Roundcube RCE Flaw (CVE-2025-49113) Sparks Dark Web Attack Fears

Summary
– A critical Roundcube vulnerability (CVE-2025-49113) is being actively exploited, with 84,000 unpatched installations globally, primarily in Europe, Asia, and North America.
– Roundcube is a widely used open-source webmail client, popular among academic institutions, governments, and hosting providers, making it a target for cyber espionage.
– CVE-2025-49113 is a PHP object deserialization flaw allowing remote code execution if attackers gain basic login access, affecting versions up to 1.5.9 and 1.6.0-1.6.10.
– The vulnerability was privately reported but weaponized quickly after the patch release, prompting the researcher to publish a PoC exploit to aid defenders.
– Users must upgrade to patched versions (1.5.10 or 1.6.11) and monitor for suspicious activity, while CERT Polska warns of potential attack chains combining this flaw with credential theft.
A newly discovered vulnerability in Roundcube webmail (CVE-2025-49113) has security experts warning of potential widespread attacks, with exploit code already circulating on underground forums. The flaw allows attackers to execute malicious code on vulnerable servers, putting thousands of organizations at risk if left unpatched.
Security researchers estimate approximately 84,000 internet-connected Roundcube installations remain exposed, primarily across Europe, Asia, and North America. Many belong to high-value targets, including government agencies, universities, and healthcare providers—making this vulnerability particularly attractive to cybercriminals and state-sponsored hacking groups.
Understanding the Threat
The vulnerability, CVE-2025-49113, stems from a PHP object deserialization flaw, enabling attackers to gain full control over affected servers. Exploitation requires only a basic user account, meaning even low-privileged credentials could serve as an entry point.
Patch Availability and Exploit Risks
Kirill Firsov, CEO of cybersecurity firm FearsOff, initially withheld technical details after privately reporting the issue. However, once threat actors reverse-engineered the patch, he released a proof-of-concept (PoC) exploit to help defenders detect and mitigate attacks.
Firsov emphasized Roundcube’s widespread adoption, noting that major hosting providers like GoDaddy, Hostinger, and OVH frequently include it in their offerings. This broad distribution increases the potential attack surface, especially since many users may not realize they’re running vulnerable instances.
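A version triage helper for the ranges the article names (everything up to 1.5.9, and 1.6.0 through 1.6.10, fixed in 1.5.10 and 1.6.11). This is an added example, not code from the article or the Roundcube project; it assumes the installed version is readable from the `RCMAIL_VERSION` constant in `program/include/iniset.php`, and the sample file contents below are constructed.

```python
import re

# Fixed releases per branch, as stated in the advisory text: the 1.5 branch is
# fixed in 1.5.10 and the 1.6 branch in 1.6.11. Everything below those is affected.
FIXED_PER_BRANCH = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}

# Constructed sample of an unpatched install's program/include/iniset.php contents.
SAMPLE_INISET = """<?php
// ... preamble trimmed ...
define('RCMAIL_VERSION', '1.6.10');
define('RCMAIL_START', microtime(true));
"""


def parse_version(version):
    """Turn '1.6.10' (optionally with a suffix such as '-git') into (1, 6, 10)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if the version falls inside the ranges affected by CVE-2025-49113."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PER_BRANCH:
        return (major, minor, patch) < FIXED_PER_BRANCH[branch]
    # "Up to 1.5.9" also covers every older branch (1.4.x and earlier).
    if branch < (1, 5):
        return True
    # Branches newer than 1.6 are outside the ranges the advisory lists.
    return False


def version_from_iniset(source):
    """Extract RCMAIL_VERSION from iniset.php contents (assumed define() layout)."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'", source)
    return m.group(1) if m else None


def triage(source):
    """Return (version, vulnerable) for a given iniset.php text, or (None, None)."""
    version = version_from_iniset(source)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    ver, vuln = triage(SAMPLE_INISET)
    print(f"Roundcube {ver}: {'UPGRADE REQUIRED' if vuln else 'patched'}")
```

Point `triage()` at the real file (`open('program/include/iniset.php').read()`) on each host; a result of `(None, None)` means the constant was not found and the version must be confirmed another way.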
Defensive Measures
In a related development, CERT Polska warned of a spear-phishing campaign exploiting CVE-2024-42009, an XSS flaw in Roundcube. Attackers have been harvesting credentials, exfiltrating email data, and spreading further phishing messages from compromised accounts.
Security teams should remain vigilant—combining credential theft with CVE-2025-49113 could create a devastating attack chain, allowing adversaries to escalate access and maintain persistence on vulnerable systems.
(Source: HELPNET Security)