A critical security vulnerability has been discovered in the Roundcube webmail software that could allow authenticated attackers to execute arbitrary code. The flaw, tracked as CVE-2025-49113, has existed for over a decade and affects multiple versions; it is fixed in releases 1.6.11 and 1.5.10 LTS. #Roundcube #CVE2025-49113
Key points
- A decade-long security flaw in Roundcube webmail software exposes systems to remote code execution.
- The vulnerability is due to insecure validation of the _from parameter in upload.php.
- It carries a high CVSS score of 9.9 out of 10.0, indicating critical severity.
- The flaw has been addressed in software versions 1.6.11 and 1.5.10 LTS.
- Past vulnerabilities in Roundcube have been exploited by nation-state threat actors like APT28 and Winter Vivern.
Read More: https://thehackernews.com/2025/06/critical-10-year-old-roundcube-webmail.html
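The actionable fact in this summary is the pair of fixed releases, 1.6.11 on the 1.6 branch and 1.5.10 on the 1.5 LTS branch. The script below is an added example, not code from the article or the Roundcube project: it takes a Roundcube version string (or the `define('RCMAIL_VERSION', ...)` line that I assume lives in program/include/iniset.php; verify the path on your install) and reports whether that install still needs the CVE-2025-49113 update. Two policy choices are assumptions of mine rather than statements from the article: branches older than 1.5 have no fixed release and are treated as affected, and branches newer than 1.6 are treated as post-dating the fix.

```python
"""Patch-status check for CVE-2025-49113 (Roundcube webmail).

Added example; fixed versions are the ones named in the advisory summary.
"""
import re
import sys

# Fixed releases per branch, as stated in the summary: 1.6.11 and 1.5.10 LTS.
FIXED_VERSIONS = {
    (1, 6): (1, 6, 11),
    (1, 5): (1, 5, 10),
}

_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+.][0-9A-Za-z.-]+)?\s*")
# Assumption: Roundcube declares its version as define('RCMAIL_VERSION', '...').
_DEFINE_RE = re.compile(
    r"define\(\s*['\"]RCMAIL_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)


def parse_version(text):
    """Turn '1.6.10' (optionally 'v1.6.10' or '1.6.10-rc1') into (1, 6, 10)."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def extract_version_from_iniset(source):
    """Pull the version string out of the PHP define() line, or return None."""
    m = _DEFINE_RE.search(source)
    return m.group(1) if m else None


def is_vulnerable(version_string):
    """True if this version predates the CVE-2025-49113 fix on its branch."""
    version = parse_version(version_string)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    if branch < (1, 5):
        # Assumption: no fixed release exists for branches older than 1.5 LTS,
        # so anything that old is treated as affected.
        return True
    # Assumption: branches newer than 1.6 were cut after the fix landed.
    return False


def report(version_string):
    """Human-readable verdict for one install; returns the verdict string."""
    version = parse_version(version_string)
    branch = version[:2]
    if is_vulnerable(version_string):
        target = FIXED_VERSIONS.get(branch)
        advice = f"upgrade to {'.'.join(map(str, target))}" if target else \
            "upgrade to a supported branch (1.5.10 LTS or 1.6.11)"
        return f"{version_string}: AFFECTED by CVE-2025-49113, {advice}"
    return f"{version_string}: not affected (fix present)"


if __name__ == "__main__":
    # Usage: python check.py 1.6.10
    #        python check.py < program/include/iniset.php
    if len(sys.argv) > 1:
        print(report(sys.argv[1]))
    else:
        found = extract_version_from_iniset(sys.stdin.read())
        if found is None:
            sys.exit("RCMAIL_VERSION define not found in input")
        print(report(found))
```

Run it against each Roundcube host in an inventory rather than by hand; a version string that parses but falls outside the two fixed branches is exactly the case where the two assumptions above should be checked against the vendor's release notes before trusting the verdict.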