CVE-2025-49113 is not a vague “update when convenient” webmail bug. It is a Roundcube Webmail remote code execution vulnerability caused by unvalidated input reaching a PHP object deserialization path. The affected upstream versions are Roundcube Webmail before 1.5.10 and the 1.6.x branch before 1.6.11. The vulnerable area named in the public record is program/actions/settings/upload.php, where the _from URL parameter was not validated before later processing. NVD describes the flaw as allowing remote code execution by authenticated users, and maps it to CWE-502, Deserialization of Untrusted Data. (NVD)
The “authenticated” part is important, but it should not make defenders relax. Webmail is not a low-value admin screen used by two trusted operators. Roundcube often sits on public-facing mail portals, shared hosting stacks, organizational webmail deployments, and control-panel-managed servers. A single compromised mailbox can be enough to turn a post-auth vulnerability into a server-side foothold attempt. CISA later added CVE-2025-49113 to its Known Exploited Vulnerabilities catalog, with a February 20, 2026 date added and a March 13, 2026 due date for required action under the KEV entry. (NVD)
Roundcube published security updates 1.6.11 and 1.5.10 on June 1, 2025, stating that both releases fixed a “Post-Auth RCE via PHP Object Deserialization” reported by Kirill Firsov, and strongly recommended updating production Roundcube 1.6.x and 1.5.x installations. (Roundcube) GitHub’s reviewed advisory lists affected Composer package ranges as < 1.5.10 و >= 1.6.0, < 1.6.11, with patched versions 1.5.10 and 1.6.11. (جيثب)
The operational answer is straightforward: patch first, then investigate. The technical answer is more interesting: CVE-2025-49113 shows how a small-looking request parameter in a logged-in feature can become dangerous when it crosses object, session, and deserialization boundaries in a PHP application.
The core facts
| الحقل | What defenders need to know |
|---|---|
| مكافحة التطرف العنيف | CVE-2025-49113 |
| المنتج | Roundcube Webmail |
| فئة الضعف | Post-auth remote code execution through PHP object deserialization |
| الضعف | CWE-502, Deserialization of Untrusted Data |
| Affected upstream versions | Before 1.5.10, and 1.6.x before 1.6.11 |
| Patched upstream versions | 1.5.10 and 1.6.11 |
| Vulnerable area | program/actions/settings/upload.php, specifically handling around _from |
| Attack precondition | The attacker needs authenticated access to Roundcube |
| User interaction | None after the attacker is authenticated |
| CISA KEV status | Added to KEV on February 20, 2026, due March 13, 2026 |
| إجراء فوري | Upgrade or apply vendor-supplied patched packages, then review logs and account activity |
One subtle point: public scoring is not perfectly uniform. NVD currently shows an NVD CVSS v3.1 base score of 8.8 HIGH with scope unchanged, while the CNA score shown on the same NVD page is 9.9 CRITICAL with scope changed. The underlying description is the same: authenticated RCE through unvalidated _from leading to PHP object deserialization. (NVD) That difference matters less than it may seem in day-to-day triage. A webmail RCE affecting an internet-facing login surface, later added to CISA KEV, belongs near the top of a patch queue even if one database view says HIGH and another says CRITICAL. (NVD)
Why a logged-in Roundcube RCE still deserves urgent treatment
Security teams sometimes downgrade authenticated vulnerabilities too aggressively. That instinct can be reasonable for an obscure admin-only feature behind strong access control, but Roundcube has a different risk profile.
A webmail user is not equivalent to a hardened system administrator. Mailboxes are routinely exposed to credential stuffing, password reuse, phishing, OAuth abuse, weak IMAP passwords, and reused hosting-panel credentials. If an attacker can log in as a normal mailbox user, the security boundary has already shifted from “outside the application” to “inside a trusted webmail session.” CVE-2025-49113 matters because its public description says authenticated users can reach server-side code execution in vulnerable versions. (NVD)
Email systems also hold unusually valuable data. A mailbox may contain password reset links, VPN onboarding emails, customer support threads, invoices, internal security alerts, cloud invite links, CI/CD notifications, HR files, and vendor correspondence. Even when a vulnerability does not grant server-side execution, Roundcube bugs have historically been attractive because email is a collection point for identity, trust, and business context.
The Roundcube ecosystem has already seen real targeting. ESET reported that Winter Vivern exploited a Roundcube Webmail zero-day later assigned CVE-2023-5631 in October 2023, targeting European governmental entities and a think tank. That flaw was an XSS issue triggered through a crafted email message, not the same bug as CVE-2025-49113, but it shows why webmail interfaces are valuable targets. (We Live Security) Sonar later described a separate 2024 Roundcube XSS issue, CVE-2024-42009, where viewing a crafted email could allow an attacker to execute JavaScript in the victim’s browser and potentially steal emails, contacts, or credentials. (SonarSource)
CVE-2025-49113 moves the risk to a different layer. Instead of browser-side JavaScript execution in the victim’s session, the public record describes a server-side PHP object deserialization path that can lead to remote code execution for authenticated users. (NVD) That is why the right mental model is not “only logged-in users can reach it.” The better model is “any compromised mailbox account may become a path to code execution on the Roundcube host if the deployment remains vulnerable.”
