CVE-2025-49113
Published: 02 June 2025
Summary
CVE-2025-49113 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Roundcube Webmail. Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Roundcube Webmail before version 1.5.10 and 1.6.x before 1.6.11 contains a deserialization flaw in program/actions/settings/upload.php where the _from URL parameter is not validated, allowing PHP object injection that leads to remote code execution. The issue is tracked as CWE-502 and carries a CVSS 3.1 score of 9.9, reflecting a network-accessible attack with low complexity and high impact across confidentiality, integrity, and availability.
Authenticated users can supply a crafted _from parameter to trigger the deserialization and execute arbitrary code on the server. Because the vector requires only a valid account and no user interaction, the flaw enables straightforward post-authentication compromise of affected installations.
Public commits and the associated pull request on the Roundcube repository show that the maintainers addressed the input validation gap in the fixed releases; administrators should upgrade to 1.5.10 or 1.6.11 and verify that the patched upload.php is deployed. The EPSS score has reached a peak of 0.9211 with a current value of 0.9047, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16605
Vulnerability details
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 20 February 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the _from parameter before it reaches unserialize() in upload.php, blocking the malicious serialized object that enables RCE.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patches (1.5.10/1.6.11) that add the missing input sanitization referenced in commits 0376f69e, 7408f313 and c50a07d8.
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification mechanisms that can detect unauthorized code or object modifications resulting from successful deserialization.
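The following is an added illustration of the SI-10 control described above; it is not Roundcube's code or its actual patch. It contrasts the weak pattern (request input flowing into unserialize()) with a hardened handler that treats _from as an opaque identifier checked against an allowlist, and shows the allowed_classes option as defence in depth for code that must deserialize its own trusted data. The allowlist values and function names are constructed for the example.

```php
<?php
// Added example, not Roundcube's code: demonstrates input validation of the
// _from request parameter before it can reach any deserialization sink.

declare(strict_types=1);

// Hypothetical set of origins the upload handler is willing to serve.
// Constructed for this example; the real upload.php defines its own.
const ALLOWED_FROM = ['edit-identity', 'edit-response', 'compose'];

// Weak pattern (CWE-502): the request parameter flows straight into
// unserialize(), so any object graph the caller supplies is instantiated
// server-side. Shown only as the pattern the hardened version replaces.
function resolve_from_unsafe(array $request): mixed
{
    return unserialize($request['_from'] ?? '');
}

// Hardened pattern: require a plain string and accept only exact matches
// from the allowlist. Everything else is rejected before reaching any sink.
function resolve_from_hardened(array $request): ?string
{
    $from = $request['_from'] ?? null;
    if (!is_string($from)) {
        return null;
    }
    // Strict comparison: no type juggling, no pattern matching, no decoding.
    return in_array($from, ALLOWED_FROM, true) ? $from : null;
}

// Defence in depth for code that must deserialize data it produced itself
// (never request data): forbid class instantiation so that only scalars and
// arrays come back, and objects degrade to __PHP_Incomplete_Class.
function safe_unserialize(string $trusted_blob): mixed
{
    return unserialize($trusted_blob, ['allowed_classes' => false]);
}

// Self-check with constructed inputs; only the first case is in the allowlist.
$cases = [
    ['_from' => 'edit-identity'],
    ['_from' => 'O:8:"stdClass":0:{}'],   // serialized-looking string, rejected
    ['_from' => ['nested']],              // wrong type, rejected
    [],                                   // missing parameter, rejected
];
foreach ($cases as $req) {
    $result = resolve_from_hardened($req);
    printf("%-32s => %s\n", json_encode($req),
        $result === null ? 'rejected' : "accepted ({$result})");
}
```

Run it with `php example.php`. The key design choice is that the hardened handler never interprets the parameter's contents at all: a value is either one of a small fixed set of identifiers or it is discarded, which removes the deserialization sink from the request path entirely rather than trying to filter serialized payloads.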