09 – 15 June 2025 After our last CVE of the Week post exploring a critical vulnerability in the open source landscape, we are back again in the Microsoft ecosystem, as it’s just past Patch Tuesday, which keeps on giving (and more importantly, fixing) weaknesses …
It’s rare that a week goes by without a critical vulnerability being discovered and this time is no exception.
This critical flaw, tracked as CVE-2025-49113, has a 9.9 CVSS base score, almost reaching a straight 10/10. The weakness is a prime example of improper input validation, allowing any authenticated user to trivially exploit four PHP endpoints using the _from parameter: program, actions, settings, and upload.php are all vulnerable to object deserialization. This allows for full system compromise through remote code execution, affecting all three pillars of the CIA triad.
While the fact that unauthenticated users can’t reach the affected endpoints could give some relief, administrators must still consider insider threats. Furthermore, there are self-registration Roundcube plugins for various mail server backends, which would allow anyone to register an account and exploit the server.
Also, if you’ve been putting off upgrading for a long time, this attack might be chained with the various XSS issues previously disclosed in Roundcube, like CVE-2024-37383, which allows injecting JS code via SVG animate attributes. This one has a publicly available PoC, which only requires the recipient to click inside a maliciously crafted email’s body to execute the payload, meaning it could lead to unauthenticated RCE.
Luckily, Roundcube developers were quick to fix the validation logic in versions 1.6.11 and 1.5.10, adding an is_simple_string() function to the input handler code, which discards any malicious characters, rendering the exploits useless.
As always, the best way to stay secure is updating as quickly as possible, but if that’s not possible, you can alternatively utilize a WAF and make sure it is configured to reject requests with suspicious content. We also recommend inspecting the access logs for traces of successful exploitation.
Official advisory: https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
is_simple_string() patch: https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
XSS CVE from last year: https://nvd.nist.gov/vuln/detail/cve-2024-37383
White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.
Final thought About the Author: Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions. She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.
One idea that continues to guide his leadership comes from his time at Microsoft. When he joined the company in 2008, he was struck by a powerful metaphor. If we sit in one boat, we must not only row well. We must also remain in …
Is the cyberattacks stronger than the cybersecurity? “No, stronger it is not. Quicker, easier, more seductive,”.
This is the sixth episode of a story related to individuals who, in a matter of moments, transition from “employees” to “rescuers” in the immediate aftermath of a destructive cyberattack.
“The fact is, you have to do things for the current, but also the after. You must pay attention to people’s sensibilities. Even if we’re in a period of crisis, we mustn’t just have financial objectives, catering objectives or customer recovery objectives. We have to think about the well-being of our teams, to keep as many staff as possible. There’s no point in getting the business back on its feet if everyone leaves.”
My book is dedicated to encouraging companies to consider the human aspect in the context of cyber-attacks. But coaching has only been part of my professional practice for the past 4 years. For over 25 years now, my career has been centered on helping customers strengthen their data resilience. This scenario is freely inspired by one of my corporate clients …
In this episode, I will fictionize a cyberattack, but by suing what I call a winning scenario. A winning scenario is when a company consider security as a strategic priority. No discussion, security is part of the daily normality
Once upon a time, there was a company that had security in its DNA. Cyberattacks are one of the problems of the modern world, and preparing for this eventuality is a necessity. It also knows that the best is the enemy of the good, and that security requires more discipline than expertise.
This situation is beneficial for the company, which recognizes the crucial role of IT security and allocates the necessary resources to develop a robust cyber resilience strategy. This strategy is based on risk analysis. The company has developed clear and achievable security policies that balance business requirements and available resources. IT and IT security departments have sufficient resources, expertise, and equipment to detect risks, develop effective countermeasures, and prevent systems from becoming obsolete. All staff members receive customized cybersecurity training based on their job responsibilities. This training is based on a positive approach. This enables them to respond effectively to potential attacks through regular simulations. They also take a proactive and self-critical approach to assessing their own skills and processes. All levels of management participate in cyber crisis management workshops, with annual reviews and updates of the crisis plan.
This corporate vision will significantly reduce the risk of internal cyberattacks. Although no system is completely risk-free, a consistent and well-structured approach helps to reduce employee stress and anxiety, thereby promoting a positive and productive work environment. This further reduces employees’ motivation to harm the company.
In the event of an attack, it will likely be detected quickly thanks to the constant vigilance of the teams and the proactive approach of everyone involved. Well-established and consistently followed incident management protocols ensure rapid decision-making. System protection will always be the top priority. Effective crisis management, combined with a clear understanding of everyone’s responsibilities, ensures smooth and efficient internal and external communication. Even if the impact is more serious, the robust response and containment processes of a high-performing company will be triggered. After being quarantined and thoroughly examined by the emergency response team, an assessment of the environment and its readiness for production resumption is initiated, in accordance with rigorous procedures.
In the event of an emergency, a stand-alone backup version can be quickly implemented. This standard practice ensures that the process is carried out efficiently and meticulously. With detailed instructions on business operations, software applications, and their interconnections, restoration efforts will be thorough and organized.
These comprehensive measures, which include thorough planning and proactive testing, ensure a smooth resumption of business. In addition, by keeping customers and suppliers informed during this period, everyone involved can make prudent decisions.
In this case, no one is designated as a hero. Rather, cyberattack management is a top priority, deeply embedded in a culture of risk management and individual autonomy. As a result, a cyberattack is viewed as a manageable event rather than a crisis.
In this scenario, no individual is designated as a hero. Managing cyberattacks is a priority, rooted in a culture of risk-aware management and individual autonomy, making a cyberattack a manageable incident rather than a crisis.
This is a Hero-less narrative.
No Hero, no fall of the Heroes!
THINGS TO REMEMBER
In cybersecurity, it’s not if you’ll get breached — it’s when. So isolate, authenticate, replicate… and don’t forget: your backup is only as good as your last restore test.
Didier Annet is an Operational & Data Resilience Specialist and a Certified Professional Coach dedicated to empowering individuals and teams to navigate the complexities of an ever-changing digital landscape.
Find him on LinkedIn: Didier Annet
Learn more in his book:
📖 Guide de survie aux cyberattaques en entreprise et à leurs conséquences psychologiques: Que fait-on des Héros ? (French Edition) – Available on Amazon
English version:
“Survival Guide – The Human Impact of Cyberattacks and the Untold Story of Those Who Respond”
“What Happens to Heroes?”
Available on Amazon
