Vulnerability-Lookup

CVE-2025-49113 (GCVE-0-2025-49113)

Vulnerability from cvelistv5 – Published: 2025-06-02 00:00 – Updated: 2026-02-21 04:56

Summary

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Severity ?

9.9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

mitre

References

URL

Tags

	https://roundcube.net/news/2025/06/01/security-up…
	https://github.com/roundcube/roundcubemail/pull/9865
	https://github.com/roundcube/roundcubemail/releas…
	https://github.com/roundcube/roundcubemail/commit…
	https://github.com/roundcube/roundcubemail/releas…
	https://github.com/roundcube/roundcubemail/commit…
	https://github.com/roundcube/roundcubemail/commit…
	https://fearsoff.org/research/roundcube
	https://www.vicarius.io/vsociety/posts/cve-2025-4…
	https://www.vicarius.io/vsociety/posts/cve-2025-4…

Impacted products

	Vendor	Product	Version
	Roundcube	Webmail	Affected: 0 , < 1.5.10 (semver) Affected: 1.6.0 , < 1.6.11 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49113",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-10T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-02-20",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-21T04:56:23.141Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-02-20T00:00:00.000Z",
            "value": "CVE-2025-49113 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-06-09T03:27:58.478Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/06/02/3"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Webmail",
          "vendor": "Roundcube",
          "versions": [
            {
              "lessThan": "1.5.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.6.11",
              "status": "affected",
              "version": "1.6.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.6.11",
                  "versionStartIncluding": "1.6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T16:09:32.854Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/pull/9865"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.11"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.10"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e"
        },
        {
          "url": "https://fearsoff.org/research/roundcube"
        },
        {
          "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection"
        },
        {
          "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-49113",
    "datePublished": "2025-06-02T00:00:00.000Z",
    "dateReserved": "2025-06-02T00:00:00.000Z",
    "dateUpdated": "2026-02-21T04:56:23.141Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-49113",
      "cwes": "[\"CWE-502\"]",
      "dateAdded": "2026-02-20",
      "dueDate": "2026-03-13",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.6.11 ; https://nvd.nist.gov/vuln/detail/CVE-2025-49113",
      "product": "Webmail",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.",
      "vendorProject": "Roundcube",
      "vulnerabilityName": "RoundCube Webmail Deserialization of Untrusted Data Vulnerability"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/06/02/3\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-06-09T03:27:58.478Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49113\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T20:05:40.853152Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-02-20\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113\"}}}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-02T16:57:10.487Z\"}, \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-20T00:00:00.000Z\", \"value\": \"CVE-2025-49113 added to CISA KEV\"}]}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 9.9, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"Roundcube\", \"product\": \"Webmail\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.5.10\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.6.0\", \"lessThan\": \"1.6.11\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10\"}, {\"url\": \"https://github.com/roundcube/roundcubemail/pull/9865\"}, {\"url\": \"https://github.com/roundcube/roundcubemail/releases/tag/1.6.11\"}, {\"url\": \"https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d\"}, {\"url\": \"https://github.com/roundcube/roundcubemail/releases/tag/1.5.10\"}, {\"url\": \"https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695\"}, {\"url\": \"https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e\"}, {\"url\": \"https://fearsoff.org/research/roundcube\"}, {\"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection\"}, {\"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.5.10\"}, {\"criteria\": \"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.6.11\", \"versionStartIncluding\": \"1.6.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-06-12T16:09:32.854Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-49113\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T23:20:24.017Z\", \"dateReserved\": \"2025-06-02T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-06-02T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CVE-2025-49113

Vulnerability from fstec - Published: 01.06.2025

Title

Уязвимость почтового клиента RoundCube Webmail, связанная с недостатками механизма десериализации при обработке параметра _from, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость почтового клиента RoundCube Webmail связана с недостатками механизма десериализации при обработке параметра _from. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код путем отправки специально сформированного запроса

Severity ?


