
A critical security vulnerability that went unnoticed for nearly a decade has been discovered in Roundcube Webmail, potentially affecting over 53 million hosts worldwide. The flaw, tracked as CVE-2025-49113 and rated CVSS 9.9, allows an authenticated attacker to execute arbitrary code on a vulnerable server.
Security researcher Kirill Firsov, CEO of FearsOff, uncovered this post-authentication remote code execution vulnerability that has existed undetected since version 1.1.0, spanning approximately 10 years of Roundcube deployments.
The vulnerability stems from missing validation of the _from parameter in the settings upload handler; the unchecked value reaches PHP's deserialization logic, turning an ordinary webmail request into a PHP object injection attack.
"Details and PoC will be published soon. We're giving time to all affected parties to make the necessary patches/updates," Firsov said.
This class of bug, PHP object injection, occurs when attacker-controllable input is passed to PHP's unserialize() without validation. PHP instantiates whatever classes the serialized data names, and "magic" methods such as __wakeup() and __destruct() run automatically during or after deserialization, so an attacker who can choose the class and its property values can chain existing application code into an arbitrary file write or command execution.
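As an added illustration of this bug class (example code written for this article, not Roundcube's code and not the CVE-2025-49113 code path), the PHP 8 script below defines a small gadget class whose __wakeup() writes a file, feeds it a hand-built serialized payload through a bare unserialize(), and then shows two hardened alternatives: unserialize() with allowed_classes set to false, and json_decode(). The class name, the temp-file path and the payload are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Roundcube code: a minimal PHP object-injection gadget and
// the hardened ways to handle the same input. The class, the file path and the
// payload are constructed for this illustration.

class CacheEntry
{
    public string $path = '';
    public string $data = '';

    // PHP calls __wakeup() automatically while unserialize() rebuilds the object.
    // An application might use it to restore a cache file; when the attacker
    // controls $path and $data it becomes an arbitrary file write (a web shell).
    public function __wakeup(): void
    {
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE: the attacker-supplied blob goes straight into unserialize(), so PHP
// instantiates whichever class the blob names and runs its magic methods.
function loadUnsafe(string $blob): mixed
{
    return unserialize($blob);
}

// HARDENED (a): allowed_classes => false keeps arrays and scalars but turns every
// object into __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget runs.
function loadSafe(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// HARDENED (b): do not use PHP's serialization format for untrusted input at all.
// JSON carries arrays and scalars but can never name an application class.
function loadJson(string $json): mixed
{
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed payload: a serialized CacheEntry with attacker-chosen fields. It is
// written out by hand so that no CacheEntry object exists before unserialize() runs.
$target  = sys_get_temp_dir() . '/shell.php';
$shell   = '<?php system($_GET["cmd"]); ?>';
$payload = sprintf(
    'O:10:"CacheEntry":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($shell), $shell
);

// 1. Vulnerable path: __wakeup() fires during unserialize() and the file appears.
loadUnsafe($payload);
printf("unsafe: shell written? %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

// 2. Hardened path: the same blob yields an inert placeholder object, no code runs.
$obj = loadSafe($payload);
printf("safe:   class=%s, shell written? %s\n",
    get_class($obj), file_exists($target) ? 'yes' : 'no');

// 3. JSON path: a blob in the wrong format is rejected instead of silently executed.
try {
    loadJson($payload);
} catch (JsonException $e) {
    printf("json:   rejected (%s)\n", $e->getMessage());
}
```

Run it with the php CLI on a scratch machine: the first call writes and then deletes a file in the system temp directory to prove the magic method fired, the second returns a __PHP_Incomplete_Class, and the third throws. Note that allowed_classes => false only neutralises object instantiation; if the application genuinely needs objects back, an explicit allow-list of class names is the next best option, and authenticating the blob (HMAC) or switching formats is better still.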
Roundcube Webmail is one of the most widely deployed email front ends on the internet, largely because hosting control panels such as cPanel, Plesk, ISPConfig, and DirectAdmin bundle it, so many operators run it without having chosen or even noticed it.
That reach makes the impact broad: hosting providers and enterprises alike are exposed, and because any valid mailbox login satisfies the authentication requirement, the post-authentication condition is a low bar on a shared hosting server. An attacker who exploits the flaw can drop a web shell, read stored email, or use the compromised server as a foothold for further attacks.
Roundcube has released emergency patches addressing the flaw. Administrators should upgrade immediately to version 1.6.11 on the current branch or 1.5.10 on the LTS branch; where a control panel bundles Roundcube, the fix arrives through the panel vendor's own update channel, so confirm the installed version rather than assuming it was applied.
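To turn the version numbers above into a check (added example, not a Roundcube tool), the PHP script below classifies a version string against the two fix releases, treating 1.1.0 up to 1.4.x as vulnerable and unmaintained, and reads the installed version from program/include/iniset.php, where Roundcube releases define RCMAIL_VERSION. The helper names, the default install path and the sample versions are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Roundcube code: classify a Roundcube version against the
// CVE-2025-49113 fix releases named in the article (affected since 1.1.0,
// fixed in 1.6.11 current and 1.5.10 LTS). Helper names and sample versions
// are constructed for this illustration.

function cve202549113Status(string $version): string
{
    if (version_compare($version, '1.1.0', '<')) {
        return 'predates bug';
    }
    // The 1.5.x LTS branch has its own fix release.
    if (version_compare($version, '1.5.0', '>=') && version_compare($version, '1.6.0', '<')) {
        return version_compare($version, '1.5.10', '>=') ? 'patched' : 'vulnerable';
    }
    // Everything else: 1.1.x to 1.4.x are unmaintained and never received a fix,
    // 1.6.x is fixed from 1.6.11 upward.
    return version_compare($version, '1.6.11', '>=') ? 'patched' : 'vulnerable';
}

// Assumption: the release ships its version as a constant in
// program/include/iniset.php, e.g. define('RCMAIL_VERSION', '1.6.10');
function installedVersion(string $roundcubeRoot): ?string
{
    $iniset = $roundcubeRoot . '/program/include/iniset.php';
    if (!is_readable($iniset)) {
        return null;
    }
    $src = file_get_contents($iniset);
    if (preg_match('#define\(\'RCMAIL_VERSION\',\s*\'([^\']+)\'\)#', $src, $m)) {
        return $m[1];
    }
    return null;
}

// Constructed sample versions covering each branch boundary.
$samples = ['1.0.9', '1.4.15', '1.5.9', '1.5.10', '1.6.10', '1.6.11'];
foreach ($samples as $v) {
    printf("%-8s %s\n", $v, cve202549113Status($v));
}

// Optional: pass the Roundcube install directory as the first CLI argument.
$installed = installedVersion($argv[1] ?? '/var/www/roundcube');
printf("installed: %s\n",
    $installed === null ? 'not found' : $installed . ' => ' . cve202549113Status($installed));
```

On a control-panel host the install directory differs per panel, so pass the real path as the argument; if the constant is not found where this script expects it, check the panel's own version reporting rather than assuming the install is patched.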
Organizations running Roundcube should treat this as an urgent update: the combination of very wide deployment, a low authentication bar, and an announced proof of concept makes exploitation likely once details are public.