CVE-2025-49113# CVE‑2025‑49113 – Post‑Auth Remote Code Execution in Roundcube via PHP Object Deserialization 🚨
# 🔔 Description:
Roundcube Webmail before `1.5.10` and `1.6.x` before `1.6.11` allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
# 👾 Metrics:
+ CVE ID: CVE-2025-49113
+ Severity: Critical
+ CVSS Score: 9.9 ⚫ (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
+ EPSS Score: 0.00661
+ EPSS Percentile: %70 (Likely to be exploited)
+ Published: June 1, 2025
+ Affected Versions: All versions prior to 1.5.10, 1.6.11
+ Patched Versions: `1.5.10`, `1.6.11`
# 🐳 Quick Installation (via Docker):
This will install Ubuntu `24.04`, Roundcube, and all necessary dependencies inside a Docker container:
```
docker run --name ubuntu24 \
-p 9876:80 \
-v "$PWD/install.sh":/root/install.sh \
-it ubuntu:24.04 \
bash -c "chmod +x /root/install.sh && /root/install.sh && exec bash"
```
🛑 Note: Use only in isolated environments. Do not expose vulnerable instances to the public internet.
# ⚠️ Disclaimer:
This proof-of-concept code is provided for educational and research purposes only. The author and contributors assume no responsibility for any misuse or damage resulting from the use of this code. Unauthorized use on systems you do not own or have explicit permission to test is illegal and strictly prohibited.
# 🚨 Run:
Make sure you have php installed on the system
```
php CVE-2025-49113.php http://127.0.0.1:9876/ roundcube fearsoff.org "cat /etc/passwd > /tmp/pwned"
```
# 🛡️ Mitigation:
If you're running Roundcube ≤ 1.6.10, update to the latest patched version immediately to eliminate this vulnerability.
[4.0K] /data/pocs/21be41049e1cf6e63e04dab2c4654fd2c654079e
├── [ 10K] CVE-2025-49113.php
├── [4.6K] install.sh
├── [1.8K] README.md
└── [1.2K] template.yaml
0 directories, 4 files