                    
                      AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Vendor

ООО «Ред Софт», ООО «Юбитех», The RoundCube Team

Software Name

РЕД ОС (запись в едином реестре российских программ №3751), UBLinux (запись в едином реестре российских программ №6874), RoundCube Webmail

Software Version

7.3 (РЕД ОС), до 2405 (UBLinux), до 1.5.10 (RoundCube Webmail), до 1.6.11 (RoundCube Webmail)

Possible Mitigations

Установка обновлений из доверенных источников. В связи со сложившейся обстановкой и введенными санкциями против Российской Федерации рекомендуется устанавливать обновления программного обеспечения только после оценки всех сопутствующих рисков. Компенсирующие меры: - использование межсетевого экрана уровня приложений (WAF) для фильтрации сетевого трафика; - ограничение доступа недоверенных пользователей к программному обеспечению сторонними средствами защиты с использованием технологии белых\черных списков; - использование систем обнаружения и предотвращения вторжений для обнаружения (выявления, регистрации) и реагирования на попытки эксплуатации уязвимостей. Использование рекомендаций: https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 Для РЕД ОС: https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-roundcubemail-cve-2025-49113/?sphrase_id=1087878 Для UBLinux: https://security.ublinux.ru/CVE-2025-49113

Reference

https://fearsoff.org/research/roundcube http://www.openwall.com/lists/oss-security/2025/06/02/3 https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695 https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e https://github.com/roundcube/roundcubemail/pull/9865 https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 https://github.com/roundcube/roundcubemail/releases/tag/1.6.11 https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 https://support.plesk.com/hc/en-us/articles/32537488344343-CVE-2025-49113-Vulnerability-in-Roundcube-on-Plesk-servers https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-roundcubemail-cve-2025-49113/?sphrase_id=1087878 https://t.me/c/1627154862/199874 https://security.ublinux.ru/CVE-2025-49113

CWE

CWE-502

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u041e\u041e\u041e \u00ab\u042e\u0431\u0438\u0442\u0435\u0445\u00bb, The RoundCube Team",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u0434\u043e 2405 (UBLinux), \u0434\u043e 1.5.10 (RoundCube Webmail), \u0434\u043e 1.6.11 (RoundCube Webmail)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432. \u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 (WAF) \u0434\u043b\u044f \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u0442\u0440\u0430\u0444\u0438\u043a\u0430;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u043a \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0438\u043c\u0438 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\u043c\u0438 \u0437\u0430\u0449\u0438\u0442\u044b \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0438 \u0431\u0435\u043b\u044b\u0445\\\u0447\u0435\u0440\u043d\u044b\u0445 \u0441\u043f\u0438\u0441\u043a\u043e\u0432; \n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f (\u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f, \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438) \u0438 \u0440\u0435\u0430\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043d\u0430 \u043f\u043e\u043f\u044b\u0442\u043a\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10\n\n\u0414\u043b\u044f \u0420\u0415\u0414 \u041e\u0421:\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-roundcubemail-cve-2025-49113/?sphrase_id=1087878\n\n\u0414\u043b\u044f UBLinux:\nhttps://security.ublinux.ru/CVE-2025-49113",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "01.06.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "23.09.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.06.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-06366",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-49113",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), UBLinux (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166874), RoundCube Webmail",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u042e\u0431\u0438\u0442\u0435\u0445\u00bb UBLinux \u0434\u043e 2405  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166874)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u043a\u043b\u0438\u0435\u043d\u0442\u0430 RoundCube Webmail, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 _from, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0412\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-502)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u043a\u043b\u0438\u0435\u043d\u0442\u0430 RoundCube Webmail \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 _from. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u0437\u0430\u043f\u0440\u043e\u0441\u0430",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://fearsoff.org/research/roundcube\nhttp://www.openwall.com/lists/oss-security/2025/06/02/3\t\nhttps://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d\t\nhttps://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695\t\nhttps://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e\t\nhttps://github.com/roundcube/roundcubemail/pull/9865\t\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.5.10\t\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.6.11\t\nhttps://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10\nhttps://support.plesk.com/hc/en-us/articles/32537488344343-CVE-2025-49113-Vulnerability-in-Roundcube-on-Plesk-servers\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-roundcubemail-cve-2025-49113/?sphrase_id=1087878\nhttps://t.me/c/1627154862/199874\nhttps://security.ublinux.ru/CVE-2025-49113",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-502",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,9)"
}

CERTFR-2025-AVI-0468

Vulnerability from certfr_avis - Published: 2025-06-02 - Updated: 2025-06-05

Une vulnérabilité a été découverte dans Roundcube Webmail. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Roundcube	Roundcube Webmail	Roundcube Webmail versions 1.5.x antérieures à 1.5.10
	Roundcube	Roundcube Webmail	Roundcube Webmail versions 1.6.x antérieures à 1.6.11

