Security News

Cybersecurity news aggregator


Nearly 2.5m Roundcube Devices Potentially Vulnerable to RCE


Vulnerability Description

CVE-2025-49113 is a critical vulnerability (CVSS 9.9) affecting Roundcube Webmail versions prior to 1.5.10 and 1.6.x prior to 1.6.11. It allows authenticated attackers to achieve remote code execution (RCE) due to improper input validation of the _from parameter in the program/actions/settings/upload.php endpoint, leading to PHP object deserialization.

[Figure: Example Exposed Roundcube Webmail Host]

Threat Activity

While there is no confirmed evidence of CVE-2025-49113 being actively exploited at the time of writing, CERT Polska has observed exploitation attempts targeting a separate Roundcube vulnerability, CVE-2024-42009, in ongoing spearphishing campaigns. Given that a public proof-of-concept (PoC) for CVE-2025-49113 is available, prompt patching is strongly advised.

Field                                 Details
CVE-ID                                CVE-2025-49113 - CVSS 9.9 (Critical) - assigned by MITRE
Vulnerability Description             Authenticated RCE due to improper input validation of the _from parameter in program/actions/settings/upload.php
Date of Disclosure                    June 1, 2025
Date Reported as Actively Exploited   N/A
Affected Assets                       program/actions/settings/upload.php of Roundcube Webmail fails to validate the _from parameter
Vulnerable Software Versions          Roundcube Webmail versions prior to 1.5.10 and 1.6.x prior to 1.6.11
PoC Available?                        Public exploit code has been published on GitHub.
Exploitation Status                   There is no evidence that this vulnerability is being actively exploited at the time of writing.
Patch Status                          This vulnerability has been patched in versions 1.5.10 and 1.6.11 of Roundcube Webmail.

Censys Perspective

At the time of writing, Censys observed 2,473,116 exposed Roundcube Webmail instances online, nearly all of which expose version information. The versions in the table below were observed most frequently:

Version   Vulnerability Status   Host Count
1.6.10    Vulnerable             1,376,414
1.4.11    Vulnerable               234,905
1.6.9     Vulnerable               208,074
1.4.15    Vulnerable               167,053
1.5.8     Vulnerable                96,080
1.4.8     Vulnerable                46,026
1.6.6     Vulnerable                43,949
1.6.4     Vulnerable                42,407
1.6.8     Vulnerable                42,403
1.6.7     Vulnerable                32,182

The queries below can be used to identify exposed instances of Roundcube Webmail, but those instances are not necessarily vulnerable to the exploit.

Censys Platform Query:
  web.software: (vendor: "roundcube" and product: "webmail")

Censys Legacy Search Query:
  services.software: (vendor="Roundcube" and product="Webmail")

Censys ASM Query:
  host.services.software: (vendor="Roundcube" and product="Webmail") or web_entity.instances.software: (vendor="Roundcube" and product="Webmail")

The query below can be used to find instances of Roundcube Webmail that are vulnerable to the exploit. Please note that this risk was recently deployed and results may take up to 24 hours to fully propagate.

Censys ASM Risk Query:
  risks.name = "Vulnerable Roundcube [CVE-2025-49113]"

[Figure: Map of Exposed Roundcube Webmail Instances]

References

- CVE-2025-49113 NVD Advisory
- CVE-2024-42009 NVD Advisory
- CVE-2025-49113 PoC Exploit Code
- UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign
- 1.5.10 Patch
- 1.6.11 Patch
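As an added example (not code from the Censys advisory or the Roundcube project), the following Python script applies the fixed-version boundaries stated above (1.5.10 and 1.6.11) to the observed-version table and totals the affected hosts; the version strings and host counts are re-typed from that table as constructed sample input.

```python
"""Triage observed Roundcube Webmail versions against the CVE-2025-49113 fix
boundary. Added example; the version/host table below is re-typed from the
advisory as constructed sample input."""
import re
from typing import Dict, List, Tuple

# Fixed versions named in the advisory; anything older on each branch is affected.
FIXED_15 = (1, 5, 10)
FIXED_16 = (1, 6, 11)

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; reject anything else rather than guess."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> bool:
    """True when the version is below the fix for its branch."""
    v = parse_version(text)
    if v[:2] == (1, 6):
        return v < FIXED_16   # 1.6.0 .. 1.6.10 are affected
    return v < FIXED_15       # 1.4.x, 1.5.0 .. 1.5.9 and older are affected


def triage(observed: List[Tuple[str, int]]) -> Dict[str, int]:
    """Sum host counts into 'vulnerable' and 'patched' buckets."""
    totals = {"vulnerable": 0, "patched": 0}
    for version, hosts in observed:
        totals["vulnerable" if is_vulnerable(version) else "patched"] += hosts
    return totals


# Constructed sample input: the ten most-observed versions from the advisory table.
OBSERVED = [
    ("1.6.10", 1_376_414), ("1.4.11", 234_905), ("1.6.9", 208_074),
    ("1.4.15", 167_053), ("1.5.8", 96_080), ("1.4.8", 46_026),
    ("1.6.6", 43_949), ("1.6.4", 42_407), ("1.6.8", 42_403), ("1.6.7", 32_182),
]

if __name__ == "__main__":
    for version, hosts in OBSERVED:
        status = "VULNERABLE" if is_vulnerable(version) else "patched"
        print(f"{version:>7}  {status:10}  {hosts:>9,}")
    print(triage(OBSERVED))  # all ten listed versions predate the fixes
```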
