Over 84,000 Roundcube instances vulnerable to actively exploited flaw

Malcontent · Jun 9, 2025

Over 84,000 Roundcube instances vulnerable to actively exploited flaw

The flaw, which impacts Roundcube versions 1.1.0 through 1.6.10, spanning over a decade, was patched on June 1, 2025, following its discovery and reporting by security researcher Kirill Firsov.

The bug stems from unsanitized $_GET['_from'] input, enabling PHP object deserialization and session corruption when session keys begin with an exclamation mark.

Shortly after the patch was released, hackers reverse-engineered it to develop a working exploit, which they sold on underground forums.

Though the exploitation of CVE-2025-49113 requires authentication, attackers claim that valid credentials can be obtained via CSRF, log scraping, or brute-forced.
Click to expand...

Log in or Sign up

Over 84,000 Roundcube instances vulnerable to actively exploited flaw

Malcontent Registered Member

Log in or Sign up

Over 84,000 Roundcube instances vulnerable to actively exploited flaw

Malcontent Registered Member

Useful Searches