# Roundcube Webmail Under Fire: Critical Exploit Found After a Decade
A critical flaw in the popular webmail platform, Roundcube, has been uncovered, leaving users and organizations at significant risk. The vulnerability, tracked as CVE-2025-49113 (CVSS score of 9.9), has gone undetected for over a decade and allows attackers to take control of affected systems and execute arbitrary code.
**The Discovery**
Kirill Firsov, founder and CEO of FearsOff, discovered the critical flaw in Roundcube webmail. "Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization," reads the advisory published by NIST.
In simpler terms, the vulnerability lies in the way Roundcube handles user input from URLs, allowing attackers to inject malicious PHP code that can be executed on the server. This allows an attacker to take control of the system and run arbitrary commands.
**The Impact**
Firsov estimates that the flaw impacts over 53 million hosts, including popular web hosting platforms like cPanel, Plesk, ISPConfig, DirectAdmin, and others. The vulnerability has significant implications for organizations that rely on Roundcube as their webmail platform.
"Details and Proof of Concept (PoC) will be published soon," Firsov warned. Researchers at Positive Technologies have already reproduced CVE-2025-49113 in Roundcube, further confirming the severity of the vulnerability.
**The Threat Landscape**
Roundcube has been repeatedly targeted by advanced threat groups like APT28 and Winter Vivern in the past. Attackers have exploited vulnerabilities in the platform to steal login credentials and spy on sensitive communications.
These campaigns demonstrate how unpatched systems remain a serious risk, especially for high-value targets. The discovery of this critical flaw serves as a reminder that even seemingly secure platforms can be vulnerable to attack if not properly maintained and updated.
**What You Can Do**
Experts urge users to update to the latest version of Roundcube immediately to patch the vulnerability. Don't wait – the longer you delay, the more time attackers have to exploit the flaw.
Stay safe online by staying informed about the latest security threats and vulnerabilities. Follow us on Twitter (@securityaffairs), Facebook, and Mastodon for the latest updates and news from the world of cybersecurity.