Cyber Resilience

CVE-2025-49113

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 02 June 2025
Modified: 23 February 2026
KEV Added: 20 February 2026
Patch
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9047 (99.6th percentile)
Risk Priority: 94 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-49113 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Roundcube Webmail. Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Roundcube Webmail before version 1.5.10 and 1.6.x before 1.6.11 contains a deserialization flaw in program/actions/settings/upload.php, where the _from URL parameter is not validated, allowing PHP object injection that leads to remote code execution. The issue is tracked as CWE-502 and carries a CVSS 3.1 score of 9.9, reflecting a network-accessible attack with low complexity and high impact across confidentiality, integrity, and availability.

Authenticated users can supply a crafted _from parameter to trigger the deserialization and execute arbitrary code on the server. Because the vector requires only a valid account and no user interaction, the flaw enables straightforward post-authentication compromise of affected installations.

Public commits and the associated pull request on the Roundcube repository show that the maintainers addressed the input validation gap in the fixed releases; administrators should upgrade to 1.5.10 or 1.6.11 and verify that the patched upload.php is deployed. The EPSS score has reached a peak of 0.9211 with a current value of 0.9047, indicating sustained exploitation interest after disclosure.
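The pattern behind this flaw is a request parameter flowing into unserialize() without validation. As an added illustration (not Roundcube's code; the request handling is simplified and the allowlist values are assumed), the following contrasts the unsafe pattern with a validated one that never deserializes client-controlled data:

```php
<?php
// Added example, not Roundcube's code. Illustrates the CWE-502 pattern
// described for CVE-2025-49113: the "_from" request parameter reaches
// unserialize() without any validation.

// Unsafe pattern: whatever the client sends is deserialized. A serialized
// string can instantiate arbitrary classes and invoke their magic methods,
// which is the PHP object injection primitive named in the advisory.
function handle_upload_unsafe(array $request): mixed
{
    $from = $request['_from'] ?? '';
    return unserialize($from);              // CWE-502: untrusted input
}

// Hardened pattern: treat "_from" as an opaque identifier that must match
// an allowlist of known callers, and never pass it to unserialize().
// The allowlist values below are assumed for this example.
const ALLOWED_FROM = ['edit-identity', 'edit-response', 'add-identity'];

function handle_upload_safe(array $request): string
{
    $from = $request['_from'] ?? '';
    // Structural check first: identifiers are short, printable tokens.
    if (!is_string($from) || !preg_match('/^[a-z0-9_-]{1,32}$/', $from)) {
        throw new InvalidArgumentException('invalid _from parameter');
    }
    // Then a semantic check against the allowlist (strict comparison).
    if (!in_array($from, ALLOWED_FROM, true)) {
        throw new InvalidArgumentException('unknown _from value');
    }
    return $from;
}

// If serialized state genuinely must be restored, take it from server-side
// storage (never from the request) and refuse to instantiate any class.
function restore_state(string $serialized): mixed
{
    return unserialize($serialized, ['allowed_classes' => false]);
}
```

The regex and allowlist stages map directly onto the SI-10 control listed below: reject malformed input before any semantic handling, then accept only known values.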

Vulnerability details

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 20 February 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

roundcube webmail: ≤ 1.5.10 · 1.6.0 — 1.6.11
debian linux: 11.0

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10 Information Input Validation): Directly requires validation of the _from parameter before it reaches unserialize() in upload.php, blocking the malicious serialized object that enables RCE.

prevent (SI-2 Flaw Remediation): Mandates timely application of the vendor patches (1.5.10/1.6.11) that add the missing input sanitization referenced in commits 0376f69e, 7408f313 and c50a07d8.

detect: Requires integrity verification mechanisms that can detect unauthorized code or object modifications resulting from successful deserialization.
