M&S Restores Online Operations, Mexican Education Platform Compromised, Patch Tuesday Insights

Information Security Media Group provides weekly summaries of notable cybersecurity incidents. Recent reports highlight a critical vulnerability affecting over 84,000 Roundcube servers, a breach of a Mexican education platform compromising student data, and the efforts of Dutch authorities to address cybercrime. A federal judge in the U.S. has sentenced a Nigerian hacker involved in identity theft schemes, while Marks & Spencer resumes limited online orders after a cyberattack. In related developments, the UK’s financial regulator has disciplined employees for mishandling sensitive data, a warning has been issued over vulnerabilities in SinoTrack GPS devices, and Microsoft has released its Patch Tuesday updates.
Critical RCE Flaw in Over 84,000 Roundcube Servers
Recent findings have revealed that more than 84,000 Roundcube webmail servers are vulnerable to CVE-2025-49113, a significant remote code execution vulnerability. This flaw impacts versions 1.1.0 to 1.6.10 of Roundcube, which have been deployed for over a decade. The vulnerability is rooted in improperly sanitized input that allows for PHP object deserialization and potential session corruption.
The vulnerability was disclosed by security researcher Kirill Firsov, who also provided detailed information on how to exploit it. Although exploitation requires authentication, attackers may use methods such as cross-site request forgery, brute-force attacks, or log scraping to obtain the necessary credentials. After the patch was released, an exploit was developed and marketed on cybercrime forums.
Roundcube is widely used by shared hosting services such as GoDaddy and by educational and governmental institutions. Scans conducted by Shadowserver found nearly 85,000 vulnerable instances exposed online, primarily in the United States, India, Germany, France, Canada, and the United Kingdom.
Cyberattack Targets Mexican Education Platform
A recent cyber breach has brought to light vulnerabilities within an educational cloud platform serving schools across Mexico, compromising personal data of over one million students. As reported by the online publication Publimetro, the platform, known as Servoescolar, caters to approximately 1,600 educational institutions.
Attackers gained unauthorized access to login information and sensitive personal details, sparking concerns over identity theft and data misuse. The leaked data reportedly includes identifying details and academic records. Authorities are still assessing the full scale of the breach, indicating that the attackers may have had prolonged access prior to detection.
Dutch Police Intervene with Cracked Market Users
The Dutch National Police have initiated actions against 126 individuals linked to the Cracked cybercrime marketplace, following a global operation dubbed “Operation Talent” that aimed to disrupt illicit online activities. After identifying users from the Netherlands, whose average age is 20, police have engaged with these individuals through personalized communication and in-person conversations, emphasizing the implications of their cyber activities.
This approach reflects ongoing concerns regarding youth involvement in cybercrime, as law enforcement aims to highlight the potential long-term impacts of a criminal record, which can severely limit future employment opportunities.
Nigerian National Receives Sentencing in $3M Tax Fraud Case
A U.S. federal judge has sentenced Nigerian citizen Kingsley Uchelue Utulu to 63 months in prison for participating in a cybercrime operation that targeted American tax preparation firms. The group used spear-phishing techniques to infiltrate systems and access sensitive customer data to file fraudulent tax returns, claiming over $8.4 million in refunds.
Utulu’s sentencing includes restitution of $3.68 million. The operation’s structure and tactics illustrate the evolving nature of cyber fraud, necessitating ongoing attention to robust cybersecurity measures in financial services.
M&S Partially Resumes Online Orders Following Cyberattack
British retailer Marks & Spencer has begun to accept limited online orders for select fashion products after recovering from a significant cyberattack that occurred in April. The breach, linked to DragonForce ransomware, resulted in the exposure of customer data, forcing the retailer to reevaluate its cybersecurity frameworks.
Despite estimating a potential $404.7 million hit to operating profits for the coming fiscal year, M&S is working to recover through insurance claims and cost-saving strategies. This incident, among several recent ransomware attacks against retailers in the UK, serves as a stark reminder of the urgent need for enhanced security measures.
Hacked U.S. Grocery Distributor Continues Limited Operations
United Natural Foods, the primary distributor for Whole Foods, has resumed limited shipping operations following a cyberattack that interrupted its systems. CEO James Douglas indicated ongoing disruptions in their ability to fulfill and distribute orders across its extensive network of over 30,000 locations.
Internal communications reveal that employee shortages are already impacting product availability at Whole Foods stores, leading to a careful management of customer interactions regarding the incident. Douglas emphasized the company’s commitment to enhancing security protocols in light of this attack.
Financial Regulator Disciplines Employees for Data Misuse
The UK’s Financial Conduct Authority has taken disciplinary action against four employees for violating internal policies concerning the handling of sensitive data, having sent confidential information to personal email addresses. The regulatory body emphasized the seriousness of these violations and the importance of adhering to protocols designed to protect information security.
This incident has raised awareness about the potential vulnerabilities inherent in data management practices across financial institutions, signaling a need for rigorous training and monitoring protocols to prevent future breaches.
Warnings Issued for Vulnerabilities in GPS Devices from SinoTrack
The U.S. Cybersecurity and Infrastructure Security Agency has flagged security risks associated with SinoTrack GPS trackers, citing vulnerabilities allowing unauthorized access to user locations and control over connected vehicles. These devices, integral to fleet management and security applications, lack essential security patches, raising alarms around the implications for user safety and data privacy.
Given the widespread use of such technology, stakeholders must prioritize security assessments and proper configuration to mitigate potential exploits, underscoring an ongoing challenge in protecting IoT devices from cyber threats.
Microsoft Addresses 66 Vulnerabilities in June Update
This month’s Patch Tuesday from Microsoft addresses a total of 66 vulnerabilities, including two critical zero-day exposures. One of these allows for remote code execution within Windows Web Distributed Authoring and Versioning (WebDAV). Discovered as part of a malicious campaign, this flaw emphasizes the importance of timely updates and vigilance in patch management.
The second zero-day, linked to Windows SMB clients, allows for privilege escalation through a crafted script. Microsoft strongly recommends immediate application of the updates to protect affected systems from malicious actors who might exploit these vulnerabilities.
Additional Reporting from Last Week
Contributions to this report came from Information Security Media Group’s Mathew Schwartz in Scotland and David Perera in Northern Virginia.