RoundCube RCE (CVE-2025-49113) Actively Exploited

Severity: Critical
Exploitation Status: Active
Affected Systems: RoundCube Webmail ≤1.6.9 (self-hosted)
Patch Available: Yes (≥1.6.10)
Recommended Action Window: Immediate (internet-facing) / 24h (internal)

Executive Summary (60-Second Read)

CVE-2025-49113 is an unauthenticated remote code execution vulnerability in RoundCube Webmail ≤1.6.9 caused by unsafe PHP object deserialization in the file upload handler. Active exploitation was confirmed within 24 hours of disclosure (Feb 18, 2026), with public PoCs accelerating mass scanning. CISA added it to KEV on Feb 21. Attackers can compromise exposed instances with a single crafted POST request, enabling web shell deployment, credential theft, or ransomware staging. Self-hosted RoundCube users — especially internet-facing — are at high risk. Patch immediately to ≥1.6.10 or apply mitigations. Disable uploads and restrict the endpoint if patching is delayed.

Why This Matters to IT Teams

Is this internet-exposed? Yes — most vulnerable RoundCube instances are public-facing.

Is scanning activity observed? Yes — GreyNoise and Shadowserver reported mass scans within 24 hours of PoC release.

Does this affect common SMB infrastructure? Yes — RoundCube is widely deployed in small businesses, schools, and non-profits — often on shared hosting, cPanel, or Plesk.

Can this lead to ransomware? Yes — web server compromise is a common ransomware initial access vector.

Can this enable credential theft or lateral movement? Yes — attackers can extract mail database credentials, deploy backdoors, and pivot internally.

Exposure Checklist

☐ Are you running RoundCube Webmail?
☐ Is your version below 1.6.10?
☐ Is the service publicly accessible over HTTP/HTTPS?
☐ Is the attachment upload feature enabled? (default)?
☐ Are web server or RoundCube logs monitored for suspicious upload activity?

If 2+ boxes are checked → elevated urgency. Treat as immediate priority.

Exploit Chain Overview

Initial Access Vector: Internet-facing RoundCube instance
Vulnerability Trigger: Crafted multipart POST to upload endpoint
Privilege Escalation: Deserialization executes code as web server user
Persistence: Web shell deployment
Data Exfiltration / Payload Execution: Credential theft, ransomware staging

This chain enables unauthenticated RCE in improperly segmented environments, reducing attacker effort to a single HTTP request.

Attack Flow

Initial Access: Attacker scans for exposed RoundCube instances on ports 80/443
No Authentication Required: Upload endpoint is unauthenticated by default
Code Execution: Deserialization executes attacker-controlled PHP code
Privilege Level: Code runs as web server user (often www-data)
Post-Exploitation: Web shell installed, credentials extracted, pivot possible

1. Vulnerability Overview

Root Cause

Unsafe PHP object deserialization in upload handler
No authentication enforced on /?_task=mail&_action=upload
No class allow-list or input sanitization for serialized metadata

Affected Systems

RoundCube Webmail ≤1.6.9 (self-hosted deployments)
Common on cPanel, Plesk, and manual Linux installs
Internet-facing instances with default configuration

Exposure Conditions

The vulnerability is exploitable when:

RoundCube is publicly accessible
File upload is enabled
No WAF blocks malicious multipart requests
PHP deserialization is unrestricted

2. Technical Breakdown

Root Cause Analysis

This vulnerability stems from:

Failure to enforce authentication on upload endpoint
Unsafe use of unserialize() on user-supplied data
Lack of strict class validation or __wakeup() restrictions

Simplified Exploit Logic

Attacker identifies exposed RoundCube instance
Crafts serialized PHP object with RCE payload
Sends multipart POST to upload endpoint
Server deserializes object → executes injected code

3. Risk Assessment for SMB / Mid-Size

Exploitability

Public PoC available
Does not require credentials
Works against default enterprise configurations

Impact Severity

Full remote code execution
Web shell deployment in seconds
Credential theft from mail database or config files
Ransomware staging possible

Likely Targets

Small-to-medium businesses using self-hosted webmail
Educational institutions and non-profits
Shared hosting customers
MSP-managed environments

4. Mitigation & Recommendations

Immediate Actions

Patch immediately to RoundCube ≥1.6.10
Restrict access to upload endpoint
Disable file upload if not required
Block unauthenticated external access temporarily

If You Cannot Patch Immediately

Restrict webmail access to VPN or IP allowlist
Block multipart POST requests to upload endpoint
Enable enhanced logging
Monitor for new .php files in web directories
Rotate stored mail/database credentials

Hardening Measures

Deploy WAF rules for multipart/form-data inspection
Segment webmail server from internal infrastructure
Enforce least privilege on web server user
Monitor outbound traffic from mail server

Monitoring Guidance

SOC / IT teams should monitor for:

POST requests to /?_task=mail&_action=upload
Serialized object patterns (O: indicators) in logs
New or modified .php files in web root
Unexpected outbound connections from web server
Creation of new admin or mail accounts

ByteVanguard Tactical Assessment

This vulnerability is highly exploitable in internet-facing environments and poses significant risk to unmanaged SMB deployments. The combination of unauthenticated RCE, rapid weaponization, and widespread exposure makes this a priority patch event. Organizations lacking centralized monitoring should treat exposed instances as potentially compromised until verified clean.

Patch Priority Recommendation

🔴 Patch Immediately (internet-exposed)

🟠 Patch Within 24–48h (internal only)

🟢 Schedule in next maintenance cycle (low exposure)

Infrastructure Impact Scope

Cloud hosted? Often patched faster
Shared hosting? High exposure (cPanel/Plesk)
On-prem only? Primary attack surface
Enterprise appliance? Lower risk if segmented

Strategic Outlook

This is part of a larger trend: legacy PHP deserialization flaws continue to enable rapid weaponization. Similar bugs in open-source webmail and upload handlers remain common blind spots in SMB and mid-size environments, especially when deployed via shared hosting or control panels.