About Remote Code Execution – Roundcube (CVE-2025-49113) vulnerability. Roundcube is a popular open-source webmail client (IMAP). An authenticated attacker can exploit this vulnerability to execute arbitrary code on the Roundcube Webmail server. The issue is caused by the Deserialization of Untrusted Data (CWE-502).

🔹 On June 1, the vendor released patched versions 1.6.11 and 1.5.10. Within 48 hours, attackers had analyzed the patch, and exploit sale offers began appearing on the dark web.

🔹 On June 3, PT SWARM experts successfully reproduced the vulnerability.

🔹 Since June 5, public exploits have been available on GitHub.

🔹 On June 6, Kirill Firsov, the researcher who reported the vulnerability, published a detailed write-up. He claims the vulnerability existed in the code for 10 years and that it shows signs of exploitation in the wild.

🔹 On June 16, reports emerged of a successful attack on a German email hosting provider using this vulnerability.

На русском

Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.