10-Year-Old Roundcube RCE Vulnerability Let Attackers Execute Malicious Code


Jun 3, 2025 - 23:10

A decade-old critical security vulnerability has been discovered in Roundcube Webmail that could allow authenticated attackers to execute arbitrary code on vulnerable systems, potentially affecting millions of installations worldwide.

The flaw, tracked as CVE-2025-49113, carries an alarming CVSS score of 9.9 out of 10.0, marking it as one of the most severe vulnerabilities discovered in recent years.

The vulnerability affects all Roundcube Webmail versions before 1.5.10 and all 1.6.x releases before 1.6.11, a scope that spans over 53 million hosts globally.

The flaw particularly concerns popular web hosting control panels such as cPanel, Plesk, ISPConfig, and DirectAdmin, which bundle Roundcube as their default webmail solution.

10-Year-Old Roundcube RCE Vulnerability

Kirill Firsov, founder and CEO of Dubai-based cybersecurity firm FearsOff, discovered this post-authentication remote code execution vulnerability, which is rooted in PHP object deserialization.

The flaw stems from insufficient validation of the _from URL parameter handled by the program/actions/settings/upload.php file, which lets an authenticated user supply crafted serialized PHP objects that, once deserialized, lead to arbitrary code execution on the server.

Roundcube has historically been a prime target for advanced persistent threat groups. Previous vulnerabilities in the webmail platform have been exploited by nation-state actors including APT28 and Winter Vivern.

Last year, unidentified hackers attempted to exploit CVE-2024-37383 in phishing attacks aimed at stealing user credentials.

More recently, ESET researchers documented APT28’s exploitation of cross-site scripting vulnerabilities in various webmail servers, including Roundcube, to harvest confidential data from governmental entities and defense companies in Eastern Europe.

The Centre for Cybersecurity Belgium has issued urgent warnings, strongly recommending that organizations install updates with the highest priority after thorough testing. Fixed versions are now available with Roundcube Webmail 1.6.11 and 1.5.10 LTS addressing the vulnerability.

FearsOff has indicated plans to publish comprehensive technical details and proof-of-concept code “soon,” following responsible disclosure practices to allow sufficient time for affected parties to implement necessary patches.

This approach demonstrates the cybersecurity community’s commitment to providing organizations adequate time to secure their systems before detailed exploitation methods become public.

Organizations using Roundcube Webmail should prioritize immediate patching and implement enhanced monitoring capabilities to detect any suspicious activities that might indicate attempted exploitation of this critical vulnerability.
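The two defender-side checks the article calls for, deciding whether an installed build is in the affected range and watching the settings upload action for anomalous _from values, can be scripted. The following is an added example written for this page, not code from Roundcube or FearsOff. It assumes Roundcube's usual _task/_action query parameters route a request to the settings upload handler, assumes an Apache combined access-log format, and uses a constructed allowlist (short identifier-like _from values) as a heuristic; the sample log lines are constructed, and the flagged one carries only an empty stdClass serialization as a marker of serialized-PHP syntax, not a working payload.

```python
"""Hypothetical helpers for CVE-2025-49113 triage (constructed example, not project code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Fixed releases named in the advisory: 1.5.10 (LTS) and 1.6.11.
FIXED = {(1, 5): 10, (1, 6): 11}


def parse_version(version: str) -> tuple:
    """Turn '1.6.10' into (1, 6, 10); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the version is in the advisory's affected range:
    anything before 1.5.10, or a 1.6.x release before 1.6.11.
    Branches newer than 1.6 are outside the advisory's scope and return False."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return patch < FIXED[branch]
    return branch < (1, 5)


# Apache combined log format (assumption about the deployment's log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic allowlist for _from (assumption): legitimate values look like short
# identifiers, so serialized-PHP syntax characters (':', '"', '{', ';') fail it.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]*$")


def triage_line(line: str):
    """Return (client_ip, reason) when the request hits the settings upload action
    with an anomalous _from value; None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    # Roundcube routes the upload handler via _task=settings&_action=upload (assumption).
    if params.get("_task") != ["settings"] or params.get("_action") != ["upload"]:
        return None
    for value in params.get("_from", []):  # parse_qs has already percent-decoded it
        if not SAFE_FROM.match(value):
            return (m.group("ip"), f"anomalous _from={value!r}")
    return None


def triage_log(lines):
    """Run triage_line over an iterable of log lines and keep the hits."""
    return [hit for hit in (triage_line(line) for line in lines) if hit]


# Constructed sample lines: a mail listing, a benign settings upload, and one
# whose _from value carries serialized-PHP syntax (an empty stdClass, not a payload).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2025:23:10:01 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jun/2025:23:10:07 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.9 - alice [03/Jun/2025:23:11:42 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 500 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for ver in ("1.4.15", "1.5.9", "1.5.10", "1.6.10", "1.6.11"):
        print(f"Roundcube {ver}: {'AFFECTED' if is_affected_version(ver) else 'fixed/out of scope'}")
    for ip, reason in triage_log(SAMPLE_LOG):
        print(f"review {ip}: {reason}")
```

The version check deliberately returns False for branches the advisory does not mention (for example a future 1.7 line) rather than guessing; treat that as "consult the vendor", not "safe". The log heuristic only narrows where to look: a hit is a request from an already-authenticated session that should be reviewed against that user's normal activity, and the allowlist should be tuned to the _from values your own installation actually emits.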

