Full Report
Vulnerability impacting Roundcube Webmail – CVE-2025-49113 – Update 1
Analysis Summary
# Vulnerability: Post-Auth RCE in Roundcube Webmail
## CVE Details
- **CVE ID:** CVE-2025-49113 (Primary), CVE-2024-42009 (Related credential theft)
- **CVSS Score:** Critical (Numerical score not specified in text, but listed as "Critical")
- **CWE:** PHP Object Deserialization
## Affected Systems
- **Products:** Roundcube Webmail
- **Versions:**
- Versions prior to 1.5.10
- Versions prior to 1.6.11
- **Configurations:** Systems where an attacker can obtain valid credentials (often via chaining CVE-2024-42009).
## Vulnerability Description
CVE-2025-49113 is a Post-Authentication Remote Code Execution (RCE) vulnerability stemming from insecure PHP Object Deserialization. An authenticated attacker can leverage this flaw to execute arbitrary code on the underlying server. Notably, this is often chained with CVE-2024-42009, which allows attackers to steal the valid user credentials required to reach the vulnerable post-auth state.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV on February 20, 2026; PoC available)
- **Complexity:** Low (Given the availability of a PoC and active exploitation)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full server access/data theft)
- **Integrity:** High (Ability to modify webmail data and system files)
- **Availability:** High (Potential for full system takeover or service disruption)
## Remediation
### Patches
The Cyber Centre recommends upgrading to the following versions to ensure full mitigation of both CVEs:
- **Roundcube Webmail 1.6.17**
- **Roundcube Webmail 1.7.2**
*(Minimum security versions: 1.5.10 or 1.6.11)*
### Workarounds
- Implement strict rate-limiting to prevent brute-force credential harvesting.
- Use multi-factor authentication (MFA) to mitigate the impact of stolen credentials.
## Detection
- **Indicators of Compromise:** Monitor for unusual PHP execution patterns or suspicious files in the webroot. Review logs for exploitation of CVE-2024-42009 (credential theft attempts).
- **Detection methods and tools:** Monitor for brute-force login attempts and review CISA KEV entries for updated behavioral markers.
## References
- Roundcube Security Bulletin: hxxps[://]roundcube[.]net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
- CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Canadian Centre for Cyber Security Alert: AL25-007
- NVD Detail: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2025-49113