
A critical vulnerability has been discovered in the widely used Roundcube webmail client—one that had remained undetected for an entire decade. Cataloged as CVE-2025-49113, the flaw received the highest possible CVSS severity score of 9.9. It permits remote code execution by an authenticated user, through the deserialization of crafted PHP objects.
All versions of Roundcube up to and including 1.5.10 and 1.6.10 are affected. The vulnerability arises from the absence of validation for the _from parameter in requests to the upload.php handler within the user preferences section. By supplying a specially crafted value, an attacker can trigger the deserialization of a malicious object, ultimately leading to arbitrary code execution on the server in the context of the web application.
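The defensive pattern at stake, as an added illustration that is not Roundcube's code and does not reproduce its actual code path: a hypothetical upload handler in which a request parameter reaches a PHP deserialization sink unvalidated, beside a hardened form that allowlists the parameter and refuses object creation on restore. The handler names, the allowlist values and the restore_state helper are all assumptions made for the example.

```php
<?php
// Added illustrative example, not Roundcube's code. Shows the risky pattern
// (an unvalidated request parameter reaching unserialize()) next to the
// hardened form. All function names and allowed values are hypothetical.

declare(strict_types=1);

// Unsafe pattern (do not use): the _from parameter is trusted as-is.
function handle_upload_unsafe(array $request): array
{
    $from = $request['_from'] ?? '';
    // Attacker-controlled data in unserialize() can instantiate arbitrary
    // classes, and their magic methods (__wakeup, __destruct) then execute.
    $state = unserialize($from);
    return ['source' => $state];
}

// Hardened form: validate the parameter against a strict allowlist before it
// is used for anything, and never pass it to a deserializer at all.
function handle_upload_safe(array $request): array
{
    $allowed = ['identity', 'compose', 'settings']; // hypothetical values
    $from = $request['_from'] ?? '';

    // Query-string values may arrive as arrays, so check the type first.
    if (!is_string($from) || !in_array($from, $allowed, true)) {
        http_response_code(400);
        return ['error' => 'invalid _from parameter'];
    }
    return ['source' => $from];
}

// Where persisted state must be restored, forbid object creation explicitly;
// anything that is not a plain array is discarded.
function restore_state(string $blob): array
{
    $state = @unserialize($blob, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}
```

With allowed_classes set to false, serialized objects come back as __PHP_Incomplete_Class instances and no application class is instantiated; storing such state as JSON avoids the question entirely.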
The vulnerability was reported by Kirill Firsov, founder of the Dubai-based cybersecurity firm FearsOff. Firsov was responsible for identifying and analyzing the issue, and promptly alerted the developers to the need for a fix. Patches have since been released in versions 1.6.11 and the long-term support edition 1.5.10 LTS. FearsOff has pledged to release detailed technical documentation and a proof-of-concept exploit once a sufficient number of users have applied the updates.
The history of vulnerabilities in Roundcube reveals that it has long been a favored target of cyber-espionage actors. Previously, it was reported that groups such as APT28 and Winter Vivern actively exploited similar weaknesses. In 2024, Positive Technologies documented a phishing campaign that leveraged a separate Roundcube vulnerability (CVE-2024-37383) to steal user credentials.
More recently, ESET published findings showing that APT28 exploited XSS vulnerabilities in Roundcube, as well as in other webmail platforms including Horde, MDaemon, and Zimbra, to infiltrate the internal communications of governmental agencies and defense contractors in Eastern Europe. Such attacks become especially perilous when they succeed in breaching corporate infrastructure via vulnerabilities in user-facing components.
The discovery of such a dangerous flaw a full decade after its inception underscores the immense difficulty of achieving comprehensive security—even in mature and extensively vetted software. In an era where these tools are widely deployed across government entities, any delay in patching can have tangible and potentially severe consequences.