Week 23 – Critical flaw in Roundcube

02 – 08 June 2025
Open-source enthusiast sysadmins might be familiar with Roundcube, one of the most widely deployed webmail clients: Shodan currently lists over 160,000 publicly reachable instances. Unfortunately, it has now become the subject of our regular CVE of the Week series.
It’s rare that a week goes by without a critical vulnerability being discovered and this time is no exception.
This critical flaw, tracked as CVE-2025-49113, carries a CVSS base score of 9.9, just short of a straight 10/10. It is a textbook case of improper input validation: any authenticated user can trivially exploit it through the _from parameter of the upload.php endpoint (program/actions/settings/upload.php), whose unvalidated value reaches PHP object deserialization. The result is remote code execution and full system compromise, affecting all three pillars of the CIA triad.
The fact that unauthenticated users cannot reach the affected endpoint may offer some relief, but administrators must still account for insider threats. Furthermore, self-registration Roundcube plugins exist for various mail server backends; where one is enabled, anyone can register an account and exploit the server.
Also, if you've been putting off upgrading for a long time, this attack might be chained with the various XSS issues previously disclosed in Roundcube, such as CVE-2024-37383, which allows JavaScript injection via SVG animate attributes. That one has a publicly available PoC and only requires the recipient to click inside the body of a maliciously crafted email to execute the payload, meaning the two together could amount to unauthenticated RCE.
Luckily, the Roundcube developers were quick to fix the validation logic in versions 1.6.11 and 1.5.10 by adding an is_simple_string() check to the input-handling code; it rejects any value containing unexpected characters, rendering the exploits useless.
As always, the best way to stay secure is to update as quickly as possible. If that is not an option, a WAF configured to reject requests with suspicious content is a reasonable stopgap. We also recommend inspecting the access logs for traces of successful exploitation.
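To make the log-inspection advice concrete, here is an added example (not Roundcube's code and not part of the original post): a small Python scanner over constructed web-server log lines that flags upload requests whose decoded _from value falls outside the simple allow-list the fix enforces. The request shape (_task=settings&_action=upload) and the exact allow-list pattern are assumptions modelled on the patch.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the common "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2025:10:01:12 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jun/2025:10:02:45 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity%3Bx%7B%7D HTTP/1.1" 200 731 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2025:10:03:01 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jun/2025:10:04:20 +0000] "POST /?_task=settings&_action=upload&_from=%21weird HTTP/1.1" 500 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Allow-list modelled on the is_simple_string() idea: _from only ever carries a short
# identifier, so anything else is anomalous. The exact upstream pattern is an assumption.
SIMPLE_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_upload_request(target: str) -> bool:
    """True for requests routed to the settings upload action (assumed request shape)."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    return parts.path.endswith("upload.php") or (
        qs.get("_task") == ["settings"] and qs.get("_action") == ["upload"]
    )


def find_suspicious(log_text: str) -> list[dict]:
    """Return upload requests whose decoded _from value is outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_upload_request(m["target"]):
            continue
        for value in parse_qs(urlsplit(m["target"]).query).get("_from", []):
            if not SIMPLE_RE.match(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "from": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        # A 2xx status on an anomalous _from deserves a closer look than a 4xx/5xx.
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} _from={hit['from']!r}")
```

Run it against real combined-format logs by reading the file into find_suspicious(); a hit with a 2xx status is the strongest indicator that a request got through to the vulnerable code path.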
Official advisory: https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
is_simple_string() patch: https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
XSS CVE from last year: https://nvd.nist.gov/vuln/detail/cve-2024-37383

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.