What changed after the original disclosure
When CVE-2025-49113 first appeared in June 2025, some public advisories stated that public proof-of-concept code existed but that active exploitation had not been confirmed at the time. Censys, for example, described the vulnerability on June 10, 2025, noted public exploit code, and stated that there was no confirmed evidence of active exploitation at the time of writing. It also observed more than 2.47 million exposed Roundcube Webmail instances online at that time, while cautioning that exposure did not automatically mean exploitability. (سينسيس)
That status changed. CISA’s KEV update, reflected on the NVD page, added CVE-2025-49113 on February 20, 2026, with required action to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. (NVD) The Hacker News also reported that CISA added two Roundcube flaws, including CVE-2025-49113, to KEV based on evidence of active exploitation. (أخبار القراصنة)
For defenders, this timeline is a useful lesson. “No known exploitation” is a timestamped statement, not a permanent property. Once exploit details, patch diffs, public PoCs, and exposed services coexist, the risk environment can change quickly. A vulnerability can move from “patch soon” to “patch now” without the underlying code changing at all.
Where the bug lives in the request flow

_from Parameter Reaches a Sensitive Processing BoundaryThe public description points to _from handling in program/actions/settings/upload.php. The Roundcube patch commit for the 1.6 branch is titled “Validate URL parameter in upload code” and changes three files: program/actions/settings/upload.php, program/lib/Roundcube/rcube_utils.php, and a framework test file. (جيثب)
The critical part of the patch is simple and revealing. In upload.php, Roundcube reads _from from the GET parameters, derives a $type value, and then adds validation before continuing. The patch rejects values that do not pass rcube_utils::is_simple_string($type), logs an error saying the _from URL parameter contains disallowed characters, displays an invalid input message, and returns the iframe response. (جيثب)
The same commit adds rcube_utils::is_simple_string(). The helper defines a “simple” string as a non-empty value containing only word characters, dots, and dashes, implemented with a regular expression equivalent to ^[\w.-]+$. (جيثب)
This tells defenders something important. The fix is not a large rewrite of Roundcube’s upload feature. It is a strict input boundary placed in front of a value that should never have contained complex serialized, delimiter-heavy, or structurally meaningful input. The vulnerability is a classic case where a parameter that looks like navigation or UI state can become dangerous because the server later treats it as part of a deeper internal data structure.
PHP object deserialization in plain terms
PHP object deserialization vulnerabilities happen when an application accepts data that can influence reconstructed PHP objects. In PHP, serialized object data can cause classes to be rehydrated. If the application has reachable classes with sensitive behavior in magic methods such as __إيقاظ, __التدمير, __ إلى سلسلة, or initialization paths, attackers may be able to trigger unintended file operations, command execution, SSRF-like behavior, or other side effects. The exact impact depends on the classes available, autoloading behavior, framework code, plugins, and application state.
CWE-502 is broad because the danger is not only “someone called إلغاء التسلسل().” The deeper issue is trust. If an attacker can control data crossing a serialization boundary, or can influence object-like reconstruction through a framework, session handler, cache system, queue, or dependency injection container, the application may be asked to instantiate or process structures that were never meant to be attacker-controlled. NVD maps CVE-2025-49113 to CWE-502, which matches the public description of PHP object deserialization. (NVD)
In Roundcube’s case, the public record and patch point specifically to _from validation in the settings upload action. (NVD) The safe lesson is not “copy an exploit payload.” The safe lesson is that URL parameters used for UI routing, upload context, or session append operations need strong allowlists when their values later interact with internal keys, serialization-sensitive storage, or object-processing paths.
Why the patch is an allowlist, not a blacklist
The new is_simple_string() helper rejects anything outside a narrow character set. That is the right style of fix for this class of bug. A blacklist asks developers to predict every dangerous byte, delimiter, encoding trick, or serialization pattern. An allowlist asks a simpler question: what characters does this parameter actually need for legitimate behavior?
بالنسبة لـ _from in a settings upload path, legitimate values should be boring. A parameter that names a UI source, upload type, or settings context should not need quotes, braces, semicolons, null bytes, encoded object markers, path separators, or complex delimiters. The Roundcube patch’s regular expression allows alphanumeric and underscore-style word characters, dots, and dashes. (جيثب) That kind of check sharply reduces the chance that a value can be repurposed as structured data.
