Over 80,000 servers hit as Roundcube RCE bug gets rapidly exploited

A critical remote code execution (RCE) vulnerability in Roundcube was exploited within days of the patch being released, impacting over 80,000 servers.

Threat actors exploited a critical remote code execution (RCE) flaw in Roundcube, tracked as CVE-2025-49113, just days after the patch was released, targeting over 80,000 servers.

Roundcube is a popular webmail platform and has been repeatedly targeted by advanced threat groups like APT28 and Winter Vivern. In the past, attackers exploited these vulnerabilities to steal login credentials and spy on sensitive communications. These campaigns show how unpatched systems remain at serious risk, especially for high-value targets.

Last week, the critical flaw CVE-2025-49113 (CVSS score of 9.9) was discovered after it had gone unnoticed for over a decade. An attacker can exploit the flaw to take control of affected systems and run malicious code, putting users and organizations at significant risk. Kirill Firsov, founder and CEO of FearsOff, discovered the vulnerability.

“Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization,” reads the advisory published by NIST.

The vulnerability has been addressed in 1.6.11 and 1.5.10 LTS.
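Because the advisory only states the fixed releases, a defender's first job is to map an inventory of webmail hosts onto those ranges. The following is an added example (not code from the article or from the Roundcube project) that triages constructed host/version pairs against the 1.5.10 and 1.6.11 boundaries quoted above; hostnames and versions are made up, and releases outside the quoted ranges are reported separately rather than assumed safe.

```python
"""Added example: triage a Roundcube inventory against the CVE-2025-49113 fix
versions quoted in the advisory (before 1.5.10, and 1.6.x before 1.6.11)."""
import re

FIXED_15 = (1, 5, 10)   # 1.5.10 LTS fixes the 1.5 branch and everything older
FIXED_16 = (1, 6, 11)   # 1.6.11 fixes the 1.6 branch
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch'; trailing suffixes like '-rc1' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'outside advisory range'."""
    v = parse_version(version)
    if v[:2] == (1, 6):
        return "patched" if v >= FIXED_16 else "vulnerable"
    if v < FIXED_15:
        return "vulnerable"       # 1.5.0-1.5.9 and every older branch
    if v[:2] == (1, 5):
        return "patched"          # 1.5.10 and later LTS releases
    # Anything newer (e.g. a 1.7 development build) is not covered by the
    # advisory text, so report it separately instead of assuming it is safe.
    return "outside advisory range"


def triage(inventory: list) -> list:
    """Annotate (host, version) pairs; unparsable versions are flagged, not skipped."""
    results = []
    for host, version in inventory:
        try:
            results.append((host, version, assess(version)))
        except ValueError:
            results.append((host, version, "unknown version"))
    return results


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("mail-a.example.test", "1.6.10"), ("mail-b.example.test", "1.6.11"),
    ("mail-c.example.test", "1.5.9"), ("mail-d.example.test", "1.5.10"),
    ("mail-e.example.test", "1.4.15"), ("mail-f.example.test", "1.7.0-beta"),
    ("mail-g.example.test", "unknown"),
]

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:22} {version:12} {verdict}")
```

Feed it the output of whatever inventory tool you already have (package manager queries, the version string from each install's release notes) and prioritise the hosts marked vulnerable.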

Firsov estimates that the flaw impacts over 53 million hosts (including deployments bundled with tools like cPanel, Plesk, ISPConfig, DirectAdmin, etc.), and he said that details and a PoC will be published soon.

After the disclosure of the flaw, researchers at Positive Technologies announced that they had reproduced CVE-2025-49113 in Roundcube. The experts urge users to update to the latest version of Roundcube immediately.

Researchers at the Shadowserver Foundation warned that roughly 84,000 Roundcube instances exposed on the Internet are still unpatched.

At this time, Shadowserver data shows more than 84,000 Internet-facing servers are vulnerable.

Pierluigi Paganini

(SecurityAffairs – hacking, Roundcube)