CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2025-49113

CVSS 9.9v3.1pub. 2025-06-02upd. 2026-02-23

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

🤖 AI Analysis
How it works

In the file program/actions/settings/upload.php, the _from parameter passed in the URL is not subject to any validation. An attacker can submit a crafted payload that undergoes PHP Object Deserialization, leading to arbitrary code execution on the server side. The attack requires a valid user account in the application but does not require any administrative privileges.

Impact

An attacker can gain full control of the server running Roundcube Webmail — obtaining access to stored data, the ability to modify or permanently delete it, and potentially enabling lateral movement within the internal network.

Mitigation & patch

Roundcube Webmail must be immediately updated to version 1.5.10 or 1.6.11. Patches are available in the project repository (commits: 0376f69, 7408f31, c50a07d). If immediate patching is not possible, it is recommended to restrict access to the Roundcube instance to trusted networks and implement enhanced monitoring of application logs.

Who is affected

Roundcube Webmail versions prior to 1.5.10 and in the 1.6.x branch before 1.6.11, as well as systems based on Debian Linux that distribute these package versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Debian

    OS
    Debian
    11.0
  • Roundcube Webmail

    APP
    Roundcube
    < 1.5.101.6.0 – 1.6.11 (bez)

CISA KEV — detailsi

Vendori
Roundcube
Producti
Webmail
Added to KEVi
February 20, 2026
Remediation deadline (US Federal)i
March 13, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 13 marca 2026
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki

CVE-2025-24813CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych