Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization (CVE-2025-49113)
Overview
This vulnerability, tracked as CVE-2025-49113, affects Roundcube Webmail deployments running releases older than the fixed 1.5.10 and 1.6.11 versions. Roundcube is a widely deployed PHP webmail client, especially in hosting environments, so code execution by an authenticated user can threaten mailboxes, the web server's privileges, and shared hosting infrastructure.
Vulnerability Overview
CVE-2025-49113 is a PHP object deserialization vulnerability reachable by authenticated users. Official records identify insufficient validation of the _from parameter in program/actions/settings/upload.php, which can lead to unsafe deserialization and remote code execution.
The vulnerability is post-authentication, meaning an attacker needs a valid Roundcube account or another way to reach authenticated functionality. In shared mail environments, that requirement can still be realistic because normal mailbox users often have access to the webmail interface.
Impact
The CVE record rates the vulnerability Critical, with a CVSS 3.1 base score of 9.9. Successful exploitation allows an authenticated remote user to execute code with the privileges of the web server process.
CVE-2025-49113 is listed in the CISA Known Exploited Vulnerabilities catalog, so affected internet-facing Roundcube deployments should be prioritized for remediation.
Vulnerability Scope
The affected versions are Roundcube Webmail before 1.5.10 and Roundcube 1.6.x before 1.6.11. Fixed versions are 1.5.10 and 1.6.11.
The highest-risk systems are public Roundcube instances where untrusted users can authenticate and the installation has not been upgraded to a fixed version.
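The version ranges above are easy to misread during inventory triage (1.5.9 and 1.4.x are affected, 1.6.0 through 1.6.10 are affected, 1.5.10 and 1.6.11 are not). The following helper, added here as an example and not part of the lab or of Roundcube itself, encodes exactly those ranges and orders affected hosts with internet-facing ones first, matching the KEV prioritization note above. The host inventory is constructed sample data.

```python
"""Triage helper for CVE-2025-49113 (Roundcube PHP object deserialization).

Added example, not Roundcube project code. Affected ranges come from the
advisory text: Roundcube before 1.5.10, and 1.6.x before 1.6.11; fixed
releases are 1.5.10 and 1.6.11. The host records are constructed sample data.
"""
from typing import Iterable, List, Tuple

FIXED_15 = (1, 5, 10)   # fixed release for the 1.5 line (and anything older)
FIXED_16 = (1, 6, 11)   # fixed release for the 1.6 line


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.10' (or '1.6.10-rc', '1.6') into a comparable integer tuple."""
    core = text.strip().split("-")[0]        # drop any pre-release suffix
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unparseable version component in {text!r}")
        nums.append(int(part))
    while len(nums) < 3:                     # '1.6' compares like '1.6.0'
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if this Roundcube version falls inside the vulnerable ranges."""
    v = parse_version(version)
    if v[:2] == (1, 6):
        return v < FIXED_16                  # 1.6.x before 1.6.11
    return v < FIXED_15                      # 1.5.x before 1.5.10, and older lines


def fixed_release(version: str) -> str:
    """Smallest fixed release a given vulnerable version should move to."""
    return "1.6.11" if parse_version(version)[:2] == (1, 6) else "1.5.10"


def triage(hosts: Iterable[dict]) -> List[dict]:
    """Affected hosts only, internet-facing first (KEV-listed, so prioritized)."""
    affected = [h for h in hosts if is_affected(h["version"])]
    return sorted(affected, key=lambda h: (not h["internet_facing"], h["host"]))


SAMPLE_HOSTS = [  # constructed inventory, not real systems
    {"host": "mail-a.example", "version": "1.6.10", "internet_facing": True},
    {"host": "mail-b.example", "version": "1.6.11", "internet_facing": True},
    {"host": "mail-c.example", "version": "1.5.9", "internet_facing": False},
    {"host": "mail-d.example", "version": "1.4.13", "internet_facing": True},
    {"host": "mail-e.example", "version": "1.5.10", "internet_facing": False},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_HOSTS):
        exposure = "internet-facing" if h["internet_facing"] else "internal"
        print(f"{h['host']:16} {h['version']:8} {exposure:15} upgrade to {fixed_release(h['version'])}")
```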
Lab Focus
This Hackviser lab focuses on understanding how authenticated PHP object deserialization can lead to server-side code execution. You will practice identifying affected Roundcube versions, recognizing the post-authentication attack surface, and mapping deserialization risk to secure webmail operations.
