CVE-2025-49113 RoundCube Webmail Deserialization of Untrusted Data Vulnerability


What is CVE-2025-49113?

CVE-2025-49113 is a post-authentication remote code execution risk in Roundcube Webmail caused by unsafe PHP object deserialization. Public reporting and advisory databases describe the root cause as insufficient validation of the _from URL parameter in program/actions/settings/upload.php, which can be abused to reach a PHP Object Deserialization condition. The issue is reachable after login (i.e., the attacker must be authenticated), but the resulting impact can be severe because code execution occurs in the context of the web application. Roundcube shipped fixes in the 1.5 LTS and 1.6 maintenance lines and strongly recommended upgrading production installations.


What is Affected By CVE-2025-49113?

Roundcube Webmail installations on vulnerable 1.5.x or 1.6.x versions are affected, particularly where the settings upload handler is exposed to authenticated users. The affected-version ranges are consistently documented across vendor announcements and vulnerability databases. The vulnerable code path is tied to settings upload handling (including cases where plugins use the same upload endpoint), so environments with many user accounts or less-trusted authenticated users should treat exposure as higher.

Affected versions (vendor/advisory consensus):

  • Roundcube Webmail < 1.5.10 (1.5 LTS line)

  • Roundcube Webmail 1.6.0–1.6.10 (i.e., 1.6.x < 1.6.11)

Mitigation and Remediation For CVE-2025-49113

The primary remediation is to upgrade Roundcube to a fixed release (or newer) and verify any downstream packaging also includes the fix. Roundcube’s security releases 1.5.10 and 1.6.11 include the patch for this issue, and advisory databases align on those patched versions. The upstream fix adds strict validation for the _from parameter (rejecting unexpected characters) and logs a rejection message, which also gives defenders a useful detection signal. In February 2026, the issue was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, which is typically used to prioritize urgent remediation.

Recommended actions:

  • Patch immediately: upgrade to Roundcube 1.5.10+ or 1.6.11+ (or any newer maintained release).

  • Validate the fix is present (especially if using distro/hosting packages): confirm the patched behavior rejects malformed _from input and that your installed version is at/above the fixed releases.

  • Reduce risk from credential-driven exploitation: enforce MFA where possible, harden authentication, and apply rate limiting to reduce brute-force and credential stuffing (important because this is post-auth).

  • Add compensating controls until patching completes: restrict access to webmail (IP allowlisting/VPN), and monitor WAF/proxy logs for requests hitting settings upload endpoints with unusual _from values.

  • Hunt and monitor: look for repeated settings upload activity and error logs indicating rejected _from input after patching (useful for spotting attempted abuse).
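The version check in the second action and the log hunting in the last two can be scripted. The following is an added example written for this write-up, not Roundcube project code: it classifies an installed version against the affected ranges stated above, approximates the patched guardrail with an assumed allow-list of letters, digits, '-' and '_' (the upstream regex may differ), and scans constructed combined-log-style access log lines for settings-upload requests whose _from value falls outside that allow-list, plus clients that hit the endpoint repeatedly.

```python
"""Defender-side helpers for CVE-2025-49113 triage.

Added example for this write-up, not Roundcube project code. Assumptions:
  * affected ranges as stated above (1.5.x below 1.5.10, 1.6.x below 1.6.11);
  * a "plain" _from value holds only letters, digits, '-' and '_' (this
    approximates the upstream allow-list; it is not the project's exact regex);
  * access logs in Apache/nginx combined-log style (constructed sample below).
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# First fixed release per maintenance line, as given in the advisory text above.
FIXED_RELEASE = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}

# Assumed allow-list for _from; anything outside it is treated as a signal.
PLAIN_FROM = re.compile(r"^[A-Za-z0-9_-]+$")

# Combined-log-style line: client ident user [timestamp] "METHOD target proto" status ...
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Return (major, minor, patch) from '1.6.10' or a packaged form like '1.6.10-1ubuntu1'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True inside a documented affected range, False at/above the fix,
    None when the maintenance line is not covered by the ranges above."""
    v = parse_version(version_text)
    fixed = FIXED_RELEASE.get(v[:2])
    return None if fixed is None else v < fixed


def is_plain_from(value):
    """The guardrail the patch enforces, approximated: only [A-Za-z0-9_-], non-empty."""
    return bool(value) and PLAIN_FROM.match(value) is not None


def _settings_uploads(log_lines):
    """Yield (match, decoded query) for every settings-upload request in the log."""
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than guess
        query = parse_qs(urlsplit(m["target"]).query)  # percent-decodes values
        if query.get("_task") == ["settings"] and query.get("_action") == ["upload"]:
            yield m, query


def settings_upload_findings(log_lines):
    """One dict per settings-upload request whose _from is not a plain identifier."""
    findings = []
    for m, query in _settings_uploads(log_lines):
        from_value = query.get("_from", [""])[0]
        if not is_plain_from(from_value):
            findings.append({"client": m["client"], "timestamp": m["ts"],
                             "status": int(m["status"]), "from": from_value})
    return findings


def repeat_uploaders(log_lines, threshold=3):
    """Clients issuing at least `threshold` settings-upload requests: a volume signal."""
    counts = Counter(m["client"] for m, _ in _settings_uploads(log_lines))
    return {client: n for client, n in counts.items() if n >= threshold}


# Constructed sample log (not real traffic): one ordinary upload, two with odd _from
# values, and unrelated mail traffic the scanner must ignore.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:14:03 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2026:10:14:09 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%5Bx%5D HTTP/1.1" 200 218 "-" "curl/8.5.0"
203.0.113.7 - - [12/Feb/2026:10:14:11 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%20x HTTP/1.1" 403 0 "-" "curl/8.5.0"
198.51.100.23 - - [12/Feb/2026:10:15:41 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    for ver in ("1.6.10", "1.6.11", "1.5.9", "1.5.10", "1.4.15"):
        print(f"{ver}: affected={is_affected(ver)}")
    for finding in settings_upload_findings(SAMPLE_LOG):
        print("odd _from:", finding)
    print("repeat uploaders:", repeat_uploaders(SAMPLE_LOG))
```

Run it against your real access log by replacing SAMPLE_LOG with the file's lines. A 200 on a request with a non-plain _from (second sample line) is the more interesting finding on an unpatched host, while a 403 on the same kind of request (third line) is what a patched host, or a WAF rule in front of it, should produce; the volume check is a separate signal and should be read alongside the session owner in Roundcube's own logs rather than on its own.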

Impact of Successful Exploitation of CVE-2025-49113

If exploited, CVE-2025-49113 can enable authenticated attackers to execute code on the Roundcube server, turning a mailbox foothold into broader server compromise. Because exploitation occurs after login, real-world risk often hinges on how easily accounts can be obtained (phishing, password reuse, brute-force, or separate credential-theft paths). Security advisories describe the outcome as remote code execution, which can lead to full compromise of the webmail host depending on server permissions and environment hardening. The addition to the KEV catalog (February 2026) is a strong signal to prioritize remediation and incident review for exposed deployments.

Common consequences include:

  • Arbitrary code execution in the context of the web server / PHP runtime

  • Email data exposure (mailbox contents, address books, session data) and potential credential theft via server-side access

  • Persistence (e.g., webshell-like artifacts, scheduled tasks) if the attacker can write to web-accessible or executable locations

  • Lateral movement into adjacent infrastructure if the host has access to internal services, secrets, or shared storage

Proof of Concept for CVE-2025-49113

A safe “proof” for defenders is to validate the patch behavior—without attempting deserialization gadget chains or code execution. The upstream fix rejects non-simple _from values in the settings upload handler and emits an error message/log entry, so you can test for the presence of that guardrail using an authenticated session. This check is intended for defensive verification in a lab or authorized environment and should not be treated as an exploitation guide. Public technical writeups and exploit code exist, and multiple sources have warned about rapid weaponization after disclosure, so avoid exposing unpatched instances to the internet while testing.

Non-weaponized patch-check idea (authenticated, defensive): attempt an upload request where _from contains disallowed characters (e.g., square brackets). Patched systems should reject it with an invalid input response and log the rejection; vulnerable systems typically won’t enforce this validation.


# Defensive validation example (requires an authenticated session cookie).
# Goal: confirm patched versions REJECT malformed `_from` values.
#
# Replace:
#   $URL       with your Roundcube base URL
#   $COOKIE    with the Cookie header value of an authenticated session
#              (from your own test account)
#   ./test.png with a harmless local file
#
# Note: the request line must be quoted, otherwise the shell treats the `&`
# characters in the query string as job separators. Roundcube's CSRF
# protection may additionally require a valid request token (_token) on
# POST requests; if every request is rejected as an invalid request rather
# than as invalid input, the token rather than the `_from` check is the
# likely cause.

curl -i \
  -H "Cookie: $COOKIE" \
  -F "_file=@./test.png;type=image/png;filename=test.png" \
  "$URL/?_task=settings&_action=upload&_from=edit-identity%5Bbad%5D"


What to look for (defensive signals):

  • Patched behavior: request is rejected and the UI/API indicates invalid input; server logs may include a message that _from contains disallowed characters.

  • Vulnerable behavior: request is not rejected on input-validation grounds (this does not confirm exploitability by itself—it only indicates the guardrail is missing).

If you need deeper validation, use vendor-fixed versions (1.5.10+ / 1.6.11+) as your baseline and compare behavior in a controlled test environment.



Subscribe to WNE Security’s newsletter for the latest cybersecurity best practices, 0-days, and breaking news. Or learn more about “CVE-2025-49113 RoundCube Webmail Deserialization of Untrusted Data Vulnerability”  by clicking the links below