References

Title

Publication Time

Tags

Bulletin de sécurité Roundcube security-updates-1.6.11-and-1.5.10

2025-06-01

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Roundcube Webmail versions 1.5.x ant\u00e9rieures \u00e0 1.5.10",
      "product": {
        "name": "Roundcube Webmail",
        "vendor": {
          "name": "Roundcube",
          "scada": false
        }
      }
    },
    {
      "description": "Roundcube Webmail versions 1.6.x ant\u00e9rieures \u00e0 1.6.11",
      "product": {
        "name": "Roundcube Webmail",
        "vendor": {
          "name": "Roundcube",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-49113",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-49113"
    }
  ],
  "initial_release_date": "2025-06-02T00:00:00",
  "last_revision_date": "2025-06-05T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0468",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-06-02T00:00:00.000000"
    },
    {
      "description": "Ajout de la r\u00e9f\u00e9rence vers la CVE associ\u00e9e",
      "revision_date": "2025-06-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Roundcube Webmail. Elle permet \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.",
  "title": "Vuln\u00e9rabilit\u00e9 dans Roundcube",
  "vendor_advisories": [
    {
      "published_at": "2025-06-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Roundcube security-updates-1.6.11-and-1.5.10",
      "url": "https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10"
    }
  ]
}

CNVD-2025-12609

Vulnerability from cnvd - Published: 2025-06-16

Title

Roundcube Webmail反序列化漏洞

Description

RoundCube Webmail是一款基于浏览器的开源多语言IMAP客户端，采用PHP+Ajax开发，提供类似桌面应用程序的操作界面和完整的邮件管理功能‌。 Roundcube Webmail存在反序列化漏洞，该漏洞源于未对actions/settings/upload.php中的_from参数进行校验所致，攻击者可利用该漏洞导致PHP对象反序列化，进一步获取服务器权限。

Severity

高

Patch Name

Roundcube Webmail反序列化漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网： https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

Reference

http://www.openwall.com/lists/oss-security/2025/06/02/3

Impacted products

Name
['Roundcube webmail Roundcube Webmail <1.5.10', 'Roundcube webmail Roundcube Webmail >=1.6.* ，<1.6.11']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-49113",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-49113"
    }
  },
  "description": "RoundCube Webmail\u662f\u4e00\u6b3e\u57fa\u4e8e\u6d4f\u89c8\u5668\u7684\u5f00\u6e90\u591a\u8bed\u8a00IMAP\u5ba2\u6237\u7aef\uff0c\u91c7\u7528PHP+Ajax\u5f00\u53d1\uff0c\u63d0\u4f9b\u7c7b\u4f3c\u684c\u9762\u5e94\u7528\u7a0b\u5e8f\u7684\u64cd\u4f5c\u754c\u9762\u548c\u5b8c\u6574\u7684\u90ae\u4ef6\u7ba1\u7406\u529f\u80fd\u200c\u3002\n\nRoundcube Webmail\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u5bf9actions/settings/upload.php\u4e2d\u7684_from\u53c2\u6570\u8fdb\u884c\u6821\u9a8c\u6240\u81f4\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4PHP\u5bf9\u8c61\u53cd\u5e8f\u5217\u5316\uff0c\u8fdb\u4e00\u6b65\u83b7\u53d6\u670d\u52a1\u5668\u6743\u9650\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-12609",
  "openTime": "2025-06-16",
  "patchDescription": "RoundCube Webmail\u662f\u4e00\u6b3e\u57fa\u4e8e\u6d4f\u89c8\u5668\u7684\u5f00\u6e90\u591a\u8bed\u8a00IMAP\u5ba2\u6237\u7aef\uff0c\u91c7\u7528PHP+Ajax\u5f00\u53d1\uff0c\u63d0\u4f9b\u7c7b\u4f3c\u684c\u9762\u5e94\u7528\u7a0b\u5e8f\u7684\u64cd\u4f5c\u754c\u9762\u548c\u5b8c\u6574\u7684\u90ae\u4ef6\u7ba1\u7406\u529f\u80fd\u200c\u3002\r\n\r\nRoundcube Webmail\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u5bf9actions/settings/upload.php\u4e2d\u7684_from\u53c2\u6570\u8fdb\u884c\u6821\u9a8c\u6240\u81f4\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4PHP\u5bf9\u8c61\u53cd\u5e8f\u5217\u5316\uff0c\u8fdb\u4e00\u6b65\u83b7\u53d6\u670d\u52a1\u5668\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Roundcube Webmail\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Roundcube webmail Roundcube Webmail \u003c1.5.10",
      "Roundcube webmail Roundcube Webmail \u003e=1.6.* \uff0c\u003c1.6.11"
    ]
  },
  "referenceLink": "http://www.openwall.com/lists/oss-security/2025/06/02/3",
  "serverity": "\u9ad8",
  "submitTime": "2025-06-06",
  "title": "Roundcube Webmail\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e"
}

