Cybersecurity researchers unnoticed for 10 years, uncovered, have revealed details of critical security flaws in RoundCube Webmail software that can be exploited to carry over the sensitivity system and execute arbitrary code.
Tracked vulnerabilities CVE-2025-49113carry a CVSS score of 9.9 out of 10.0. This is described as an example of prominent remote code execution via the descent of PHP objects.
“The round cube webmail before 1.5.10 and 1.6.x before 1.5.10 and 1.6.x allows remote code execution by authenticated users as the URL’s _FROM parameter is not verified in program/action/settings/upload.php, leading to deregistration of PHP objects,” reads a flaw description in Nist’s National Vulnerability Database (NVD).
The drawbacks that affect all versions of software, including 1.6.10, are addressed in 1.6.11 and 1.5.10 LTS. Kirill Firsov, founder and CEO of Fearsoff, is acknowledged to have discovered and reported the defect.
The Dubai-based cybersecurity company has simply recommended that it intends to “soon” the published technical details and “POCs) to give users plenty of time to apply the necessary patches.
https://www.youtube.com/watch?v=tbktbmjwhjy
The previously disclosed security vulnerabilities in the Round Cube were the favourable targets of nation-state threat actors such as APT28 and Winter Vivern. Last year, Positive Technology revealed that it attempted to exploit a flaw in the Round Cube (CVE-2024-37383) as part of a phishing attack designed to steal user credentials.
Then, a few weeks ago, ESET noted that APT28 exploited cross-site scripting (XSS) vulnerabilities on various webmail servers such as RoundCube, Horde, Mdaemon, and Zimbra to collect sensitive data from specific email accounts belonging to government entities and defense companies in Eastern Europe.
