Critical 10-Year Vulnerability in Roundcube Webmail Allows Code Execution by Authenticated Users

On June 3, 2025, cybersecurity researchers revealed a significant security flaw in Roundcube webmail software, active for a decade, that could enable authenticated users to execute malicious code on vulnerable systems. Classified as CVE-2025-49113, the vulnerability has a CVSS score of 9.9 out of 10, highlighting its severity. It involves post-authentication remote code execution through PHP object deserialization. According to the National Vulnerability Database (NVD), “Roundcube Webmail versions before 1.5.10 and 1.6.x prior to 1.6.11 allow authenticated users to execute remote code due to the lack of validation for the _from parameter in the URL in program/actions/settings/upload.php.” This flaw affects all versions up to and including 1.6.10 but has been patched in versions 1.6.11 and 1.5.10 LTS. The vulnerability was discovered and reported by Kirill Firsov, founder and CEO of FearsOff.

Critical Vulnerability in Roundcube Webmail Exposes Systems to Remote Code Execution

On June 3, 2025, cybersecurity researchers revealed a significant security vulnerability in the Roundcube webmail software, a flaw that has remained undetected for a decade. This vulnerability has the potential to be exploited by authenticated users, compromising affected systems and allowing for the execution of arbitrary code. The security issue, identified as CVE-2025-49113, has been assigned an alarming CVSS score of 9.9 out of 10.0, underscoring its severity.

The vulnerability arises from a lack of validation for the “_from” parameter in a specific URL within the program’s upload settings file, actions/settings/upload.php. This oversight facilitates post-authentication remote code execution through PHP object deserialization, making it particularly concerning as it can be triggered by users who are already authenticated within the system. The flaw affects all versions of Roundcube prior to and including 1.6.10, and it has been rectified in versions 1.6.11 and 1.5.10 LTS.

The implications of such a vulnerability are vast, as any authenticated user could potentially manipulate the underlying systems for malicious purposes. Kirill Firsov, founder and CEO of FearsOff, is credited with discovering this critical flaw, prompting the urgent need for organizations using Roundcube to update their software to secure their environments.

The targeted audience primarily includes organizations that rely on Roundcube for their webmail solutions. While specific organizations are not disclosed, the vulnerability poses risks to any business utilizing this software, and its implications extend across sectors where digital communication is essential.

In terms of potential attack vectors, the MITRE ATT&CK framework provides insights into the tactics that adversaries may exploit in such scenarios. Initial access could be gained through valid credentials, leveraging the authenticated state to execute arbitrary code. Persistence might be established if the vulnerability were used to implant additional malicious payloads or scripts within the compromised environment. Such actions could further escalate privileges and allow attackers to maintain a foothold within the affected systems.

Organizations are urged to review their Roundcube installations critically and ensure that they are operating on the latest secure versions. With cyber threats continually evolving, maintaining updated software and understanding the vulnerabilities inherent in widely-used applications like Roundcube is paramount for safeguarding sensitive information and maintaining operational integrity in today’s digital landscape.

Source link

Related Posts

Urgent Chrome Zero-Day Vulnerability Being Actively Exploited; Google Releases Emergency Patch

June 3, 2025
Browser Security / Vulnerability

On Monday, Google announced emergency fixes for three security vulnerabilities in its Chrome browser, including a critical flaw currently being exploited in the wild. This high-severity issue, tracked as CVE-2025-5419 (CVSS score: 8.8), pertains to an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. According to the National Vulnerability Database (NVD), “Out-of-bounds read and write in V8 in Google Chrome prior to version 137.0.7151.68 allowed remote attackers to potentially exploit heap corruption via a specially crafted HTML page.” The flaw was identified and reported by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG) on May 27, 2025, and was promptly addressed the following day with a configuration update to the Stable version of Chrome across all platforms. As is typical, the advisory provides limited details concerning the…

HPE Releases Security Patch for StoreOnce Vulnerability Allowing Remote Authentication Bypass

June 04, 2025
Vulnerability / DevOps

Hewlett Packard Enterprise (HPE) has issued security updates to address up to eight vulnerabilities in its StoreOnce data backup and deduplication software, which could lead to remote authentication bypass and remote code execution. HPE’s advisory states, “These vulnerabilities could be remotely exploited, enabling remote code execution, information disclosure, server-side request forgery, authentication bypass, arbitrary file deletion, and directory traversal.” Among them is a critical flaw identified as CVE-2025-37093, rated 9.8 on the CVSS scale, which affects all software versions prior to 4.3.11. The vendor was notified of the vulnerability on October 31, 2024. Acknowledging an anonymous researcher for the discovery, the Zero Day Initiative (ZDI) shared insights on the issue…

Critical Cisco ISE Authentication Bypass Vulnerability Threatens Cloud Environments on AWS, Azure, and OCI

June 5, 2025
Network Security / Vulnerability

Cisco has issued security patches for a severe vulnerability affecting its Identity Services Engine (ISE). This flaw, identified as CVE-2025-20286 and rated 9.9 out of 10 on the CVSS scale, could be exploited by unauthenticated attackers to perform harmful actions on vulnerable systems. The vulnerability, categorized as a static credential issue, affects cloud deployments on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco warned that attackers could potentially access sensitive data, perform limited administrative tasks, alter system configurations, or disrupt services in the affected environments. The networking company credited Kentaro Kawane from GMO Cybersecurity for reporting the flaw and acknowledged the presence of a proof-of-concept (PoC) exploit, although no active exploitation has been confirmed.

Two Separate Botnets Target Wazuh Server Vulnerability for Mirai-Based Attacks

June 09, 2025
Wazuh Server Vulnerability

A critical security flaw in the Wazuh Server, now patched, has been exploited by threat actors to deploy two distinct variants of the Mirai botnet for executing distributed denial-of-service (DDoS) attacks. Akamai, which identified these exploitation efforts in late March 2025, reports that the campaign is targeting CVE-2025-24016 (CVSS score: 9.9), a dangerous deserialization vulnerability enabling remote code execution on affected Wazuh servers. This vulnerability impacts all server software versions from 4.4.0 onward and was addressed in February 2025 with the release of version 4.9.1. A proof-of-concept (PoC) exploit became publicly available around the same time. The issue stems from the Wazuh API, where parameters in the DistributedAPI are serialized as JSON and then deserialized using “as_wazuh_object” in the framework/wazuh/core/cluster/common.py file. Malicious actors can exploit this vulnerability by injecting harmful JSON…