CERTFR-2025-ALE-008

Vulnerability from certfr_alerte - Published: 2025-06-05 - Updated: 2025-07-21

[Mise à jour du 06 juin 2025]
Une preuve de concept est publiquement disponible.

[Publication initiale]
Le 01 juin 2025, Roundcube a publié des correctifs concernant une vulnérabilité critique affectant son portail de messagerie ainsi que tous les produits l'incluant (par exemple cPanel et Plesk).

Cette vulnérabilité permet à un utilisateur authentifié d'exécuter du code arbitraire à distance.

L'éditeur ne mentionne pas d'identifiant CVE.

Des détails techniques sur cette vulnérabilité ont été publiés avec l'identifiant CVE-2025-49113. Le CERT-FR anticipe la disponibilité imminente de codes d'exploitation et recommande fortement de mettre à jour dans les plus brefs délais au vu du nombre important de produits exposés.

Solutions

Les versions correctives 1.5.10 et 1.6.11 ont été publiées par l'éditeur.

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Roundcube	Roundcube Webmail	Roundcube Webmail versions 1.6.x antérieures à 1.6.11
	Roundcube	Roundcube Webmail	Roundcube Webmail versions antérieures à 1.5.10

References

Title

Publication Time

Tags

Bulletin de sécurité Roundcube security-updates-1.6.11-and-1.5.10	2025-06-01	vendor-advisory
Avis CERT-FR CERTFR-2025-AVI-0468 du 02 juin 2025	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Roundcube Webmail versions 1.6.x ant\u00e9rieures \u00e0 1.6.11",
      "product": {
        "name": "Roundcube Webmail",
        "vendor": {
          "name": "Roundcube",
          "scada": false
        }
      }
    },
    {
      "description": "Roundcube Webmail versions ant\u00e9rieures \u00e0 1.5.10",
      "product": {
        "name": "Roundcube Webmail",
        "vendor": {
          "name": "Roundcube",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "closed_at": "2025-07-21",
  "content": "## Solutions\n\nLes versions correctives 1.5.10 et 1.6.11 ont \u00e9t\u00e9 publi\u00e9es par l\u0027\u00e9diteur.\n\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-49113",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-49113"
    }
  ],
  "initial_release_date": "2025-06-05T00:00:00",
  "last_revision_date": "2025-07-21T00:00:00",
  "links": [
    {
      "title": "Avis CERT-FR CERTFR-2025-AVI-0468 du 02 juin 2025",
      "url": "https://cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-0468/"
    }
  ],
  "reference": "CERTFR-2025-ALE-008",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-06-05T00:00:00.000000"
    },
    {
      "description": "Une preuve de concept est publiquement disponible.",
      "revision_date": "2025-06-06T00:00:00.000000"
    },
    {
      "description": "     Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2025-07-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "\u003cspan class=\"important-content\"\u003e\u003cb\u003e[Mise \u00e0 jour du 06 juin 2025]\u003c/b\u003e\u003c/span\u003e\u003c/br\u003e\nUne preuve de concept est publiquement disponible.\n\n[Publication initiale]\u003c/br\u003e\nLe 01 juin 2025, Roundcube a publi\u00e9 des correctifs concernant une vuln\u00e9rabilit\u00e9 critique affectant son portail de messagerie ainsi que tous les produits l\u0027incluant (par exemple cPanel et Plesk).\n\nCette vuln\u00e9rabilit\u00e9 permet \u00e0 un utilisateur authentifi\u00e9 d\u0027ex\u00e9cuter du code arbitraire \u00e0 distance.\n\nL\u0027\u00e9diteur ne mentionne pas d\u0027identifiant CVE.\n\nDes d\u00e9tails techniques sur cette vuln\u00e9rabilit\u00e9 ont \u00e9t\u00e9 publi\u00e9s avec l\u0027identifiant\u00a0CVE-2025-49113. Le CERT-FR anticipe la disponibilit\u00e9 imminente de codes d\u0027exploitation et recommande fortement de mettre \u00e0 jour dans les plus brefs d\u00e9lais au vu du nombre important de produits expos\u00e9s.",
  "title": "[M\u00e0J] Vuln\u00e9rabilit\u00e9 dans Roundcube",
  "vendor_advisories": [
    {
      "published_at": "2025-06-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Roundcube security-updates-1.6.11-and-1.5.10",
      "url": "https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10"
    }
  ]
}

