Week 23 – Critical flaw in Roundcube

02 – 08 June 2025
Sysadmins who favour open-source tooling will be familiar with Roundcube, one of the most widely deployed webmail clients: Shodan currently lists over 160,000 publicly reachable instances. Unfortunately, it has now become the subject of our regular CVE of the Week series.
It is rare that a week goes by without a critical vulnerability being disclosed, and this week is no exception.
This critical flaw, tracked as CVE-2025-49113, carries a CVSS base score of 9.9, just short of a straight 10/10. It is a textbook case of improper input validation: the _from URL parameter processed by program/actions/settings/upload.php (a single file in the settings task, reachable by any logged-in user) is never validated. The value ends up in a PHP session key, and a character that is special to PHP's session serializer lets an attacker inject a crafted serialized object into the session data, which is deserialized on a later request. The result is remote code execution on the mail server host, i.e. full system compromise, affecting all three pillars of the CIA triad.
The fact that unauthenticated users cannot reach the affected endpoint offers only limited relief: administrators must still consider insider threats, as well as any account whose credentials have been phished or leaked. Furthermore, self-registration plugins exist for Roundcube with various mail server backends, and where one is enabled, anyone can create an account and thereby meet the only precondition for exploitation.
Also, if you have been putting off upgrades for a long time, this bug can be chained with the XSS issues previously disclosed in Roundcube, such as CVE-2024-37383 (fixed in 1.5.7 and 1.6.7), which allows injecting JavaScript via SVG animate attributes. That one has a publicly available PoC and only requires the recipient to click inside the body of a maliciously crafted email to execute the payload. Chained together, the XSS runs inside the victim's authenticated session and can issue the deserialization request on the attacker's behalf, so the attacker needs no account of their own: in effect, unauthenticated RCE.
Luckily, the Roundcube developers were quick to fix the validation logic in versions 1.6.11 and 1.5.10, adding an is_simple_string() helper and calling it on the _from parameter before the value is used. Note that this is a reject-on-mismatch check, not a sanitiser: a value containing anything outside a small set of plain characters (letters, digits and a couple of separators) is refused outright rather than cleaned up, so a crafted value never reaches the session and the published exploits fail.
As always, the best way to stay secure is to update as quickly as possible. If that is not possible, a WAF in front of Roundcube can enforce the same rule the patch does: reject any request whose _from parameter contains anything but plain alphanumeric characters and simple separators, rather than relying on generic "suspicious content" signatures. We also recommend inspecting the access logs: look for requests to the settings upload action (_task=settings&_action=upload) whose _from value would fail that check. Keep in mind that a hit only proves an attempt, that every hit comes from an authenticated session, so identify which account issued it, and that a successful attempt ends in code execution, so treat such a hit as a potential full host compromise and move to incident response rather than just patching.
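To make the two practical points above concrete, here is an added example (written for this post; it is not Roundcube's code nor the advisory's): a Python port of the kind of reject-on-mismatch check the 1.6.11 / 1.5.10 patch introduced, and a scan over web-server access-log lines that flags requests to the settings upload action whose _from value fails that check. The allowed character set (letters, digits, underscore, dash) is my assumption about what is_simple_string() accepts and should be adjusted to match your installed version; the combined log format, the query-string placement of the parameters (the advisory describes _from as a URL parameter) and the sample log lines are likewise constructed for this example.

```python
"""
Added example, not code from Roundcube or from the original post.

  1. is_simple_string(): a Python port of the kind of check the 1.6.11 /
     1.5.10 patch added, so you can see which _from values it refuses.
  2. scan_log(): flags access-log requests to the settings upload action
     whose _from fails that check, which is what an exploitation attempt
     for CVE-2025-49113 looks like in web-server logs.

Assumptions (mine, not from the advisory):
  * ALLOWED_FROM mirrors what Roundcube's is_simple_string() accepts
    (letters, digits, underscore, dash); the project's exact pattern may
    differ at the margins, so align it with your installed version.
  * Logs are in the Apache/nginx "combined" format and the parameters sit
    in the query string, as the advisory describes (_from "in a URL").
  * The sample log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_FROM = re.compile(r"^[A-Za-z0-9_-]+$")


def is_simple_string(value):
    """Accept only plain identifier-like strings; reject everything else.

    This is reject-on-mismatch, not strip-bad-characters: a value with a
    single stray character fails as a whole.
    """
    return isinstance(value, str) and ALLOWED_FROM.match(value) is not None


# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_log_line(line):
    """Return a dict with ip/time/method/status and decoded query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["target"]).query
    # parse_qs percent-decodes, so an encoded character is judged as the
    # character Roundcube would actually see.
    rec["params"] = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return rec


def classify_request(rec):
    """'attempt' if this hits the settings upload action with a bad _from, else 'ok'."""
    p = rec["params"]
    if p.get("_task") != "settings" or p.get("_action") != "upload":
        return "ok"
    if "_from" not in p:
        return "ok"
    return "ok" if is_simple_string(p["_from"]) else "attempt"


def scan_log(lines):
    """Return one finding per request that the patched validation would reject."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and classify_request(rec) == "attempt":
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "status": rec["status"],
                "from_value": rec["params"]["_from"],
            })
    return findings


# Constructed sample: a normal mailbox view, a legitimate upload call, and
# an upload call whose _from carries a character the patch would reject.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2025:10:14:02 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2025:10:14:30 +0000] "GET /?_task=settings&_action=upload&_from=edit-response HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Jun/2025:10:15:01 +0000] "GET /?_task=settings&_action=upload&_from=edit-response%21x HTTP/1.1" 200 311 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} _from={f['from_value']!r}")
```

Feed it your real access log with `scan_log(open(path))`. A finding is an attempt, not proof of success: the access log does not show whether the gadget chain fired, so correlate the source address and timestamp with Roundcube's own session and error logs and with the account that was logged in at the time. If your web server is configured to strip query strings from the log, this check has nothing to work with, which is itself worth fixing.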
Official advisory: https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
is_simple_string() patch: https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
XSS CVE from last year: https://nvd.nist.gov/vuln/detail/cve-2024-37383

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and a proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded Microsoft's Partner of the Year Hungary Award in 2024.
With the largest incident response capacity in the CEE region, the company is trusted by organizations to deliver fast, effective and proactive protection. Its portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
It is committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity, both for individuals and for organizations. It regularly contributes to the community through knowledge sharing, education and outreach, helping to build a safer digital future for all.