Security teams can reuse that design pattern in their own PHP applications:
function is_simple_string($input): bool
{
return is_string($input) && preg_match('/^[\w.-]+$/i', $input) === 1;
}
$from = $_GET['_from'] ?? '';
if (!is_simple_string($from)) {
http_response_code(400);
error_log('Rejected unsafe _from-like parameter');
exit('Invalid input');
}
This snippet is not a Roundcube exploit or a Roundcube patch. It is the defensive pattern the patch illustrates: validate the shape of a parameter before it reaches code that treats it as a key, context selector, session suffix, object field, or storage identifier.
A safe local PoC for the dangerous pattern
The following demonstration is intentionally not a CVE-2025-49113 exploit. It does not target Roundcube, does not reproduce the real vulnerable endpoint, does not include a weaponized payload, and should not be pointed at any live system. It is a local toy example that helps defenders understand the vulnerability class: untrusted request data crossing into a serialization-sensitive boundary without a strict allowlist.
Create a local file named unsafe_demo.php:
<?php
declare(strict_types=1);
/*
* Safe educational toy example.
* This does not exploit Roundcube and does not execute commands.
* It only demonstrates why complex attacker-controlled strings
* should not be allowed to influence serialization-sensitive keys.
*/
session_start();
$from = $_GET['from'] ?? 'profile';
// Dangerous pattern: user input becomes part of an internal session key.
$key = 'upload_context_' . $from;
$_SESSION[$key] = [
'created_at' => date('c'),
'purpose' => 'demo-only'
];
header('Content-Type: text/plain');
echo "Stored demo session key:\n";
echo $key . "\n\n";
echo "Why this is risky in real applications:\n";
echo "- The application treats a URL parameter as internal structure.\n";
echo "- Complex delimiters or encoded data may cross a trust boundary.\n";
echo "- If later code serializes, deserializes, appends, or parses this value,\n";
echo " the input can affect behavior far beyond simple routing.\n";
Now create safe_demo.php:
<?php
declare(strict_types=1);
/*
* Safe educational toy example.
* This mirrors the defensive idea of accepting only a simple string.
*/
session_start();
function is_simple_string($input): bool
{
return is_string($input) && preg_match('/^[\w.-]+$/i', $input) === 1;
}
$from = $_GET['from'] ?? 'profile';
if (!is_simple_string($from)) {
http_response_code(400);
error_log('Rejected non-simple input in demo from parameter');
echo "Invalid input\n";
exit;
}
$key = 'upload_context_' . $from;
$_SESSION[$key] = [
'created_at' => date('c'),
'purpose' => 'demo-only'
];
header('Content-Type: text/plain');
echo "Accepted safe demo session key:\n";
echo $key . "\n";
Run it only on localhost:
php -S 127.0.0.1:8080
Then test harmless values:
curl 'http://127.0.0.1:8080/unsafe_demo.php?from=settings-profile'
curl 'http://127.0.0.1:8080/safe_demo.php?from=settings-profile'
curl 'http://127.0.0.1:8080/safe_demo.php?from=not%20simple'
The point is not that the unsafe toy script is exploitable by itself. It is deliberately harmless. The point is that a real application may later pass the derived key or value into session append logic, object reconstruction, plugin hooks, upload handlers, cache storage, or serialization code. The safe demo blocks values that are not simple identifiers. That is the same defensive instinct visible in Roundcube’s patch: reject complex structure before it reaches a sensitive boundary. (جيثب)
Attack conditions and risk boundaries
| السيناريو | Risk level | ما أهمية ذلك |
|---|---|---|
| Public Roundcube, vulnerable version, no MFA | عالية جداً | A stolen mailbox password may be enough to reach the vulnerable authenticated path |
| Public Roundcube, vulnerable version, strong MFA | عالية | MFA reduces account compromise, but does not fix the server-side flaw |
| Internal-only Roundcube, vulnerable version | Medium to high | Risk shifts to VPN users, compromised endpoints, and internal attackers |
| Vendor-managed Roundcube with backported fix | Depends | Version string may look old, but package may be patched |
| Patched upstream Roundcube 1.5.10 or 1.6.11 | أقل | Specific CVE path should be fixed, but newer security updates may still matter |
| Current supported Roundcube version with access controls | أقل | Best practical posture, assuming logs and auth controls are healthy |
The presence of authentication changes how exploitation starts, not what the impact can be after the vulnerable code path is reached. That is why KEV status matters. CISA does not add a CVE to KEV merely because the CVSS score is high; the catalog is intended to track vulnerabilities with evidence of exploitation in the wild. The NVD KEV section for CVE-2025-49113 records the required action and due date. (NVD)
How to confirm whether an installation is affected
Start with inventory, not exploit code. Many Roundcube deployments are not installed from a neat upstream tarball. They may come through Debian packages, Ubuntu packages, hosting panels, Plesk, cPanel, DirectAdmin, iRedMail, HestiaCP, Docker images, custom vendor builds, or manually copied source trees. The fix source matters.