FKIE_CVE-2025-49113

Vulnerability from fkie_nvd - Published: 2025-06-02 05:15 - Updated: 2026-02-23 13:24

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	https://fearsoff.org/research/roundcube	Third Party Advisory
cve@mitre.org	https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d	Patch
cve@mitre.org	https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695	Patch
cve@mitre.org	https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e	Patch
cve@mitre.org	https://github.com/roundcube/roundcubemail/pull/9865	Issue Tracking
cve@mitre.org	https://github.com/roundcube/roundcubemail/releases/tag/1.5.10	Release Notes
cve@mitre.org	https://github.com/roundcube/roundcubemail/releases/tag/1.6.11	Release Notes
cve@mitre.org	https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10	Vendor Advisory
cve@mitre.org	https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script	Exploit, Mitigation, Third Party Advisory
cve@mitre.org	https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection	Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/06/02/3	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html	Mailing List, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113	US Government Resource

Impacted products

Vendor	Product	Version
roundcube	webmail	*
roundcube	webmail	*
debian	debian_linux	11.0

JSON

To clipboard

{
  "cisaActionDue": "2026-03-13",
  "cisaExploitAdd": "2026-02-20",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "RoundCube Webmail Deserialization of Untrusted Data Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AAD2AF8E-DC67-45E3-ABC2-872B771C88C5",
              "versionEndExcluding": "1.5.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DA16DB4-CE88-4E84-BBD6-2A749FFDA43D",
              "versionEndExcluding": "1.6.11",
              "versionStartIncluding": "1.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization."
    },
    {
      "lang": "es",
      "value": "Roundcube Webmail anterior a 1.5.10 y 1.6.x anterior a 1.6.11 permite la ejecuci\u00f3n remota de c\u00f3digo por parte de usuarios autenticados porque el par\u00e1metro _from en una URL no est\u00e1 validado en program/actions/settings/upload.php, lo que lleva a la deserializaci\u00f3n de objetos PHP."
    }
  ],
  "id": "CVE-2025-49113",
  "lastModified": "2026-02-23T13:24:21.387",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-06-02T05:15:53.420",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://fearsoff.org/research/roundcube"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/roundcube/roundcubemail/pull/9865"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.10"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.11"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/06/02/3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "cve@mitre.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-8J8W-WWQC-X596

Vulnerability from github – Published: 2025-06-02 06:30 – Updated: 2026-02-20 21:48

Summary

Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

Details

Severity ?

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "roundcube/roundcubemail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "roundcube/roundcubemail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-06T22:17:35Z",
    "nvd_published_at": "2025-06-02T05:15:53Z",
    "severity": "CRITICAL"
  },
  "details": "Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.",
  "id": "GHSA-8j8w-wwqc-x596",
  "modified": "2026-02-20T21:48:11Z",
  "published": "2025-06-02T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/pull/9865"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e"
    },
    {
      "type": "WEB",
      "url": "https://fearsoff.org/research/roundcube"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/roundcube/roundcubemail"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.11"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/06/02/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-49113 (GCVE-0-2025-49113)

CVE-2025-49113

CERTFR-2025-AVI-0468

Solutions

CNVD-2025-12609

CERTFR-2025-ALE-008

Solutions

FKIE_CVE-2025-49113

GHSA-8J8W-WWQC-X596

Tags

Sightings

Nomenclature