09 – 15 June 2025 After our last CVE of the Week post exploring a critical vulnerability in the open source landscape, we are back again in the Microsoft ecosystem, as it’s just past Patch Tuesday, which keeps on giving (and more importantly, fixing) weaknesses …
It’s rare that a week goes by without a critical vulnerability being discovered and this time is no exception.
This critical flaw, tracked as CVE-2025-49113, has a 9.9 CVSS base score, almost reaching a straight 10/10. The weakness is a prime example of improper input validation, allowing any authenticated user to trivially exploit four PHP endpoints using the _from parameter: program, actions, settings, and upload.php are all vulnerable to object deserialization. This allows for full system compromise through remote code execution, affecting all three pillars of the CIA triad.
While the fact that unauthenticated users can’t reach the affected endpoints could give some relief, administrators must still consider insider threats. Furthermore, there are self-registration Roundcube plugins for various mail server backends, which would allow anyone to register an account and exploit the server.
Also, if you’ve been putting off upgrading for a long time, this attack might be chained with the various XSS issues previously disclosed in Roundcube, like CVE-2024-37383, which allows injecting JS code via SVG animate attributes. This one has a publicly available PoC, which only requires the recipient to click inside a maliciously crafted email’s body to execute the payload, meaning it could lead to unauthenticated RCE.
Luckily, Roundcube developers were quick to fix the validation logic in versions 1.6.11 and 1.5.10, adding an is_simple_string() function to the input handler code, which discards any malicious characters, rendering the exploits useless.
As always, the best way to stay secure is updating as quickly as possible, but if that’s not possible, you can alternatively utilize a WAF and make sure it is configured to reject requests with suspicious content. We also recommend inspecting the access logs for traces of successful exploitation.
Official advisory: https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
is_simple_string() patch: https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
XSS CVE from last year: https://nvd.nist.gov/vuln/detail/cve-2024-37383
White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.
I was already feeling twitchy about the state of critical infrastructure, but it was Ryan Naraine’s article in SecurityWeek – “Misconfigured HMIs Expose U.S. Water Systems to Anyone with a Browser” – that pushed me over the edge. Drawing on new data from Censys, Ryan has laid out in clear, horrifying terms how thousands of Human-Machine Interfaces (HMIs) tied to U.S. water and wastewater systems are exposed to the open internet, many with no passwords at all.
These are the digital control panels for water facilities. They manage everything from pump speeds to chlorine dosing. Some allow manual overrides of safety protocols. In many cases, all you need is a browser and the right URL to access them.
This is not a plot line from Mr. Robot. This is real infrastructure, vulnerable in real time. But sure, let’s keep arguing about fluoride.
What exactly is going on here?
HMIs are meant to give authorised operators a real-time view into critical systems. They were originally built for internal networks – not for the internet. But over time, convenience crept in. Engineers started putting them online for remote monitoring. And somewhere along the way, basic security got left behind.
In many cases, these systems are online with default credentials. In others, they have no authentication at all. Some can be found using simple search engines like Shodan.
And unfortunately, this is not just a theoretical risk. It has already happened:
None of these required deep technical skills or nation-state funding. Just access and opportunity.
How did it get this bad?
In smaller towns and regional areas, most utilities are running on razor-thin budgets. Their focus is on delivering water, not defending against international cyber threats. Many are still relying on legacy systems that were never built with cybersecurity in mind. And while digitisation has made operations more efficient, it has also introduced new, unmanaged risks.
No one meant for things to be this insecure. But without clear standards, without dedicated security resources, and without the money to fix what’s broken, this is where we’ve landed.
Is this just an American problem? Not even close.
The Censys scan focused on U.S. systems, but the issue is global. Industrial control systems are exposed in countries around the world — Australia, the UK, Brazil, Indonesia, Germany. Wherever water infrastructure has been digitised without proper security, the risks are there.
In lower-income regions, systems are often rolled out quickly, with little cyber planning. In wealthier nations, decentralised governance means hundreds of small operators each manage their own infrastructure – and many are flying blind.
Shodan makes this visibility possible for anyone. And unfortunately, that includes people who are not just curious.
What should we be doing about this?
We know what needs to be done. The challenge is the will – and the funding – to do it.
Here’s where to start:
Security is not something we can bolt on later. It has to be built in from the beginning, and it has to be maintained with the same urgency as any other critical safety function.
We have spent decades debating what should go in the water. We have opinions on fluoride, chlorine, and microplastics. Meanwhile, no one stopped to ask whether the control panel was sitting online with no password.
This is not a hypothetical crisis. It is already happening, and it is fixable – but only if we stop treating cybersecurity like someone else’s problem.
At the very least, we should start by locking the door before the taps are turned off.
Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.
One idea that continues to guide his leadership comes from his time at Microsoft. When he joined the company in 2008, he was struck by a powerful metaphor. If we sit in one boat, we must not only row well. We must also remain in …
The Psychological Impacts of Cyberattacks What I will call the “Heroes” Let’s Rewrite the Story of a Cyberattack – Alternate History of a winning scenario Excerpt From the Interview Typical identification factor: “Right reflexes, right roles — from click to crisis” About the Author Didier …
CyAN is nearing the end of its spring 2025 mentorship programme. We extend a sincere thank you to our members who have agreed to contribute to the development of new talent entering the information security sector: Saba Bahgeri (Australia), Mohammed Shakil Khan (UAE), Mathew Nicho …
