⚠ Actively exploited
Added to CISA KEV on 2026-02-20. Federal agencies required to patch by 2026-03-13. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-49113: Deserialization of Untrusted Data in Webmail

Severity
NVD: 8.8 HIGH
CNA: 9.9
VulnCheck: 9.9

EPSS
91.2% (top 0.35% of all scored CVEs)

CISA KEV
Listed. Added 2026-02-20, due 2026-03-13.

Exploit
PoC available: a public exploit / PoC exists.

Timeline
Published: Jun 2, 2025
KEV added: Feb 20, 2026
KEV due: Mar 13, 2026

Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

Source       Package                   Introduced   Fixed     Other ranges
CVEList V5   roundcube/webmail         1.6.0        1.6.11    +1
NVD          roundcube/webmail         1.6.0        1.6.11    +1
Packagist    roundcube/roundcubemail   1.6.0        1.6.11    +1

Also affects: Debian Linux 11.0
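Two things a responder wants from the Description and the Affected Packages table above: a check of whether a deployed Roundcube version falls in the affected ranges the page lists (before 1.5.10, and 1.6.x before 1.6.11), and a hunt over web-server access logs for requests that reached the settings upload action (program/actions/settings/upload.php) carrying a `_from` value that is not of the expected shape, since that unvalidated parameter is what the Description names as the deserialization trigger. The script below is an added example, not Roundcube code and not from this page; it assumes the Apache/nginx combined log format, assumes legitimate `_from` values look like `add-<name>` / `edit-<name>` (for example `edit-identity`), and runs on constructed sample log lines.

```python
"""Triage helpers for CVE-2025-49113. Added example, not Roundcube code.

  1. is_affected_version(): is a Roundcube version inside the ranges this
     page lists (< 1.5.10, and 1.6.x < 1.6.11)?
  2. suspicious_upload_requests(): which access-log requests reached
     _task=settings&_action=upload (program/actions/settings/upload.php)
     with a `_from` value outside the expected form-identifier shape?
"""
import re
from urllib.parse import parse_qs, urlsplit

# First fixed version per branch, as listed on this page.
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}


def parse_version(v: str) -> tuple:
    """'1.6.10' or '1.6.10-rc1' -> (1, 6, 10); rejects anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(v: str) -> bool:
    ver = parse_version(v)
    if ver[:2] in FIXED:
        return ver < FIXED[ver[:2]]
    # "before 1.5.10" also covers every older branch (1.4.x and earlier);
    # branches newer than 1.6 are outside the ranges given on the page.
    return ver < (1, 5, 0)


# Assumption: legitimate `_from` values are form identifiers of the shape
# "add-<name>" / "edit-<name>". Any other value reaching upload.php is the
# unvalidated input the CVE description names.
EXPECTED_FROM = re.compile(r"^(add|edit)-[a-z]+$")

# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def suspicious_upload_requests(lines):
    """Return (ip, timestamp, decoded _from, status) for every request to
    _task=settings&_action=upload whose _from does not match EXPECTED_FROM.
    Requests with no _from in the query string are not reported: a value
    sent only in a POST body is not visible in the access log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["url"]).query)   # percent-decodes values
        if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
            continue
        for value in qs.get("_from", []):
            if not EXPECTED_FROM.match(value):
                hits.append((m["ip"], m["ts"], value, m["status"]))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2025:10:01:12 +0000] "POST /roundcube/?_task=settings'
    '&_action=upload&_from=edit-identity&_id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Jun/2025:10:02:40 +0000] "POST /roundcube/?_task=settings'
    '&_action=upload&_from=edit-identity%3Bx HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Jun/2025:10:03:01 +0000] "GET /roundcube/?_task=mail'
    '&_action=list HTTP/1.1" 200 2048',
    '198.51.100.7 - - [03/Jun/2025:10:03:22 +0000] "POST /roundcube/?_task=settings'
    '&_action=upload&_from=add-identity%27%29 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for v in ("1.5.9", "1.5.10", "1.6.10", "1.6.11"):
        print(v, "affected" if is_affected_version(v) else "fixed")
    for hit in suspicious_upload_requests(SAMPLE_LOG):
        print("suspicious _from:", hit)
```

Because the bug is post-authentication, every hit corresponds to a logged-in mailbox: pair the source IP and timestamp with the IMAP/webmail authentication log to identify which account was used, and treat a hit on an instance still running an affected version as a likely compromise rather than a scan.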

Patches

🔴 Vulnerability Details (5)

OSV: CVE-2025-49113: Roundcube Webmail before 1... (2025-06-02)
CVEList: CVE-2025-49113: Roundcube Webmail before 1... (2025-06-02)
OSV: Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization (2025-06-02)
GHSA: Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization (2025-06-02)
VulnCheck: RoundCube Webmail Deserialization of Untrusted Data Vulnerability (2025)

💥 Exploits & PoCs (2)

Exploit-DB: Roundcube 1.6.10 - Remote Code Execution (RCE) (2025-06-13)
Nuclei: Roundcube Webmail - Remote Code Execution

🔍 Detection Rules (1)

Suricata: ET WEB_SPECIFIC_APPS Roundcube Post-Auth RCE via PHP Object Deserialization (CVE-2025-49113) (2025-07-14)

📋 Vendor Advisories (4)

CISA: RoundCube Webmail Deserialization of Untrusted Data Vulnerability (2026-02-20)
Ubuntu: Roundcube vulnerability (2025-06-19)
Red Hat: roundcubemail: Remote Code Execution in Roundcube via Unvalidated _from Parameter (2025-06-02)
Debian: CVE-2025-49113: roundcube - Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execu... (2025)

🕵️ Threat Intelligence (13)

Securelist: Exploits and vulnerabilities in Q2 2025 (2025-08-27)
Bleepingcomputer: Over 84,000 Roundcube instances vulnerable to actively exploited flaw (2025-06-09)
Bleepingcomputer: Hacker selling critical Roundcube webmail exploit as tech info disclosed (2025-06-05)
Trendmicro: Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit (2025-01-09)
Trendmicro: Information Stealer Pretends to be LDAPNightmare (CVE-2024-49113) PoC Exploit (2025-01-09)
CVE-2025-49113 — Deserialization of Untrusted Data | cvebase