A severe vulnerability in the Roundcube webmail application, tracked as CVE-2025-49113, has been exploited and is now being sold by hackers shortly after a fix was issued on June 1.
The flaw, which allows post-authentication remote code execution, affects versions 1.1.0 to 1.6.10 and has existed unnoticed for over ten years. Cybersecurity expert Kirill Firsov publicly disclosed the technical details after discovering that the exploit was already being traded on underground forums.
The vulnerability stems from improper handling of the $_GET['_from'] parameter, which can lead to PHP object deserialization and session corruption. Although the exploit requires a valid login, attackers claim credentials can be obtained through brute force, logs, or CSRF attacks.
Roundcube is widely used by major hosting services and institutions, making the potential impact significant—Firsov even describes it as "email armageddon." Given its widespread presence, security researchers urge immediate patching to prevent large-scale exploitation.
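The first thing an administrator needs from this advisory is to know whether a given install falls in the affected range (1.1.0 through 1.6.10). The following added script is not from the article or the Roundcube project; it assumes the version string is read from the `RCMAIL_VERSION` define in `program/include/iniset.php` (a hypothetical file location for this example) and compares it against the range quoted above.

```python
import re

# Affected range stated in the advisory, inclusive on both ends.
FIRST_AFFECTED = (1, 1, 0)
LAST_AFFECTED = (1, 6, 10)

def parse_version(version: str) -> tuple:
    """Turn '1.6.10' or '1.6.10-git' into (1, 6, 10); ignore suffixes."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))

def is_vulnerable(version: str) -> bool:
    """True if the install is within the CVE-2025-49113 affected range."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED

# Assumed define format; RCMAIL_VERSION is how Roundcube names its version constant.
_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

def version_from_iniset(source: str) -> str:
    """Extract the version string from the contents of iniset.php."""
    m = _DEFINE_RE.search(source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)

# Constructed sample of the relevant line, not a real file dump.
SAMPLE_INISET = "<?php\ndefine('RCMAIL_VERSION', '1.6.10');\n"

def check_install(iniset_source: str) -> dict:
    """Report the detected version and whether it needs the June 1 fix."""
    v = version_from_iniset(iniset_source)
    return {"version": v, "vulnerable": is_vulnerable(v)}

if __name__ == "__main__":
    print(check_install(SAMPLE_INISET))
```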