Roundcube RCE: Dark web activity signals imminent attacks (CVE-2025-49113)
With an exploit for a critical Roundcube vulnerability (CVE-2025-49113) being offered for sale on underground forums and a PoC exploit having been made public, attacks exploiting the flaw are incoming and possibly already happening.
According to the Shadowserver Foundation, there is no lack of possible targets: around 84,000 internet-facing installations – predominantly in Europe, Asia, and North America – are still unpatched.
What is Roundcube?
Roundcube is a free and open-source web-based email client that’s designed to be run on standard web servers, usually a Linux server running Apache or Nginx, with PHP and a database like MySQL or PostgreSQL. Once set up and configured to connect to an IMAP email server, users can log in via a web browser to send and receive emails.
Roundcube is used widely, by individuals and institutions that host their own mail servers and want to retain control of their data. It’s used by academic institutions, European government agencies, healthcare organizations, web hosting providers, NGOs, etc.
Its popularity with some of these institutions has made Roundcube vulnerabilities a prized tool for state-sponsored attackers engaged in cyber espionage.
About CVE-2025-49113
CVE-2025-49113 is a PHP object deserialization vulnerability that can be exploited by attackers to achieve remote code execution on the underlying server and thus to fully compromise it.
To exploit it, an attacker must be able to log in to the webmail installation (e.g., with a basic user account).
CVE-2025-49113 affects Roundcube versions up to and including version 1.5.9, and versions 1.6.0 to 1.6.10. It has been patched in versions 1.5.10 and 1.6.11, released on June 1, 2025.
The vulnerability was privately reported by Kirill Firsov, the CEO of cybersecurity company FearsOff, who initially refrained from publishing technical details and a PoC exploit.
Unfortunately, the public availability of the patch on GitHub allowed threat actors to ferret out and effectively weaponize the flaw within 48 hours. With the cat out of the bag (so to speak), Firsov released his own PoC exploit, “to give defenders equal ground before further exploitation escalates and to provide transparency and technical accuracy in understanding the issue.”
“Roundcube has basically become the default synonym for ‘webmail client,’ and not just because people like it – it’s because hosting providers love throwing it in for free. You’ll find it proudly bundled by Hostinger, GoDaddy, Dreamhost, OVH, Gandi… basically everyone who’s ever sold you shared hosting for $3.99/month,” Firsov commented.
He also pointed out that popular control panels such as cPanel and Plesk also include Roundcube.
What to do?
Roundcube users have been urged to upgrade to a version with the fix as soon as possible and should consider “monitoring file uploads, session activity, and other indicators tied to this attack vector.”
Users should also patch the bundled versions by updating those solutions when vendors make updates available.
In related news, CERT Polska has flagged a spear phishing campaign that has been targeting Polish entities via CVE-2024-42009, an XSS bug that may allow attackers to steal a victim's emails and account password via a crafted e-mail message.
“According to incident analysis in one of the affected entities, after successfully harvesting user credentials, the attackers then move on to analyze the mailbox contents, download the address book, and in some cases, use the account to disseminate further phishing messages,” the team shared.
“While we haven’t seen any signs of such exploitation, it’s worth noting that a new vulnerability in Roundcube — discovered just this week (CVE-2025-49113) — could be combined with an account compromise vulnerability to form a highly effective attack chain.”