Bruno Menozzi aka Zeroc00i

Roundcube RCE CVE-2025-49113

Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization | CVE-2025-48745

Kirill Firsov discovered a post-authentication RCE in Roundcube Webmail (v1.1.0 through the current 1.6.10) that went unnoticed for 10 years and affects over 53 million hosts (and tools like cPanel, Plesk, ISPConfig, DirectAdmin, etc.).

A PoC is not available yet.

[+] https://fearsoff.org/research/roundcube

[Webpage: Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113] PoC demonstration]