
Critical Roundcube webmail flaw went undetected for 10 years

By Yadullah Abidi · 2 min read

The Roundcube webmail client has a critical remote code execution flaw, tracked as CVE-2025-49113 with a CVSS score of 9.9. The bug has been present in Roundcube for over a decade and lets an attacker who can log in to the webmail interface run arbitrary code on the server, which is enough to take over the host.

Roundcube promptly issued security updates, fixing the bug in versions 1.6.11 and 1.5.10 LTS. Its advisory describes the fix as addressing a “Post-Auth RCE via PHP Object Deserialization” and strongly recommends updating all production installations of Roundcube to the fixed versions. The “post-auth” qualifier matters: exploitation requires a valid webmail login, so a weak, reused or stolen mailbox password is all that stands between an attacker and code execution on the server.

Kirill Firsov, founder and CEO of FearsOff, discovered the vulnerability and estimates that it affects more than 53 million hosts, because Roundcube ships bundled with hosting control panels such as Plesk, cPanel, ISPConfig and DirectAdmin. Firsov has already published technical details and a proof-of-concept (PoC) exploit.

Servers running cPanel, Plesk, ISPConfig or DirectAdmin are affected, as all of these platforms include Roundcube by default, and they remain exposed until the bundled Roundcube is updated to a fixed release. Ports 2083, 2086, 2087 and 2096 are the ports cPanel uses for its cPanel, WHM and webmail interfaces, so a server that exposes any of them to the internet is very likely a cPanel host whose Roundcube needs checking. An open port is an indicator that the install is reachable, not proof of exploitability; the fix is the version upgrade, not closing the port.
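The check a practitioner wants at this point is a version triage. The Python below is an added example, not code from the article or from the Roundcube project: it reads the version a Roundcube install declares and compares it with the fixed releases named above (1.6.11 and 1.5.10). It assumes Roundcube defines RCMAIL_VERSION in program/include/iniset.php (as current releases do), treats any branch older than 1.5 as unpatched because no fix was issued for those branches, and the iniset.php excerpt it ships with is a constructed sample.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Fixed releases named in the Roundcube advisory, keyed by release branch.
FIXED_IN = {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)}

# Roundcube declares its version in program/include/iniset.php as
# define('RCMAIL_VERSION', '1.6.11'); (assumption about the file layout).
VERSION_DEFINE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed excerpt standing in for a real iniset.php on an unpatched host.
SAMPLE_INISET = """<?php
/*
 | program/include/iniset.php (constructed sample, not the real file)
 */
define('RCMAIL_VERSION', '1.6.9');
define('RCMAIL_START', microtime(true));
"""


def version_from_iniset(source: str) -> Optional[str]:
    """Return the RCMAIL_VERSION string from iniset.php contents, or None."""
    m = VERSION_DEFINE.search(source)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.6.11' (or '1.6.11-git', '1.5.10-rc') into a comparable tuple."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if this Roundcube version predates the CVE-2025-49113 fix."""
    parts = parse_version(version)
    branch = parts[:2]
    if branch in FIXED_IN:
        return parts < FIXED_IN[branch]
    # Branches without a listed fix: anything older than 1.5 (1.4, 1.3, ...) is
    # end-of-life and never received the patch; anything newer than 1.6
    # postdates it. This generalisation is an assumption, not from the advisory.
    return parts < FIXED_IN[(1, 5)]


def triage_source(source: str) -> dict:
    """Run the check on already-read iniset.php contents."""
    version = version_from_iniset(source)
    return {
        "version": version,
        "vulnerable": None if version is None else is_vulnerable(version),
    }


def triage_install(roundcube_root: Path) -> dict:
    """Run the check on an on-disk Roundcube install rooted at roundcube_root."""
    iniset = roundcube_root / "program" / "include" / "iniset.php"
    report = triage_source(iniset.read_text(encoding="utf-8", errors="replace"))
    report["root"] = str(roundcube_root)
    return report


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(triage_install(Path(sys.argv[1])))
    else:
        print(triage_source(SAMPLE_INISET))
```

Run it with the Roundcube root directory as the first argument; with no argument it checks the constructed sample. The hosting panels listed above bundle their own copy of Roundcube, which may live outside the usual web root, so point the script at the copy the panel actually serves. Anything reported as vulnerable should be upgraded to 1.6.11 or 1.5.10 rather than worked around.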

To make matters worse, Firsov has pointed out that exploits for CVE-2025-49113 are already being offered for sale on the dark web. Given the number of hosts affected, cybercriminals won’t wait long before scanning the internet for exposed webmail and control-panel ports and working through the unpatched hosts they find.

This isn’t the first time Roundcube has been targeted. Hacking groups have attacked the webmail platform before, but those campaigns were limited to stealing credentials or intercepting mail. Because this flaw turns a valid login, including one harvested in an earlier credential-theft campaign, into code execution on the server itself, it raises the stakes considerably, and the only reliable way to close that door is to update Roundcube right away.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
