Hackers exploit critical Roundcube flaw enabling large-scale remote code execution
A critical vulnerability in the open-source Roundcube webmail client, tracked as CVE-2025-49113, allows remote code execution (RCE) for authenticated users. The flaw, rated 9.9 out of 10 in severity, impacts all versions from 1.1.0 to 1.6.10 and remained hidden in the codebase for more than a decade before a patch was issued on June 1, 2025.
Following the patch, attackers quickly reverse-engineered the update, producing a working exploit that appeared for sale on underground forums within days. This vulnerability arises from improper sanitization of the $_GET['_from'] HTTP parameter, making PHP object deserialization possible. The exploit can corrupt sessions when variable names begin with an exclamation mark, which ultimately enables object injection and code execution.
Although attackers need valid Roundcube credentials to use the exploit, credentials may be harvested using brute-force techniques, log access, or cross-site request forgery attacks. Roundcube's wide deployment in hosting environments like GoDaddy, Hostinger, Dreamhost, and OVH, as well as its inclusion in control panels such as cPanel and Plesk, contributes to an estimated 1.2 million exposed online instances. While Kirill Firsov of FearsOff initially discovered and disclosed the issue, ongoing exploitation accelerated the public release of technical information.
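As an added defender-side example (written for this page, not code from the article or from the Roundcube project), the following Python script covers the two triage steps the article implies: deciding whether an installation falls in the affected 1.1.0 to 1.6.10 range, and scanning web-server access logs for requests whose `_from` query parameter begins with an exclamation mark, the session-corruption marker described above. The identifier-style allowlist applied to other `_from` values is a conservative assumption of this example, not Roundcube's own validation, and the log lines and request paths are constructed samples.

```python
"""Defender-side triage for the Roundcube `_from` deserialization issue (CVE-2025-49113).

is_affected_version() checks a version string against the 1.1.0 .. 1.6.10 range
the advisory states; scan_access_log() flags requests whose `_from` parameter
begins with '!' (the session-corruption marker) or fails a strict allowlist.
Every log line below is a constructed sample, not real traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Affected range as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = (1, 1, 0)
AFFECTED_MAX = (1, 6, 10)

# Conservative allowlist for `_from` values. Assumption of this example: the
# legitimate value set is not given on the page, so a simple identifier shape is
# used; anything outside it is reported for review rather than silently accepted.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")

# Apache/nginx "combined" style request line: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    """Turn '1.6.10' (or '1.6.10-rc1') into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in version.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected_version(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def classify_from_value(value: str) -> str:
    """Classify one decoded `_from` value from a request's query string."""
    if value.startswith("!"):
        # Leading '!' is the session-corruption marker described in the advisory.
        return "session-corruption-marker"
    if not SAFE_FROM.match(value):
        return "non-allowlisted"
    return "ok"


def scan_access_log(lines):
    """Return one finding per request whose `_from` value is not 'ok'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m.group("target")
        # parse_qs percent-decodes values, so '%21' arrives here as '!'.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("_from", []):
            verdict = classify_from_value(value)
            if verdict != "ok":
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "target": target, "from": value, "reason": verdict})
    return findings


# Constructed sample log lines (addresses from documentation ranges, paths invented).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2025:10:00:01 +0000] "GET /?_task=settings&_from=edit-identity HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/Jun/2025:10:00:07 +0000] "POST /?_task=settings&_from=%21evil HTTP/1.1" 200 233',
    '198.51.100.9 - - [02/Jun/2025:10:01:13 +0000] "GET /?_task=mail&_from=edit%3Bsomething HTTP/1.1" 200 100',
    '198.51.100.9 - - [02/Jun/2025:10:02:00 +0000] "GET /?_task=mail HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for v in ("1.0.9", "1.1.0", "1.6.10", "1.6.11"):
        print(f"{v}: affected={is_affected_version(v)}")
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Point `scan_access_log` at real access-log lines (one string per line) to hunt for the marker after patching; a hit on the `!` branch from an authenticated session is the signal worth escalating, while `non-allowlisted` hits are for review and may need the allowlist widened to match what the deployment legitimately sends.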
Comments
Yes, that's severe. RoundCube is a project with very low development activity these last years but still many users, and even since Heartbleed more than 10 years ago, no company/association/government really cares much about financing these critical projects. And since a 17-year-old webmail coded in PHP doesn't get interest from many volunteer devs, they couldn't expect that the community would fix all vulnerabilities in real time.