84,000+ Roundcube Servers at Risk from Active Exploit

▼ Summary
– Over 84,000 Roundcube webmail installations are vulnerable to CVE-2025-49113, a critical RCE flaw with a public exploit, affecting versions 1.1.0 through 1.6.10.
– The flaw stems from the unvalidated `$_GET['_from']` request parameter: a value beginning with an exclamation mark corrupts the stored session and lets an attacker reach PHP object deserialization.
– Hackers reverse-engineered the patch to create a working exploit, sold on underground forums, despite exploitation requiring authentication.
– Roundcube is widely used in shared hosting and critical sectors, with 84,925 vulnerable instances detected globally, primarily in the U.S., India, and Germany.
– Administrators are urged to update to patched versions (1.6.11 or 1.5.10) or implement mitigations like restricting access and disabling file uploads.
A critical vulnerability in Roundcube webmail servers is putting over 84,000 systems at risk of remote code execution attacks. Tracked as CVE-2025-49113, this security flaw affects versions 1.1.0 through 1.6.10 of the popular open-source email client, leaving installations exposed if left unpatched.
The issue stems from missing validation of the `$_GET['_from']` parameter. Because the value is used as a session key, a value that starts with an exclamation mark corrupts the user's stored session and opens the door to PHP object deserialization. Security researcher Kirill Firsov identified the bug and reported it, prompting fixes in versions 1.6.11 and 1.5.10 on June 1, 2025. However, threat actors quickly reverse-engineered the patch to create a working exploit, which has since surfaced on underground hacking forums.
Exploiting this vulnerability requires an authenticated session, but the exploit's sellers claim this hurdle can be cleared through CSRF attacks, credential scraping, or brute-force techniques. Firsov has published technical details to help organizations detect and mitigate potential breaches, warning that active exploitation attempts are highly probable.
Roundcube’s widespread adoption makes this flaw particularly dangerous. The software powers email services for major hosting providers like GoDaddy, Hostinger, and OVH, along with government, education, and corporate networks. Over 1.2 million instances are publicly accessible, with The Shadowserver Foundation identifying 84,925 vulnerable servers as of June 8, 2025. The highest concentrations are in the United States (19,500), India (15,500), and Germany (13,600), followed by France, Canada, and the UK.
Given the severity of the threat, administrators should prioritize updating to the latest patched versions immediately. If immediate upgrades aren’t feasible, experts recommend:
- Restricting webmail access to trusted networks
- Disabling file uploads
- Implementing CSRF protections
- Blocking high-risk PHP functions
- Monitoring logs for signs of exploitation
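As an added example for the last recommendation (not code from the article or from the Roundcube project), the script below scans web-server access logs for requests whose `_from` parameter carries the exclamation-mark prefix the article describes, or any other character outside a conservative allow-list. It assumes the combined log format and that `_from` is passed in the query string of the request, which is what makes it visible in an access log at all; the sample log lines are constructed for the example and are not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Allow-list for a legitimate _from value (assumption: a plain token such as
# "edit-identity"). Anything else, including a leading "!", is suspicious.
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]+$')

# Constructed sample traffic for this example; the request shape
# (?_task=settings&_action=upload&_from=...) is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2025:10:15:01 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2025:10:15:07 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity&_id=123 HTTP/1.1" 200 321 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jun/2025:10:16:42 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=%21evil&_id=123 HTTP/1.1" 200 321 "-" "python-requests/2.31"
198.51.100.9 - - [07/Jun/2025:10:16:43 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=!O%3A8%3A%22Gadget%22 HTTP/1.1" 200 321 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values, so %21 and a literal "!" both become "!".
    rec['params'] = parse_qs(urlsplit(rec['target']).query, keep_blank_values=True)
    return rec


def classify_from(value):
    """Return a reason string if a _from value looks hostile, else None."""
    if value.startswith('!'):
        return "session key prefix '!'"
    if not SAFE_FROM.match(value):
        return 'unexpected characters in _from'
    return None


def scan(log_text):
    """Return a list of findings for every request with a suspicious _from value."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in rec['params'].get('_from', []):
            reason = classify_from(value)
            if reason:
                findings.append({
                    'ip': rec['ip'],
                    'ts': rec['ts'],
                    'status': rec['status'],
                    'from': value,
                    'reason': reason,
                })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} _from={f['from']!r}: {f['reason']}")
```

Run it against a real log with `scan(open(path).read())`. A `_from` value sent in a POST body rather than the query string will not appear in an access log, so pair this with the upgrade rather than relying on it alone; the same allow-list regex is also the kind of input check the parameter should have been subjected to in the first place.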
Though no confirmed attacks have been reported yet, the availability of a working exploit increases the likelihood of widespread abuse. Proactive measures are essential to prevent potential data breaches and system compromises.
(Source: BLEEPING COMPUTER)