For Debian or Ubuntu-style packages:
dpkg -l | grep -i roundcube
apt-cache policy roundcube roundcube-core 2>/dev/null
For RPM-style systems:
rpm -qa | grep -i roundcube
For source deployments, check the installed application tree:
cd /var/www/roundcube 2>/dev/null || cd /usr/share/roundcube 2>/dev/null
grep -R "RCMAIL_VERSION" -n program/include/iniset.php
The Roundcube source tree defines RCMAIL_VERSION في program/include/iniset.php, so this is a practical way to identify the installed upstream application version when you have filesystem access. (جيثب)
For Debian specifically, the security tracker shows fixed package versions that do not always equal the upstream version number. For example, Debian’s tracker lists fixed package states across bullseye, bookworm, trixie, forky, and sid, and references Debian LTS and Debian Security Advisory fixes. (Debian Security Tracker) Debian’s LTS announcement says the issue was fixed for Debian 11 bullseye in 1.4.15+dfsg.1-1+deb11u5, even though the upstream fixed versions are 1.5.10 and 1.6.11. (Debian Mailing Lists)
That backport detail matters. If you use a distribution package, do not assume “version lower than 1.5.10” always means vulnerable. Distribution maintainers often backport security patches while keeping older upstream version numbers. The right question is: did your package maintainer ship the CVE-2025-49113 fix?
Plesk, hosting panels, and the version-string trap
Hosting control panels complicate Roundcube triage. Plesk’s advisory for CVE-2025-49113 says Roundcube versions lower than 1.5.10 and 1.6.11 are affected, but also states that Plesk backported the patch to 1.6.10 and 1.4.15 to deliver it quickly. Plesk instructs customers to install the latest Plesk updates and provides a build-number check for determining whether the patched Roundcube package is installed. (Plesk)
That creates two common mistakes:
First, a scanner may report a vulnerable upstream version because it sees “Roundcube 1.6.10.” If the vendor backported the fix, that may be a false positive unless the scanner checks vendor package build metadata.
Second, an administrator may dismiss the issue because the hosting panel auto-updates. That is risky unless the panel’s package status, micro-update level, and Roundcube build evidence confirm the specific CVE fix.
For managed hosting stacks, collect all three pieces of evidence:
# Package-level view
dpkg -l | grep -i roundcube || rpm -qa | grep -i roundcube
# Application tree view
grep -R "RCMAIL_VERSION" -n /usr/share/roundcube/program/include/iniset.php 2>/dev/null
# Panel update view, adapt to the panel used in your environment
plesk version 2>/dev/null
For an internal report, record the panel vendor, panel version, Roundcube package version, upstream Roundcube version if visible, and vendor advisory status. That evidence is stronger than a screenshot of the webmail login page.
Current patch guidance
The minimum upstream fix for CVE-2025-49113 is Roundcube 1.5.10 or 1.6.11. Roundcube’s June 2025 release announcement strongly recommended updating all production 1.6.x and 1.5.x installations. (Roundcube) The GitHub releases for 1.6.11 and 1.5.10 both describe the update as a security update fixing post-auth RCE via PHP object deserialization. (جيثب)
As of July 2026, however, defenders should not aim for “barely fixed” if they can avoid it. Roundcube published later security releases 1.6.17 and 1.7.2 on July 5, 2026, addressing additional vulnerabilities in the 1.6 LTS and 1.7 branches. (Roundcube) The Roundcube release page shows 1.7.2 and 1.6.17 as the latest security releases at that point. (Roundcube)
A sensible upgrade target depends on the deployment:
| Deployment state | الإجراء الموصى به |
|---|---|
| Upstream 1.6.x before 1.6.11 | Upgrade immediately, preferably to the latest supported 1.6.x security release or 1.7.x if compatible |
| Upstream 1.5.x before 1.5.10 | Upgrade immediately, and evaluate whether remaining on 1.5.x is still acceptable |
| Distribution-managed package | Apply the distribution security update and verify the package changelog or security tracker |
| Plesk-managed Roundcube | Apply latest Plesk updates and verify the patched build, not only the upstream-looking version |
| Custom source install | Replace with a patched upstream release after backing up config, plugins, database, and user data |
| Unknown install path | Treat as high priority until ownership, version, and patch source are proven |
Before upgrading, back up the application directory, configuration files, database, plugins, skins, and any custom patches. Roundcube’s own 1.6.11 and 1.5.10 release notes recommend backing up data before updating. (جيثب)
Temporary mitigations when patching is blocked
Patching is the correct fix. Temporary mitigations are useful only when a production constraint blocks immediate deployment. They should be time-boxed and tracked as compensating controls, not treated as closure.
