
published date: June 2, 2025

CVE-2025-49113 : Remote Code Execution Vulnerability

Roundcube Webmail - June 2025

Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users. The _from parameter of the URL handled by program/actions/settings/upload.php is not validated, so attacker-controlled data reaches PHP object deserialization; any user with a valid webmail login can therefore execute code on the server. The fix is in 1.5.10 and 1.6.11.

Product(s):

  • Roundcube Webmail

Question to Ask Vendors:

  1. Can you confirm that all instances of Roundcube Webmail have been updated to 1.5.10 or 1.6.11 (or later), which closes CVE-2025-49113 and also includes the earlier fix for CVE-2024-42009?
  2. Are you monitoring web server access logs for POST requests to the settings upload action (program/actions/settings/upload.php) whose _from URL parameter is unusually long, contains serialized-looking PHP data, or otherwise deviates from the short identifiers the application normally sends?
  3. Have you reviewed file permissions so that the web server user has only the minimum filesystem access required, limiting what a successful exploitation can write or read?
  4. As part of remediation for CVE-2025-49113, have you audited all authenticated user accounts for suspicious configuration changes or unexpected mail forwarding rules?
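Questions 1 and 2 above can both be answered with a small script. The example below is added here and is not code from Roundcube or from this page; it assumes the upload action is reached through the query string _task=settings&_action=upload, that legitimate _from values are short identifiers (the SAFE_FROM pattern and the 64-byte length cap are assumed thresholds), and that the access log is in Apache combined format. The log lines and the serialized-looking payload in them are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fixed versions from the CVE description: before 1.5.10 and 1.6.x before 1.6.11 are affected.
FIXED_15 = (1, 5, 10)
FIXED_16 = (1, 6, 11)


def parse_version(version: str) -> tuple:
    """Turn '1.6.10' (or '1.6.10-rc') into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in version.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(version: str) -> bool:
    """True if this Roundcube version falls in the affected range for CVE-2025-49113."""
    v = parse_version(version)
    if v < FIXED_15:            # covers 1.5.x before 1.5.10 and every older branch
        return True
    if (1, 6, 0) <= v < FIXED_16:
        return True
    return False                # 1.5.10+, 1.6.11+ (releases above 1.6 are outside the stated range)


# Apache/nginx combined log format (assumption about the log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumption: a legitimate _from value is a short identifier such as "edit-identity".
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
# Tokens that look like PHP serialize() output: O:3:"Foo", s:1:"x", i:1;, a:2:{ ...
SERIALIZED_MARKER = re.compile(r'(^|[^A-Za-z])(O|a|s|i|b|d|N):\d*[:;]')
MAX_FROM_LEN = 64  # assumed cap; real values are far shorter


def classify_request(method: str, target: str):
    """Return a reason string if the request looks like a CVE-2025-49113 probe, else None."""
    u = urlsplit(target)
    q = parse_qs(u.query, keep_blank_values=True)  # percent-decodes, so %21 becomes '!'
    if q.get("_task") != ["settings"] or q.get("_action") != ["upload"]:
        return None
    for raw in q.get("_from", []):
        if len(raw) > MAX_FROM_LEN:
            return "oversized _from (%d bytes)" % len(raw)
        if SERIALIZED_MARKER.search(raw):
            return "serialized-looking _from"
        if not SAFE_FROM.match(raw):
            return "unexpected characters in _from"
    return None


def scan_access_log(text: str) -> list:
    """Run classify_request over every parsable line; return the suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["method"], m["target"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "reason": reason})
    return hits


# Constructed sample log: one normal signature upload, one probe smuggling a
# serialized object (O:3:"Foo":0:{}) after a '!' in _from, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2025:10:01:12 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity&_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2025:10:02:44 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity%21O%3A3%3A%22Foo%22%3A0%3A%7B%7D&_id=1 HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.9 - - [02/Jun/2025:10:03:01 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ver in ("1.5.9", "1.5.10", "1.6.10", "1.6.11"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["reason"], hit["target"])
```

The serialized-marker and character-class checks are heuristics: they catch the obvious probe shapes without knowing the exact payload, so tune SAFE_FROM to the _from values your own logs actually show before alerting on it. A hit on a patched host is still worth a look, since it shows someone is probing.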
