Article Details
Scrape Timestamp (UTC): 2025-06-09 20:14:37.676
Original Article Text
Over 84,000 Roundcube instances vulnerable to actively exploited flaw

Over 84,000 Roundcube webmail installations are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) flaw with a public exploit. The flaw affects Roundcube versions 1.1.0 through 1.6.10, a range spanning roughly a decade of releases, and was patched on June 1, 2025, after security researcher Kirill Firsov discovered and reported it.

The bug stems from the unsanitized $_GET['_from'] parameter: a value beginning with an exclamation mark corrupts Roundcube's stored session, and the resulting session deserialization allows attacker-controlled PHP objects to be loaded.

Shortly after the patch was released, attackers reverse-engineered it into a working exploit, which they sold on underground forums. Exploiting CVE-2025-49113 requires an authenticated session, but the sellers claim valid credentials can be obtained via CSRF, log scraping, or brute-forcing. Firsov published technical details about the flaw on his blog to help defenders prepare for the exploitation attempts that are very likely to follow.

Massive exposure

Roundcube is widely used in shared hosting (GoDaddy, Hostinger, OVH) and in the government, education, and tech sectors, with over 1,200,000 instances visible online. Threat monitoring platform The Shadowserver Foundation reports that its internet scans found 84,925 Roundcube instances vulnerable to CVE-2025-49113 as of June 8, 2025. Most of these are in the United States (19,500), India (15,500), Germany (13,600), France (3,600), Canada (3,500), and the United Kingdom (2,400).

Given the high likelihood of exploitation and the potential for data theft, this exposure is a significant risk. System administrators are advised to update to version 1.6.11 (or 1.5.10 on the 1.5 branch), which address CVE-2025-49113, as soon as possible. It is unclear whether the flaw is already being used in real attacks, or at what scale, but immediate action is advised nonetheless.
If upgrading is impossible, it is recommended to restrict access to webmail, turn off file uploads, add CSRF protection, block risky PHP functions, and monitor for exploit indicators.
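Two checks that follow from the article, written here as an added example (this is not code from the article, from Roundcube, or from Firsov's write-up): a version test using the affected and fixed versions the article states, and a scan of web-server access logs for requests whose `_from` query parameter starts with an exclamation mark, the condition the article ties to session corruption. The log lines are constructed for the example and assume the common "combined" access-log format; treating any `_from` value containing characters outside `[A-Za-z0-9_-]` as suspicious is an assumption added here, not a rule the article gives.

```python
"""Added example for CVE-2025-49113 (not Roundcube's or the article's code).

is_vulnerable(): affected range 1.1.0 through 1.6.10; fixed in 1.6.11 and 1.5.10
(the versions named in the article).
scan_access_log(): flags requests whose `_from` GET parameter begins with '!'
(per the article) or contains characters outside a conservative allowlist
(assumption added here). Sample log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIRST_AFFECTED = (1, 1, 0)
LAST_AFFECTED = (1, 6, 10)
# First fixed release per branch, from the article. Branches with no entry
# (e.g. 1.4.x) have no fix in the range and are treated as vulnerable.
FIXED = {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)}


def parse_version(text):
    """Turn '1.6.10', 'v1.6.10' or '1.6' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text):
    """True if the given Roundcube version falls in the affected range and is
    below its branch's fixed release."""
    v = parse_version(text)
    if not (FIRST_AFFECTED <= v <= LAST_AFFECTED):
        return False
    fixed = FIXED.get(v[:2])
    return fixed is None or v < fixed


# Combined log format: ip ident user [ts] "METHOD target proto" status ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate `_from` value is a plain identifier.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]*$")


def suspicious_from_values(target):
    """Return `_from` values in a request target that look like session-key
    tampering. parse_qs decodes percent-encoding, so %21 is seen as '!'."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [
        value for value in query.get("_from", [])
        if value.startswith("!") or not SAFE_FROM.match(value)
    ]


def scan_access_log(lines):
    """Yield one finding per request that carries a suspicious `_from` value."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        bad = suspicious_from_values(m["target"])
        if bad:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "target": m["target"],
                "status": int(m["status"]), "values": bad,
            })
    return findings


# Constructed sample lines (addresses and paths are illustrative, not captured traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2025:10:01:02 +0000] "GET /?_task=mail&_action=upload&_id=123&_from=compose&_uploadid=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [08/Jun/2025:10:01:09 +0000] "POST /?_task=mail&_action=upload&_id=123&_from=%21evil&_uploadid=2 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [08/Jun/2025:10:02:00 +0000] "GET /?_task=mail&_action=list&_mbox=INBOX HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Jun/2025:10:02:30 +0000] "GET /?_task=mail&_action=upload&_from=a%7Cb HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ver in ("1.4.13", "1.5.9", "1.5.10", "1.6.10", "1.6.11"):
        print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'patched/out of range'}")
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} _from={f['values']} status={f['status']}")
```

Run it against real logs by replacing SAMPLE_LOG with the lines of your web server's access log; a hit with a 200 status from an authenticated session is worth escalating, while the version check tells you whether the host was exposed at the time of the request.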
Daily Brief Summary
Over 84,000 Roundcube webmail installations are at risk due to the CVE-2025-49113 vulnerability, which enables critical remote code execution.
The flaw affects Roundcube versions 1.1.0 through 1.6.10 and was patched on June 1, 2025.
Attackers have reverse-engineered the patch to create an exploit now being sold on underground forums, even though exploiting the flaw requires user authentication.
Large-scale exposure of the vulnerability was reported, with the United States, India, and Germany having the highest number of vulnerable instances.
The vulnerability was first reported by security researcher Kirill Firsov, who also detailed prevention methods on his blog amid concerns of ongoing attacks.
Recommended immediate actions include updating to the patched releases (1.6.11, or 1.5.10 on the 1.5 branch) or, where that is not possible, applying compensating measures such as access restrictions, disabling uploads, and monitoring for signs of exploitation.