Reasonable short-term controls include:
# Example only. Test carefully before production use.
# Prefer patching over relying on path blocking.
location ~* /program/actions/settings/upload\.php$ {
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
}
If your Roundcube routing does not expose that filesystem path directly, the above rule may not match the real request path. In many deployments, application routing, webroot layout, panel integration, or rewrite rules change what the web server sees. Test against your actual access logs before assuming a path-level block works.
A WAF can also be used as a temporary guardrail to block suspicious _from values that contain characters outside the expected simple-string shape:
# Example ModSecurity-style concept.
# Test in detection mode first. Do not use as a substitute for patching.
SecRule ARGS:_from "!@rx ^[A-Za-z0-9_.-]+$" \
"id:4911301,phase:2,deny,status:403,msg:'Blocked non-simple Roundcube _from parameter'"
The rule mirrors the defensive idea in Roundcube’s patch, but it is not equivalent to the patch. It may miss alternate routes, encoded forms, panel-specific paths, or requests that never pass through the WAF in the expected way. It may also break custom plugins if they used unexpected _from values. Use it as a temporary reduction measure while the real fix is scheduled.
Other short-term controls are often more reliable:
# Restrict Roundcube to VPN or trusted networks at the reverse proxy.
# Disable public access during an emergency window if business allows.
# Force password resets for suspicious webmail users.
# Require MFA where the surrounding identity stack supports it.
# Disable stale mailbox accounts.
The uncomfortable truth is that a post-auth RCE in webmail is exactly the kind of bug where “we will patch next month” is too slow once KEV status exists.
Log sources that matter
Detection should focus on four layers: web requests, application logs, PHP runtime errors, and mailbox behavior.
Start with web access logs. The goal is not to publish exploit patterns. The goal is to find unusual access to settings upload behavior, especially values for _from that do not look like simple identifiers.
# Nginx or Apache access logs, adjust path names for your environment.
zgrep -hE '(_task=settings|_action=upload|_from=)' /var/log/nginx/access.log* /var/log/apache2/access.log* 2>/dev/null \
| sed -E 's/(password=)[^& ]+/\1REDACTED/g' \
| head -200
Look for requests where _from contains URL-encoded structural characters, unexpected delimiters, long values, binary-looking data, repeated requests after login, or unusual source IPs. Do not paste suspicious values into a browser or replay them against production.
Next, review PHP-FPM and web server error logs:
zgrep -hiE 'roundcube|upload.php|_from|unserialize|deserialize|session|fatal|invalid input' \
/var/log/php*-fpm.log* /var/log/nginx/error.log* /var/log/apache2/error.log* 2>/dev/null \
| tail -300
If your installation has the Roundcube patch, the new validation path can log an error similar in meaning to “The URL parameter _from contains disallowed characters and the request is thus rejected,” according to the patch diff. (جيثب) A post-patch spike in that message may indicate probing attempts or a broken plugin.
Roundcube application logs vary by configuration. Check the configured log directory and search for upload, settings, invalid input, and session-related errors:
find /var/log /usr/share/roundcube /var/www -type f 2>/dev/null \
| grep -Ei 'roundcube|errors|userlogins|sendmail' \
| head -100
Then review authentication and mailbox activity. A post-auth bug may begin with a normal-looking login. Relevant signals include:
# Mail authentication and IMAP/SMTP logs vary by stack.
zgrep -hiE 'imap-login|sasl|roundcube|auth|failed|login' /var/log/mail.log* /var/log/maillog* 2>/dev/null \
| tail -300
Look for impossible travel, new IP ranges, unusual User-Agents, mailbox users logging in immediately before suspicious _from requests, unexpected forwarding rules, new filters, sudden outbound mail volume, or IMAP downloads from unfamiliar clients. RCE risk does not erase the mailbox-compromise angle; the two often reinforce each other.
What a safe validation workflow looks like

A good validation workflow proves exposure without turning a production server into an exploit lab.
Start by identifying the asset owner and deployment path. Confirm whether Roundcube is directly installed, bundled by a hosting panel, provided by a Linux distribution, or containerized. Then determine the installed version and patch provenance. For upstream source installs, compare against 1.5.10 and 1.6.11. For distro and panel installs, use the vendor’s security advisory or package changelog.
Next, check whether the service is internet-facing. Censys showed in June 2025 that large numbers of Roundcube instances were exposed online, but also cautioned that identified Roundcube exposure was not the same thing as confirmed vulnerability. (سينسيس) Treat exposure as a prioritization factor, not as proof.
Then review logs for suspicious authenticated access. Do not run public exploit code on production. Public exploit availability can help risk prioritization, but using it casually can create data loss, shells, callbacks, or legal issues. For most organizations, the proof needed for remediation is version and patch evidence plus KEV status, not RCE.
