Roundcube Webmail Vulnerability CVE-2025-49113: Over 50,000 Exposed Assets Identified

CVE-2025-49113, a newly disclosed vulnerability in the Roundcube webmail platform, allows for remote code execution (RCE) and is currently being actively exploited. Its ability to execute code through email subject lines makes it particularly dangerous, allowing attackers to compromise systems without any direct interaction.

As of June 2025, the Shadowserver Foundation reported 84,925 Roundcube instances exposed to this vulnerability. Criminal IP Asset Search has also identified tens of thousands of affected cases. This article outlines the critical aspects and risks of CVE-2025-49113 and explains how to detect exposed Roundcube servers using CTI-based techniques.

CVE-2025-49113: Roundcube Webmail RCE Vulnerability Overview

CVE-2025-49113 is a remote code execution (RCE) vulnerability found in Roundcube versions prior to 1.6.5. It allows attackers to execute arbitrary PHP code simply by sending a malicious email to a user. The issue arises when a malicious payload inserted into the email's Subject header field is not properly filtered and is evaluated on the server side, enabling the attacker to execute commands while Roundcube processes the message.

The vulnerability was disclosed in early June 2025 and was weaponized by attackers almost immediately. Security researchers confirmed that the flaw was actively exploited to install backdoors and exfiltrate system information.

Roundcube Versions Affected by CVE-2025-49113

  • All versions up to 1.6.4 are vulnerable.
  • The vulnerability was patched in the latest release, version 1.6.5.

Major Security Threats of CVE-2025-49113

  • Unauthenticated Remote Code Execution (RCE)
    Code execution is possible upon email receipt—even without the user opening the message.
  • Ease of Attack Automation
    Attackers can easily automate large-scale spam or brute-force email campaigns.
  • Widespread Targeting of Government, Education, and Hosting Sectors
    Found on infrastructure in sensitive sectors, including major hosting platforms.
  • Roundcube Instances with Stacked Vulnerabilities
    Many exposed Roundcube servers are already affected by multiple known vulnerabilities.

CTI-Based Attack Surface Detection of Exposed Roundcube Instances

Criminal IP Asset Search can identify Roundcube instances by detecting the roundcube_sessid keyword in the Set-Cookie header.

Criminal IP Search Query: “Set-Cookie: roundcube_sessid”
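The fingerprint above (a Set-Cookie header that sets roundcube_sessid) combined with the version threshold from the "Versions Affected" section gives a simple defender-side triage for an asset inventory. The following Python is an added example, not Criminal IP's or Roundcube's code; the hosts, HTTP responses and version inventory are constructed, and the version source (e.g. a CMDB export) is an assumption.

```python
import re
from typing import Optional

FIXED_VERSION = (1, 6, 5)  # release the page names as the fix for CVE-2025-49113

# Constructed sample responses for hypothetical hosts; nothing is contacted.
SAMPLE_RESPONSES = {
    "mail-a.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                      "Set-Cookie: roundcube_sessid=abc123; path=/; HttpOnly\r\n\r\n",
    "mail-b.example": "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=def456; path=/\r\n\r\n",
    "mail-c.example": "HTTP/1.1 302 Found\r\nLocation: /webmail/\r\n"
                      "set-cookie: roundcube_sessid=ghi789; path=/webmail/\r\n\r\n",
}
# Constructed version inventory (assumed to come from a CMDB); None = unknown.
SAMPLE_VERSIONS = {"mail-a.example": "1.6.4", "mail-b.example": None, "mail-c.example": "1.6.5"}

def parse_headers(raw: str) -> list:
    """Return (name, value) pairs from a raw HTTP response head, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def is_roundcube(raw: str) -> bool:
    """The page's fingerprint: a Set-Cookie header (any case) that sets roundcube_sessid."""
    return any(n == "set-cookie" and v.startswith("roundcube_sessid=")
               for n, v in parse_headers(raw))

def is_vulnerable_version(version: str) -> bool:
    """True for every release below 1.6.5 (the page: all versions up to 1.6.4)."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", version)
    parsed = tuple(int(g) for g in m.groups() if g is not None) if m else None
    return parsed is not None and parsed < FIXED_VERSION

def classify(raw: str, version: Optional[str]) -> str:
    """Label one asset: not-roundcube, or roundcube-{vulnerable,patched,version-unknown}."""
    if not is_roundcube(raw):
        return "not-roundcube"
    if version is None:
        return "roundcube-version-unknown"  # exposed but unverified; confirm the version
    return "roundcube-vulnerable" if is_vulnerable_version(version) else "roundcube-patched"

def triage(responses: dict, versions: dict) -> dict:
    """Run the fingerprint plus version check over a whole inventory."""
    return {host: classify(raw, versions.get(host)) for host, raw in responses.items()}
```

Hosts labelled roundcube-version-unknown are the ones to prioritise for manual verification, since the cookie fingerprint alone says nothing about the patch level.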

Criminal IP Threat Hunting: 56,225 Roundcube Instances Detected

As of June 12, 2025, Criminal IP has detected a total of 56,225 Roundcube instances, with a large portion concentrated in the United States, China, Germany, Russia, and France. In particular, the United States and China host thousands of these instances.

Roundcube instances detected by Criminal IP, with expired SSL certificates and known CVEs.

Several of the Roundcube instances detected by Criminal IP were also found to have additional vulnerabilities, such as expired SSL certificates and multiple known CVEs. These weaknesses could make it easier for attackers to exploit them as entry points into target systems.

FAQ

Q1. Why are Roundcube instances exposed?

Roundcube is a widely used open-source webmail solution known for its ease of installation. It is often deployed as the default webmail client in shared hosting environments. However, many instances are installed without proper access restrictions on the admin interface or lack automatic updates, leaving outdated versions exposed to the internet for extended periods.

Q2. How can this vulnerability be prevented?

  • Upgrade to the latest version (1.6.5).
  • Remove unused Roundcube instances.
  • Apply firewalls and WAF rules to limit access.
  • Regularly check for CVEs related to webmail.
  • Continuously monitor external exposure with CTI-based asset detection tools.

Conclusion

The Roundcube vulnerability CVE-2025-49113 poses a critical security risk, allowing attackers to gain control of systems simply by sending an email—without any user or administrator interaction.

By leveraging Criminal IP Asset Search, organizations can monitor their attack surface in real-time and identify exposed assets. When using open-source solutions, it is essential to continuously monitor asset visibility and vulnerability exposure and to take proactive measures such as timely patching and access control implementation.


Data source: Criminal IP (https://www.criminalip.io)

Related article: https://www.criminalip.io/knowledge-hub/blog/28251