
Critical Roundcube Webmail Exploit Sold as Tech Details Leak

Summary

– Hackers are exploiting CVE-2025-49113, a critical vulnerability in Roundcube webmail allowing remote code execution, impacting versions 1.1.0 through 1.6.10.
– The flaw, present for over a decade, was patched on June 1st, but attackers quickly reverse-engineered the fix and began selling exploits on hacker forums.
– The vulnerability, rated 9.9/10 in severity, stems from unsanitized input in the `$_GET['_from']` parameter, enabling PHP object deserialization.
– Roundcube is widely used by hosting providers (e.g., GoDaddy, OVH) and organizations, with over 1.2 million instances detected online, making it a high-value target.
– The researcher who discovered the flaw published technical details early due to active exploitation, noting exploit prices can reach $50,000 in underground markets.

A critical vulnerability in Roundcube webmail software is now being actively exploited after hackers reverse-engineered the patch and began selling working exploits online. The flaw, tracked as CVE-2025-49113, affects versions 1.1.0 through 1.6.10 of the open-source email platform, which is widely used by hosting providers and organizations worldwide.

The security issue, which remained undetected for over a decade, allows remote code execution (RCE) after authentication and carries a severity rating of 9.9 out of 10. Cybersecurity experts have labeled it an “email armageddon” due to its potential impact. The vulnerability stems from improper sanitization of the `$_GET['_from']` parameter, leading to PHP object deserialization attacks.

Kirill Firsov, CEO of FearsOff and the researcher who discovered the flaw, decided to release technical details ahead of the standard disclosure timeline after confirming active exploitation. “With proof of exploits circulating in underground markets, defenders need immediate visibility,” Firsov stated. Attackers reportedly reverse-engineered the patch within days, developing a weaponized exploit now being sold on hacker forums.

While authentication is required to trigger the exploit, threat actors claim they can bypass this hurdle by extracting credentials from logs, brute-forcing access, or leveraging cross-site request forgery (CSRF) techniques. Some vulnerability brokers are offering up to $50,000 for a functional Roundcube RCE exploit, highlighting its high value in cybercriminal circles.

Roundcube’s widespread adoption makes this flaw particularly dangerous. The software is embedded in hosting platforms like GoDaddy, Hostinger, and OVH, and is used by government agencies, universities, and corporations. Internet scans reveal over 1.2 million exposed instances, making it a prime target. Firsov noted that during penetration tests, encountering Roundcube is more common than spotting SSL misconfigurations—a testament to its massive footprint.

Administrators are urged to apply the latest patches immediately. Given the exploit’s availability and the platform’s prevalence, delays could lead to widespread compromise of email systems. Firsov’s demonstration video, though using a preliminary CVE identifier (CVE-2025-48745), underscores the urgency—attackers are already capitalizing on unpatched servers.

The situation serves as a stark reminder of how quickly cybercriminals weaponize vulnerabilities, especially in widely deployed software. Organizations relying on Roundcube must prioritize updates and monitor for suspicious activity, as the threat landscape has shifted from theoretical risk to active attacks.

(Source: BLEEPINGCOMPUTER)


The Wiz

Wiz Consults, home of the Internet, is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing and have a proven track record of delivering results for their clients.