Roundcube CVE-2025-49113

A critical vulnerability has been identified in Roundcube Webmail, affecting all 1.5.x and 1.6.x releases prior to 1.5.10 and 1.6.11 respectively, enabling remote code execution through a PHP deserialization flaw. Attackers with valid credentials can exploit this flaw to execute arbitrary commands, emphasizing the importance of updating to the patched versions. #RoundcubeVulnerability #PHPDeserialization

Keypoints

  • The security flaw affects Roundcube versions 1.5.x and 1.6.x before 1.5.10 and 1.6.11.
  • The vulnerability allows remote code execution through insecure deserialization in upload.php.
  • Attackers with valid login credentials can exploit the flaw to execute arbitrary commands.
  • Exploit code, including a proof of concept, has been published on GitHub for demonstration.
  • Users are advised to update to the patched versions or, as a temporary mitigation, to block access to upload.php.

Read More: https://infosecwriteups.com/roundcube-cve-2025-49113-22ec9ac88bce?source=rss—-7b722bfd1b8d—4