In authorized testing environments, keep the proof minimal:
Evidence package:
1. Asset name and owner
2. Roundcube deployment source
3. Installed version or package build
4. Vendor advisory mapping
5. Patch status
6. Exposure status
7. Relevant log findings
8. Screenshot or command output showing fixed version
9. Retest timestamp
10. Residual risk and next action
For teams that run AI-assisted security workflows, the useful automation is not “fire exploit payloads at every webmail login.” The useful workflow is stateful evidence handling: preserving authenticated request context, correlating version evidence with vendor advisories, checking whether scanners are confused by backports, grouping logs around the same user session, and producing a report that separates confirmed exposure from assumptions. Penligent’s AI penetration testing platform at https://www.penligent.ai/ is relevant in that narrow sense: it can support authorized validation, evidence collection, and retesting workflows without turning a CVE triage task into a loose exploit run. A related Penligent article on bug bounty tooling also discusses CVE-2025-49113 as an example where state preservation and precise request handling matter more than unauthenticated broad scanning. (بنليجنت)
Patch verification without weaponized testing
After patching, do not stop at “the package manager completed successfully.” Verify the fix from several angles.
For upstream source deployments:
grep -R "function is_simple_string" -n /path/to/roundcube/program/lib/Roundcube/rcube_utils.php
grep -R "The URL parameter \"_from\" contains disallowed characters" -n /path/to/roundcube/program/actions/settings/upload.php
For package-managed deployments:
dpkg -l | grep -i roundcube
apt changelog roundcube 2>/dev/null | grep -i "49113\|deserialization\|security" -C 3
For Plesk-managed deployments, follow the Plesk advisory’s package-build verification approach rather than relying only on the Roundcube UI version string, because Plesk states it backported the fix to Roundcube 1.6.10 and 1.4.15 builds. (Plesk)
For the web tier, verify that old temporary WAF rules are either removed after patching or converted into safe hardening rules that do not break legitimate settings uploads. Leaving emergency rules in place forever often creates future operational bugs.
For identity, review the users who logged in during the vulnerable window. A server-side patch does not invalidate stolen passwords, malicious forwarding rules, OAuth tokens, or compromised mailbox sessions. If logs suggest suspicious access, rotate credentials, revoke sessions where possible, review forwarding/filter rules, and inspect outbound mail.
Detection logic and false positives
Version-based scanners will produce both true positives and false positives for CVE-2025-49113.
A true positive is likely when the scanner can prove an upstream vulnerable version, no vendor backport, and a reachable Roundcube service. A false positive is possible when a distribution or hosting panel backported the patch without changing the upstream-looking version string. Debian and Plesk both illustrate this issue in different ways: Debian fixed older package branches through distribution-specific package versions, and Plesk says it backported the fix to 1.6.10 and 1.4.15. (Debian Security Tracker)
A useful scanner result should include:
| Evidence type | Good evidence | Weak evidence |
|---|---|---|
| Version | Package build, upstream version, changelog, advisory mapping | Login page banner only |
| Patch | File diff, vendor security package, fixed function present | “Latest updates installed” without detail |
| Exposure | Confirmed reachable service under organization scope | Search-engine result from unknown date |
| Exploitability | Authorized lab validation or safe request-shape test | Public exploit run against production |
| Logs | Correlated auth, request, and application logs | Single unexplained HTTP request |
Do not treat a single scanner line as the full truth. CVE-2025-49113 requires context: how Roundcube was installed, whether a vendor backport exists, whether the service is exposed, whether accounts are protected, and whether there is evidence of suspicious authenticated access.
Related Roundcube vulnerabilities that change the risk picture
CVE-2025-49113 is server-side RCE after authentication. It should not be confused with Roundcube’s browser-side mail-rendering vulnerabilities, but those earlier bugs explain why attackers care about this software.
| مكافحة التطرف العنيف | Year | نوع الضعف | الزناد | Why it is relevant |
|---|---|---|---|---|
| CVE-2023-5631 | 2023 | Stored XSS in Roundcube | Victim views crafted email | ESET reported exploitation by Winter Vivern against European government-related targets |
| CVE-2024-42009 | 2024 | XSS through sanitized HTML post-processing | Victim views crafted email | Sonar described possible email theft, credential theft, and sending email as the victim |
| CVE-2024-42008 | 2024 | XSS in attachment serving | Attachment handling | Part of Roundcube’s August 2024 security update set |
| CVE-2024-42010 | 2024 | Information leak through insufficient CSS filtering | Malicious email content | Shows CSS and HTML sanitization remain important in webmail |
| CVE-2025-49113 | 2025 | Authenticated RCE through PHP object deserialization | Authenticated settings upload path | Server-side impact, later added to CISA KEV |
Roundcube’s August 2024 security update fixed CVE-2024-42009, CVE-2024-42008, and CVE-2024-42010, covering XSS and information leak issues in sanitized HTML, attachments, and CSS filtering. (Roundcube) Sonar’s technical write-up emphasized that webmail bugs can lead to email theft, contact theft, credential theft, and unauthorized sending when a crafted message executes script in the victim’s browser. (SonarSource) ESET’s Winter Vivern report showed that Roundcube XSS exploitation was not only theoretical. (We Live Security)
The reason to connect these CVEs is not to blur their mechanics. The reason is to understand the platform risk. Roundcube processes hostile email content, authenticated user actions, uploads, attachments, plugins, sessions, and server-side PHP state. That combination produces a broad attack surface. CVE-2025-49113 is especially severe because the public record moves beyond client-side session abuse into authenticated server-side code execution. (NVD)
Common mistakes during remediation
The first mistake is treating authentication as a sufficient mitigation. It is not. Authentication reduces who can reach the vulnerable path, but it does not change the impact once a mailbox account is compromised.
