Categories: Cyber Security News

Critical 10-Year-Old Roundcube Vulnerability Enables Remote Code Execution

A critical security vulnerability designated CVE-2025-49113 has been discovered in Roundcube Webmail, one of the world’s most widely deployed open-source email clients.

The vulnerability, uncovered by cybersecurity researcher Kirill Firsov, CEO of FearsOff, represents a post-authentication remote code execution (RCE) vulnerability that has remained undetected for nearly a decade, affecting millions of installations worldwide.

Kirill Firsov’s discovery of CVE-2025-49113 is being hailed as one of the most significant security findings in recent history, primarily due to its extensive reach and prolonged existence.

The vulnerability affects Roundcube Webmail versions spanning from 1.1.0 through the current version 1.6.10, representing nearly ten years of unpatched installations across the internet.

The scope of impact is staggering, with over 53 million hosts potentially vulnerable to exploitation. This massive exposure encompasses not only standalone Roundcube installations but also popular web hosting control panels that bundle the email client, including cPanel, Plesk, ISPConfig, and DirectAdmin.

These control panels are ubiquitous in the web hosting industry, meaning the vulnerability’s reach extends far beyond typical email users to include countless web hosting providers and their customers worldwide.

Because the flaw is post-authentication, an attacker needs valid login credentials for the webmail account before it can be exploited.

However, given the prevalence of credential attacks and the widespread use of Roundcube in corporate environments, this requirement may not significantly limit potential exploitation scenarios.

Roundcube Vulnerability

CVE-2025-49113 is a PHP object deserialization vulnerability: a class of flaw in which serialized data under an attacker’s control is turned back into live PHP objects, which can ultimately lead to arbitrary code execution on the target system.

Object deserialization vulnerabilities are particularly dangerous because they can lead to complete system compromise when successfully exploited.

That the flaw survived for nearly a decade without detection underlines how subtle it is, and points to potential gaps in security auditing of widely used open-source software.

The affected version range from 1.1.0 to 1.6.10 encompasses virtually all modern Roundcube installations, as version 1.1.0 was released in 2014.

Web hosting providers and system administrators using popular control panel solutions face particular exposure, as these platforms often integrate Roundcube as their default webmail interface.

The vulnerability affects major hosting control panels including cPanel, which powers millions of websites globally, Plesk, ISPConfig, and DirectAdmin, creating a cascading effect where a single vulnerability impacts multiple layers of the hosting ecosystem.

Remediations

Roundcube developers have responded swiftly to the disclosure by releasing security updates addressing the vulnerability.

Safe versions include Roundcube 1.6.11 and 1.5.10 LTS, both containing fixes for the PHP object deserialization flaw reported by Firsov.

The security team has strongly recommended that all production installations of Roundcube 1.6.x and 1.5.x be updated immediately to these patched versions.

Firsov has followed a coordinated disclosure approach, in line with responsible security research practice: detailed proof-of-concept exploit code and full technical details are being withheld temporarily so that affected parties have sufficient time to apply the patches and updates.

Organizations running affected versions should prioritize immediate updates, particularly those using integrated hosting control panels where Roundcube serves as the primary webmail interface for potentially thousands of users.
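For administrators triaging many installations (hosting panels bundle Roundcube, so a fleet can contain dozens of copies), the following added example, which is not code from the article or from the Roundcube project, decides whether a given version falls in the affected range using only the boundaries the article states. It assumes that Roundcube exposes its version as `define('RCMAIL_VERSION', 'x.y.z');` in `program/include/iniset.php`; the sample file contents are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Boundaries from the article: 1.1.0 through 1.6.10 are affected;
# 1.5.10 LTS and 1.6.11 are the fixed releases on the two maintained branches.
FIRST_AFFECTED: Version = (1, 1, 0)
LAST_AFFECTED: Version = (1, 6, 10)
FIXED_ON_BRANCH = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}

# Assumption (not from the article): the version is defined as
# define('RCMAIL_VERSION', '1.6.10'); in program/include/iniset.php.
VERSION_DEFINE = re.compile(
    r"""define\(\s*['"]RCMAIL_VERSION['"]\s*,\s*['"](\d+(?:\.\d+){0,2})""")


def parse_version(text: str) -> Version:
    """Turn '1.6', '1.6.10' or '1.6.10-git' into a comparable 3-tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)  # pad '1.6' to (1, 6, 0)
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True when the version is inside the affected range and predates its branch fix."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v > LAST_AFFECTED:
        return False  # outside the range the advisory names
    fixed = FIXED_ON_BRANCH.get(v[:2])
    # Branches 1.1 to 1.4 have no fixed release named, so every version there is affected.
    return fixed is None or v < fixed


def extract_version(php_source: str) -> Optional[str]:
    """Pull the RCMAIL_VERSION string out of iniset.php source text."""
    m = VERSION_DEFINE.search(php_source)
    return m.group(1) if m else None


def assess(php_source: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, vulnerable?) for one installation, or (None, None) if not found."""
    ver = extract_version(php_source)
    return (ver, is_vulnerable(ver)) if ver else (None, None)


# Constructed sample of the define line read from an installation's iniset.php.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.10');\n"

if __name__ == "__main__":
    print(assess(SAMPLE_INISET))  # ('1.6.10', True)
```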


The post Critical 10-Year-Old Roundcube Vulnerability Enables Remote Code Execution appeared first on Cyber Security News.
