EUVD-2025-16605

CVE-2025-49113 | CRITICAL 9.9 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 16:47 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 16:47 (euvd) - EUVD-2025-16605
Patch Released: Mar 14, 2026 16:47 (nvd) - patch available
PoC Detected: Feb 23, 2026 13:24 (vuln.today) - public exploit code
Added to CISA KEV: Feb 23, 2026 13:24 (cisa)
CVE Published: Jun 02, 2025 05:15 (nvd)

(Timestamps are when the tracker recorded each event.)

Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Analysis

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that lets any authenticated user achieve remote code execution through a crafted upload URL. With an EPSS score of 90.4% and a CISA KEV listing, exploitation is not theoretical. Because Roundcube is one of the most widely deployed open-source webmail platforms, a single low-privilege mailbox login is enough to run code on the webmail host as the web server user, from where the Roundcube configuration, database credentials and active user sessions are reachable, and with them every mailbox served by that instance.

Technical Context

The flaw is in program/actions/settings/upload.php, where the _from parameter taken from the request URL is used without validation. An authenticated user can supply a crafted value that ends up in PHP's unserialize(), so the attacker decides which classes are instantiated and with which property values. With a POP (Property Oriented Programming) gadget chain, a sequence of classes already loadable from Roundcube or its dependencies whose magic methods (for example __destruct or __wakeup) act on those attacker-supplied properties, this becomes arbitrary PHP code execution. Authentication is the only barrier: any valid mailbox account suffices, which is why the CVSS vector rates Privileges Required as Low with no user interaction.
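The bug class in isolation, as an added illustration that is not Roundcube's code: a request parameter that should only ever be a form identifier reaches unserialize(), and a gadget class's destructor does the attacker's work. LogFlusher, vulnerableLoad, hardenedLoad and phpString are hypothetical names for this demo, the payload is constructed, and the [a-zA-Z0-9_-] allowlist is this example's choice of validation, not a claim about the upstream fix. Requires PHP 8.

```php
<?php
// Added illustration of the bug class, not Roundcube's code: an untrusted request
// parameter reaching unserialize() lets the attacker pick which classes are
// instantiated, and any magic method on those classes then runs with
// attacker-chosen properties. LogFlusher is a constructed gadget; $payload is a
// constructed attacker value; vulnerableLoad/hardenedLoad are hypothetical.
declare(strict_types=1);

// A gadget: a class the application can already autoload whose __destruct does
// something dangerous with its properties. Real chains reuse classes from the
// application or its Composer dependencies; this one is built for the demo.
final class LogFlusher
{
    public string $path = '';
    public string $data = '';

    // Runs when the object is destroyed, i.e. as soon as the deserialized object
    // goes out of scope, without the application ever calling a method on it.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: a request parameter is deserialized as-is.
function vulnerableLoad(string $param): mixed
{
    return unserialize($param);
}

// Hardened pattern: the parameter is a form identifier, so only accept the shape
// of a form identifier, and never hand it to unserialize() at all.
function hardenedLoad(string $param): string
{
    if (!preg_match('/^[a-zA-Z0-9_-]+$/', $param)) {
        throw new InvalidArgumentException('unexpected _from value');
    }
    return $param;
}

// Emits a PHP-serialized string with a correct length prefix.
function phpString(string $s): string
{
    return sprintf('s:%d:"%s";', strlen($s), $s);
}

// Constructed payload: the bytes an attacker would send as the parameter value.
// In a real attack the path would be web-reachable; here it is a temp file.
$target  = sys_get_temp_dir() . '/deserialize-demo.txt';
$payload = sprintf(
    'O:%d:"LogFlusher":2:{%s%s%s%s}',
    strlen('LogFlusher'),
    phpString('path'), phpString($target),
    phpString('data'), phpString('written by a gadget chain')
);

@unlink($target);
$obj = vulnerableLoad($payload);   // attacker-chosen class is instantiated
unset($obj);                       // __destruct fires: the file appears
echo 'vulnerable: file written = ', var_export(file_exists($target), true), PHP_EOL;
@unlink($target);

// With classes disabled, unserialize() yields __PHP_Incomplete_Class, which has
// no destructor; the fallback when serialized data genuinely must be read.
$inert = unserialize($payload, ['allowed_classes' => false]);
echo 'allowed_classes=false: ', get_class($inert), PHP_EOL;

try {
    hardenedLoad($payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ')', PHP_EOL;
}
echo 'hardened: accepted ', hardenedLoad('edit-identity'), PHP_EOL;
```

Run it with `php demo.php`. The point of the unset() line is that nothing in the application has to call the gadget: constructing the object is enough, which is what makes an unvalidated parameter reaching unserialize() equivalent to code execution once a suitable gadget exists in the loaded code base.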

Affected Products

Roundcube Webmail before 1.5.10
Roundcube Webmail 1.6.x before 1.6.11

Remediation

Upgrade Roundcube to 1.5.10 or later on the 1.5 branch, or 1.6.11 or later on the 1.6 branch, immediately; with an EPSS of 90% and a KEV listing this is emergency priority. Distribution packages carry the backported fix under their own version numbers, so on Debian or Ubuntu compare the installed package against the fixed version in the Vendor Status tables below rather than against the upstream number. If patching has to wait, restrict access to the settings upload action (_task=settings&_action=upload, the URL served by program/actions/settings/upload.php) to trusted users or networks. Then audit the webmail host for signs of compromise, treating every account that could log in as a possible attacker: check web server logs for upload requests whose _from value is not a plain form identifier, and review recently sent mail for signs of unauthorized use.
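A small triage helper for the two checks above (is this version in the affected ranges, and do the access logs show upload requests with an abnormal _from value), added here as an example and not part of Roundcube or vuln.today. It assumes Roundcube is served from the site root so the action shows up as "?_task=settings&_action=upload", that the log is in Apache combined format, and that a legitimate _from value is a plain token such as "edit-identity"; isAffectedVersion and flagSuspiciousUploads are hypothetical names and the log lines are constructed.

```php
<?php
// Added triage helper for this advisory; not part of Roundcube or vuln.today.
// Assumptions: webmail at the site root, Apache combined log format, and a
// legitimate _from value being a plain token. Log lines below are constructed.
declare(strict_types=1);

// Does an upstream Roundcube version fall in the advisory's affected ranges
// (before 1.5.10, or 1.6.x before 1.6.11)? Distribution packages such as
// Debian's 1.6.5+dfsg-1+deb12u7 backport the fix under a lower upstream
// number, so check those against the vendor table, not this function.
function isAffectedVersion(string $version): bool
{
    $upstream = explode('+', $version, 2)[0];            // "1.6.5+dfsg-1" -> "1.6.5"
    if (version_compare($upstream, '1.6.0', '>=')) {
        return version_compare($upstream, '1.6.11', '<'); // 1.6.x before 1.6.11
    }
    return version_compare($upstream, '1.5.10', '<');     // anything older than 1.5.10
}

// Flag settings-upload requests whose _from value is not a plain token.
// The check is an allowlist on the expected shape, so it does not depend on
// knowing what a particular exploit payload looks like.
// Returns one array per flagged line: client IP, timestamp, decoded _from.
function flagSuspiciousUploads(array $logLines): array
{
    $flagged = [];
    foreach ($logLines as $line) {
        // client, timestamp and request target from the combined log format
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $client, $when, $target] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);                       // percent-decodes values
        if (($params['_task'] ?? '') !== 'settings' || ($params['_action'] ?? '') !== 'upload') {
            continue;
        }
        if (!array_key_exists('_from', $params)) {
            continue;                                     // nothing to inject through
        }
        $from = $params['_from'];
        if (is_string($from) && preg_match('/^[a-zA-Z0-9_-]+$/', $from)) {
            continue;                                     // expected shape
        }
        $flagged[] = [
            'client' => $client,
            'time'   => $when,
            'from'   => is_string($from) ? $from : '(array value)',
        ];
    }
    return $flagged;
}

// Constructed sample: a normal identity-form upload, one whose _from carries a
// percent-encoded serialized object marker instead of a form name, and an
// unrelated mail request.
$sampleLog = [
    '203.0.113.7 - - [02/Jun/2025:10:14:03 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity&_id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jun/2025:10:15:41 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity%22%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/Jun/2025:10:16:02 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (['1.6.10', '1.6.11', '1.5.9', '1.5.10', '1.4.15+dfsg.1-1+deb11u7'] as $v) {
    printf("%-26s affected upstream: %s\n", $v, isAffectedVersion($v) ? 'yes' : 'no');
}
foreach (flagSuspiciousUploads($sampleLog) as $hit) {
    printf("SUSPICIOUS %s %s _from=%s\n", $hit['time'], $hit['client'], $hit['from']);
}
```

On the constructed input only the second request is reported. For a real audit, feed the script the full access log history back to the CVE publication date, and remember that a clean log only covers the upload action: an attacker who already had code execution may have left other traces on the host.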

Priority Score

210

KEV: +50
EPSS: +90.4
CVSS: +50
PoC: +20

Vendor Status

Ubuntu

Priority: High
Package: roundcube

Release    Status        Version
upstream   released      1.6.11+dfsg-1
bionic     released      1.3.6+dfsg.1-1ubuntu0.1~esm5
focal      released      1.4.3+dfsg.1-1ubuntu0.1~esm5
jammy      released      1.5.0+dfsg.1-2ubuntu0.1~esm4
noble      released      1.6.6+dfsg-2ubuntu0.1
oracular   released      1.6.8+dfsg-2ubuntu0.1
plucky     released      1.6.10+dfsg-1ubuntu0.1
xenial     released      1.2~beta+dfsg.1-0ubuntu1+esm6
questing   not-affected  1.6.11+dfsg-1

Debian

Bug #1107073
Package: roundcube

Release                    Status  Fixed Version              Urgency
bullseye                   fixed   1.4.15+dfsg.1-1+deb11u5    -
bullseye (security)        fixed   1.4.15+dfsg.1-1+deb11u7    -
bookworm                   fixed   1.6.5+dfsg-1+deb12u5       -
bookworm (security)        fixed   1.6.5+dfsg-1+deb12u7       -
trixie (security), trixie  fixed   1.6.13+dfsg-0+deb13u1      -
forky, sid                 fixed   1.6.13+dfsg-1              -
(unstable)                 fixed   1.6.11+dfsg-1              -

EUVD-2025-16605 vulnerability details – vuln.today