Over 84,000 Roundcube webmail installations are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) flaw with a public exploit. The flaw, which affects Roundcube versions 1.1.0 through 1.6.10, was patched on June 1, 2025. Hackers reverse-engineered the patch to develop a working exploit, which is sold on underground forums. The vulnerability stems from unsanitized $_GET['_from'] input, which enables PHP object deserialization and session corruption. Although exploitation requires authentication, attackers claim valid credentials can be obtained via CSRF, log scraping, or brute-forcing. The high likelihood of exploitation and the potential for data theft make these exposed instances a significant cybersecurity risk.
TPRM report: https://scoringcyber.rankiteo.com/company/roundcubedoo
"id": "rou300060925",
"linkid": "roundcubedoo",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
                        'location': ['United States',
                                     'India',
                                     'Germany',
                                     'France',
                                     'Canada',
                                     'United Kingdom'],
                        'name': 'Roundcube',
                        'type': 'Software'}],
 'attack_vector': "Unsanitized $_GET['_from'] input enabling PHP object "
                  'deserialization and session corruption',
 'date_detected': '2025-06-01',
 'date_publicly_disclosed': '2025-06-01',
 'description': 'Over 84,000 Roundcube webmail installations are vulnerable to '
                'CVE-2025-49113, a critical remote code execution (RCE) flaw '
                'with a public exploit.',
 'impact': {'systems_affected': ['Roundcube webmail installations']},
 'initial_access_broker': {'entry_point': "Unsanitized $_GET['_from'] input"},
 'motivation': 'Data theft',
 'post_incident_analysis': {'root_causes': "Unsanitized $_GET['_from'] input "
                                           'enabling PHP object '
                                           'deserialization and session '
                                           'corruption'},
 'recommendations': ['Update to version 1.6.11 and 1.5.10',
                     'Restrict access to webmail',
                     'Turn off file uploads',
                     'Add CSRF protection',
                     'Block risky PHP functions',
                     'Monitor for exploit indicators'],
 'references': [{'date_accessed': '2025-06-08',
                 'source': 'The Shadowserver Foundation'}],
 'response': {'containment_measures': ['Update to version 1.6.11 and 1.5.10',
                                       'Restrict access to webmail',
                                       'Turn off file uploads',
                                       'Add CSRF protection',
                                       'Block risky PHP functions',
                                       'Monitor for exploit indicators']},
 'threat_actor': 'Unknown hackers',
 'title': 'Critical RCE Flaw in Roundcube Webmail (CVE-2025-49113)',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2025-49113'}