CVE-2025-49113 PoC — Roundcube Webmail 安全漏洞

Source

https://github.com/BiiTts/Roundcube-CVE-2025-49113

Associated Vulnerability

Title:Roundcube Webmail 安全漏洞 (CVE-2025-49113)
Description:Roundcube Webmail是Roundcube开源的一款基于浏览器的开源IMAP客户端，它支持地址薄管理、信息搜索、拼写检查等。 Roundcube Webmail 1.5.10之前版本和 1.6.11之前版本存在安全漏洞，该漏洞源于未验证_from参数，可能导致PHP对象反序列化攻击。

Description

Proof-of-concept to CVE-2025-49113

Readme

# Roundcube RCE Exploit (CVE-2025-49113)

A fully functional proof-of-concept exploit for **CVE-2025-49113**

---

## 🧠 Summary

**CVE-2025-49113** is an **The vulnerability is the result of a logic flaw in the application's session parser, which allows insecure deserialization of PHP objects. Authenticated users can exploit this issue to execute arbitrary commands on the server.**

---

## 🔥 Impact

An attacker with **valid credentials** (even low-privileged user accounts) can exploit this flaw to:

- Execute arbitrary system commands.
- Establish reverse shells or deploy persistence.
- Move laterally within the internal network if Roundcube is self-hosted.

---

## 🧩 Vulnerability Details

- **Type:** Insecure Deserialization → Remote Code Execution
- **Component:** PHP backend (mail processing or plugin loading logic)
- **Conditions:** Authenticated session (cookie or login), crafted serialized payload
- **Exploit Primitive:** PHP `unserialize()` with attacker-controlled input and loaded gadgets

---

## ✅ Affected Versions

- **1.5.x:** All versions from `1.5.0` to `1.5.9`
- **1.6.x:** All versions from `1.6.0` to `1.6.10`

> Versions prior to 1.5.0 have not been tested, but are potentially vulnerable if backported plugins or features are present.

---

## ⚙️ Exploit Requirements

- Python ≥ **3.7**
- PHP ≥ **7.4** (used for local payload crafting)
- Python libraries listed in `requirements.txt`

---

## 💻 Setup & Installation

Clone the repository and install the required dependencies:

```bash
git clone https://github.com/BiiTts/Roundcube-CVE-2025-49113.git
cd roundcube-rce-CVE-2025-49113
pip install -r requirements.txt
```

## 🔥 Execute
```bash
python3 roundcube_exploit.py http://roundcube.local/ username password "cmd"
```

## 💻 References

https://fearsoff.org/research/roundcube

https://nvd.nist.gov/vuln/detail/CVE-2025-49113

https://hakaisecurity.io/por-tras-da-falha-erro-de-logica-no-parser-de-sessao-do-roundcube-cve-2025-49113/research-blog/

File Snapshot


 [4.0K]  /data/pocs/9d50afe0ba68d1ccc14c6364a5b0597dfa3d10d4
├── [ 374]  generate_gadget.php
├── [2.0K]  README.md
├── [ 166]  requirements.txt
└── [ 13K]  roundcube_exploit.py

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!