
The Human Connection Blog

New CTI Lab: CVE-2025-49113: Investigating a Roundcube RCE

benhopkins
7 hours ago

Today, Immersive's Container 7 Research Team has released a lab covering a Roundcube RCE that is being exploited in the wild.

In February 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-49113 to its Known Exploited Vulnerabilities (KEV) catalogue following exploitation in the wild. This critical vulnerability, which lay dormant in the Roundcube Webmail codebase for over a decade, allows authenticated attackers to achieve Remote Code Execution (RCE). With tens of thousands of instances exposed globally, particularly in government and higher education sectors, this flaw has become a primary target for both cybercriminal and state-sponsored groups.

What is this about?

CVE-2025-49113 is a high-impact PHP Object Deserialization vulnerability (CWE-502) with a CVSS score of 8.8. The flaw resides in how the application handles session data and URL parameters during file uploads.

The attack vector focuses on:

  • The Vulnerable Parameter: The _from parameter in program/actions/settings/upload.php lacks proper validation.
  • The Logic Error: A bug in the Roundcube session parser allows an attacker to inject an exclamation mark (!) to corrupt session variables.
  • The Gadget Chain: By manipulating the corrupted session, attackers can inject malicious PHP objects that leverage the Crypt_GPG library to execute arbitrary commands.
  • Post-Auth Requirement: While exploitation requires authentication, attackers often pair this with credential harvesting or CSRF attacks to gain the initial foothold.
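
Since the page notes that defenders are largely left with access logs, here is an added example (not part of the lab or the original post) in Python: a small scanner over constructed Apache combined-format log lines that flags requests to the settings upload action whose `_from` value contains `!`. The `/roundcube/` path prefix and the `?_task=settings&_action=upload&_from=...` parameter layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines for illustration; not real traffic.
# The /roundcube/ prefix and the parameter layout are assumptions.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2026:09:12:01 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2026:09:12:07 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2026:09:13:44 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%21x HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [10/Feb/2026:09:13:50 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX%21Sent HTTP/1.1" 200 4100 "-" "python-requests/2.31"
"""

# Fields of the combined log format that matter here; the path keeps its query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict with ip, ts, method, path, status and the decoded query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # parse_qs percent-decodes once, so %21 becomes "!" just as the server sees it
    entry["query"] = parse_qs(urlsplit(entry["path"]).query, keep_blank_values=True)
    return entry

def is_suspicious(entry):
    """True when the request targets the settings upload action with '!' in _from."""
    q = entry["query"]
    if q.get("_task") != ["settings"] or q.get("_action") != ["upload"]:
        return False
    return any("!" in value for value in q.get("_from", []))

def find_suspicious(log_text):
    """Scan a log and return (ip, timestamp, path) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], entry["path"]))
    return hits

if __name__ == "__main__":
    for ip, ts, path in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} {path}")
```

Parameters carried in a POST body never reach the access log, so this only catches values sent in the query string; apply the same check to any source (WAF or reverse-proxy log) that records request bodies.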


Why is this critical for you and your team?

This is a long-standing vulnerability that many organizations have still not patched:

  • Detection: Exploitation is notoriously difficult to detect with traditional Web Application Firewalls (WAFs), because the PHP object injection takes place inside session handling. Admins are largely left with web server access logs and HTTP logs to identify evidence of intrusion.
  • Federal Mandate: CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to remediate this vulnerability by March 13, 2026, underscoring the immediate risk to national security infrastructure.


Who is the content for?

  • Security Analysts
  • System Administrators
  • Threat Researchers
  • Threat Hunters


Link to the lab: CVE-2025-49113: Investigating a Roundcube RCE
