Over 84,000 Roundcube Webmail Servers Exposed to Actively Exploited Remote Code Flaw

Over 84,000 Roundcube webmail servers remain exposed to a critical RCE flaw (CVE-2025-49113) despite a June 2025 patch fixing the vulnerability.

    A critical remote code execution (RCE) vulnerability in Roundcube webmail, tracked as CVE-2025-49113, is exposing over 84,000 internet-facing servers to potential exploitation. Despite a security patch issued on June 1, 2025, the flaw continues to threaten large-scale deployments across hosting providers, government networks, and enterprise systems.

    Vulnerability Originated from Unsafe Input Handling

    The vulnerability affects Roundcube versions 1.1.0 through 1.6.10, dating back more than ten years. It was discovered by security researcher Kirill Firsov, who reported that the flaw stems from improper handling of the $_GET['_from'] parameter.

    Because this input is not sanitized, it can be used to trigger PHP object deserialization and corrupt the session state. The vulnerability becomes exploitable when the session key starts with an exclamation mark. Although exploitation requires authenticated access, attackers have devised multiple ways to get past that barrier.

    As Firsov noted in his disclosure:

    “This bug can be triggered post-authentication, but credentials can be harvested using CSRF, brute-force attacks, or log scraping from compromised systems.”

    Public Exploit Already Circulating in Underground Markets

    Soon after the patch was released, attackers reverse-engineered the update and developed a working exploit. This exploit was quickly advertised and sold on underground forums, accelerating the threat timeline.

    Firsov published technical details on his blog to aid defenders in identifying and mitigating the flaw before widespread abuse could occur.

    Nearly 85,000 Vulnerable Instances Found Online

    According to data from The Shadowserver Foundation, as of June 8, 2025, at least 84,925 Roundcube instances remain vulnerable to CVE-2025-49113. These servers are exposed across multiple industries and geographies, including:

    • United States: 19,500 instances
    • India: 15,500
    • Germany: 13,600
    • France: 3,600
    • Canada: 3,500
    • United Kingdom: 2,400

    Roundcube is commonly used in shared hosting environments such as GoDaddy, Hostinger, and OVH, as well as across government, education, and tech infrastructures. This widespread use significantly enlarges the attack surface available to anyone leveraging this flaw.

    Urgent Patch Available, but Many Systems Remain at Risk

    The Roundcube development team released patched versions 1.6.11 and 1.5.10, which fully address CVE-2025-49113. However, many organizations have yet to apply the fix.

    If immediate patching is not feasible, administrators are advised to:

    • Restrict access to webmail portals
    • Disable file uploads
    • Implement CSRF protection
    • Block risky PHP functions
    • Monitor for known indicators of exploit attempts
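    Two checks a defender can run straight away, as an added example that is not part of the original article: a version test against the affected and patched releases named above, and a scan of web-server access logs for requests whose `_from` parameter begins with the exclamation mark described in the vulnerability section. The log lines and the settings/upload path in them are constructed for the example, and the `!` prefix is used as a heuristic indicator, not a definitive signature.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2025:10:01:02 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Jun/2025:10:01:07 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=%21evil HTTP/1.1" 200 310 "-" "curl/8.0"
198.51.100.2 - - [08/Jun/2025:10:02:11 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_from_values(log_text):
    """Return (ip, timestamp, decoded _from value) for requests whose _from starts with '!'.

    Heuristic only: the article states the bug is triggered when the session key
    starts with an exclamation mark, so a '!'-prefixed _from value is worth a look.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
        for value in params.get("_from", []):
            decoded = unquote(value)  # parse_qs already decoded once; this catches double-encoding
            if decoded.startswith("!"):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


PATCHED = {(1, 6, 11), (1, 5, 10)}  # fixed releases named in the article


def parse_version(version):
    """Parse a plain 'x.y.z' Roundcube version string (assumption: no suffixes like -beta)."""
    return tuple(int(part) for part in version.strip().split(".")[:3])


def is_vulnerable_version(version):
    """True when the version lies in the affected range 1.1.0 .. 1.6.10 and is not a patched release."""
    v = parse_version(version)
    if v in PATCHED:
        return False
    return (1, 1, 0) <= v <= (1, 6, 10)
```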

    Although no mass exploitation campaign has been confirmed so far, security experts consider the flaw high-risk, particularly because authentication bypass techniques and working exploit code are already available.

    System administrators are strongly urged to prioritize patching or implement temporary mitigations to reduce exposure.