The second mistake is relying only on the visible Roundcube version. Vendor backports can make an old-looking version safe for this CVE, while custom source installs can make a seemingly updated deployment risky if files were not actually replaced. Use package metadata, changelogs, file checks, and vendor advisories.
The third mistake is running public exploit code as a test. Public PoCs often contain assumptions, callbacks, payloads, or side effects that are not suitable for production. A security team does not need to demonstrate arbitrary command execution on a live mail server to justify patching a KEV-listed RCE.
The fourth mistake is patching Roundcube but ignoring mailbox abuse. If an attacker had credentials before the patch, they may have created forwarding rules, downloaded mail, added filters, sent phishing, or used information inside the mailbox to attack other systems.
The fifth mistake is leaving the webmail surface unchanged after the emergency. Public webmail may be necessary, but it should be protected with MFA where possible, rate limiting, strong password policy, logging, alerting, and restricted admin paths. If Roundcube is only needed internally, do not leave it exposed to the entire internet.
Hardening beyond the patch
CVE-2025-49113 has a specific fix, but the broader defensive work is about reducing blast radius.
Limit PHP process permissions. The web server user should not have write access to application code directories. Upload directories should not execute PHP. Temporary directories should be separated from executable paths. Configuration files should be readable only by the processes that need them.
Review plugins. Roundcube plugins often extend settings, uploads, identity handling, password changes, and address book behavior. Disable unused plugins and keep active plugins updated. A patched core with an abandoned plugin is still a risky webmail stack.
Protect authentication. Enforce MFA at the surrounding identity layer if Roundcube itself is integrated into a broader SSO or panel environment. Rate-limit login attempts. Disable stale accounts. Monitor for new geographies, new devices, and unusual User-Agents.
Tune session security. Use secure cookies, HttpOnly, SameSite where compatible, HTTPS-only access, short idle timeouts for high-risk environments, and server-side session storage that is not shared with unrelated applications.
Reduce exposure. Put webmail behind VPN or conditional access when business allows. If public access is required, restrict administrative interfaces, add reverse-proxy logging, and centralize alerts.
Keep following Roundcube security releases. As of July 2026, Roundcube has continued shipping security updates after the 1.6.11 and 1.5.10 fixes, including 1.6.17 and 1.7.2. (Roundcube) Treat webmail as a living security maintenance responsibility, not as a one-time package installed during mail server setup.
Incident response checklist
If you discover a vulnerable Roundcube deployment, use a sequence that separates emergency containment from deeper investigation.
| المرحلة | الإجراء | Output |
|---|---|---|
| تحديد | Find all Roundcube instances and owners | Asset list |
| تحقق | Determine upstream, distro, or panel patch status | Evidence of affected or fixed state |
| Contain | Restrict public access if patching is delayed | Temporary risk reduction |
| Patch | Upgrade or apply vendor security update | Fixed package or source tree |
| Review logs | Check authenticated requests, _from anomalies, PHP errors | Suspicious activity timeline |
| Review accounts | Check mailbox logins, forwarding rules, filters, outbound spikes | Account abuse findings |
| Retest | Confirm fixed version or patch indicators | Closure evidence |
| Improve | Add monitoring, MFA, exposure limits, update process | Long-term control improvements |
The most important practical habit is to preserve evidence before logs rotate. Web access logs, PHP-FPM logs, Roundcube logs, mail auth logs, and panel update logs may sit in different locations. Collect them early, hash the exported files if you are doing formal incident response, and avoid replaying suspicious requests.
Safe commands for defenders
The following commands are safe inventory and log-review examples. They do not exploit the vulnerability and do not contact third-party targets.
