https://fearsoff.org/research/roundcube
More than 84,000 Roundcube webmail installations worldwide remain vulnerable to CVE-2025-49113, a critical remote code execution flaw that affects versions spanning over a decade and has already been exploited by cybercriminals who developed working exploits shortly after the patch was released. The vulnerability, discovered by security researcher Kirill Firsov, impacts Roundcube versions 1.1.0 through 1.6.10 and was patched on June 1, 2025, but the slow adoption of security updates has left tens of thousands of instances exposed to active exploitation attempts.
The flaw stems from unsanitized input in the $_GET[‘_from’] parameter that enables PHP object deserialization and session corruption when session keys begin with an exclamation mark. While the vulnerability requires authentication to exploit, attackers have claimed they can obtain valid credentials through various methods including cross-site request forgery attacks, log scraping, or brute force attempts. The technical details of the vulnerability have been publicly disclosed, and hackers quickly reverse-engineered the patch to create exploits that are being sold on underground forums, significantly increasing the risk of widespread attacks.
According to The Shadowserver Foundation’s internet scanning data, the 84,925 vulnerable instances are distributed globally with the highest concentrations in the United States with 19,500 vulnerable installations, followed by India with 15,500, Germany with 13,600, France with 3,600, Canada with 3,500, and the United Kingdom with 2,400. The widespread deployment of Roundcube across shared hosting providers like GoDaddy, Hostinger, and OVH, as well as in government, education, and technology sectors, amplifies the potential impact of successful exploitation attempts.
System administrators are strongly urged to immediately update to patched versions 1.6.11 or 1.5.10 to address the vulnerability. For organizations unable to upgrade immediately, security experts recommend implementing temporary mitigation measures including restricting webmail access, disabling file uploads, adding cross-site request forgery protection, blocking risky PHP functions, and monitoring for indicators of exploitation attempts. The combination of public exploit availability, widespread vulnerable installations, and the critical nature of the flaw makes this a high-priority security issue requiring immediate attention from webmail administrators worldwide.