# Find likely Roundcube paths.
find /var/www /usr/share /opt -maxdepth 4 -type f -path '*roundcube*iniset.php' 2>/dev/null
# Check version constant in source-style installs.
grep -R "RCMAIL_VERSION" -n /var/www /usr/share /opt 2>/dev/null | grep -i roundcube
# Check Debian or Ubuntu packages.
dpkg -l | grep -i roundcube
# Check RPM packages.
rpm -qa 2>/dev/null | grep -i roundcube
# Search web logs for settings upload indicators.
zgrep -hE '(_task=settings|_action=upload|_from=)' /var/log/nginx/access.log* /var/log/apache2/access.log* 2>/dev/null | tail -200
# Search error logs for deserialization or validation clues.
zgrep -hiE 'roundcube|_from|upload.php|unserialize|deserialize|invalid input|session' /var/log/*/*log* /var/log/*log* 2>/dev/null | tail -300
For production, redirect outputs into a case directory and redact credentials before sharing:
mkdir -p ~/roundcube-cve-2025-49113-review
zgrep -hE '(_task=settings|_action=upload|_from=)' /var/log/nginx/access.log* /var/log/apache2/access.log* 2>/dev/null \
| sed -E 's/(pass|password|_pass)=([^& ]+)/\1=REDACTED/gi' \
> ~/roundcube-cve-2025-49113-review/web-settings-upload-events.txt
A clean report should say what was checked, what was found, what remains unknown, and what action was taken. Avoid phrases like “not exploitable” unless you truly tested the exact deployment under authorization and can explain why. “Patched according to vendor package evidence” is usually more accurate.
الأسئلة الشائعة
Is CVE-2025-49113 unauthenticated?
- No. The public record describes it as exploitable by authenticated users.
- That still matters because webmail credentials are commonly stolen through phishing, reuse, IMAP exposure, and weak account hygiene.
- Once the attacker has a valid Roundcube session, the issue can become a server-side RCE risk on vulnerable versions. (NVD)
Which Roundcube versions are affected by CVE-2025-49113?
- Upstream Roundcube Webmail before 1.5.10 is affected.
- Upstream Roundcube Webmail 1.6.x before 1.6.11 is affected.
- GitHub’s reviewed advisory lists patched versions as 1.5.10 and 1.6.11. (جيثب)
- Distribution and hosting-panel builds may backport the fix, so package advisory status matters.
Has CVE-2025-49113 been exploited in the wild?
- CISA added CVE-2025-49113 to its Known Exploited Vulnerabilities catalog on February 20, 2026.
- The NVD page records CISA’s due date as March 13, 2026 and required action to apply vendor mitigations or discontinue use if mitigations are unavailable. (NVD)
- Earlier advisories from June 2025 may say exploitation was not confirmed at that time; that statement is outdated for current prioritization. (سينسيس)
How can I safely check whether my server is vulnerable?
- Do not run public exploit code against production.
- Identify how Roundcube was installed: upstream source, OS package, hosting panel, or container.
- Check the version, package changelog, vendor advisory, and presence of the validation patch.
- Review logs for suspicious authenticated requests involving settings upload behavior and unusual
_fromالقيم. - If you need exploitation-level validation, do it only in an isolated authorized lab.
Can a WAF rule fix CVE-2025-49113?
- A WAF rule can reduce risk temporarily by blocking non-simple
_fromالقيم. - It cannot reliably replace the Roundcube patch because routing, encoding, panel integration, and application behavior can differ.
- Use WAF controls as a time-limited compensating control while upgrading.
- The durable fix is to apply patched Roundcube or vendor-maintained packages.
What should Plesk users do?
- Install the latest Plesk updates and verify the patched Roundcube package state.
- Plesk says it backported the patch to Roundcube 1.6.10 and 1.4.15 builds, so do not rely only on the upstream-looking version string. (Plesk)
- Keep evidence of the Plesk update level, Roundcube package build, and advisory mapping for audit or customer communication.
Why is a webmail RCE more serious than many other authenticated bugs?
- Webmail often sits on the public internet.
- Mailbox credentials are frequently targeted and reused.
- Email contains password resets, internal files, customer data, and operational secrets.
- A post-auth RCE can turn a single compromised mailbox into a potential server compromise path.
- CISA KEV status means remediation should be treated as urgent, not routine. (NVD)
What should I check after patching?
- Confirm the fixed package or source version.
- Check that the validation patch exists or that the vendor advisory confirms a backport.
- Review access logs, PHP errors, authentication logs, forwarding rules, filters, and outbound email behavior.
- Rotate passwords or revoke sessions for accounts with suspicious access.
- Remove emergency WAF rules only after confirming they are no longer needed and are not hiding operational issues.
Closing judgment
CVE-2025-49113 is a good example of why vulnerability priority should combine code facts, deployment reality, and threat intelligence. The code fact is specific: unvalidated _from input in Roundcube’s settings upload path could lead to PHP object deserialization and authenticated RCE in affected versions. The deployment reality is that Roundcube often protects high-value email data and frequently appears on internet-facing webmail portals. The threat-intel fact is that CISA later added the bug to KEV.
The safest action is not complicated. Find every Roundcube instance, determine whether it is upstream, distribution-managed, or panel-managed, verify the fix through package or file evidence, upgrade to a supported security release, review authenticated access logs, and preserve a clean retest record. Treat public exploit code as a risk signal, not as a production test plan.

