Roundcube Webmail is vulnerable to remote code execution due to insecure PHP object deserialization. The vulnerability is triggered through the _from URL parameter in program/actions/settings/upload.php, which is not properly validated. An authenticated attacker can exploit this to execute arbitrary PHP code on the server.
Successful exploitation allows a low-privileged authenticated user to remotely execute arbitrary code with the privileges of the web server, leading to full compromise of confidentiality, integrity, and availability of the Roundcube instance.
Product: Roundcube Webmail
Affected Version: v1.5.10-v1.6.11
Action Due: 6/1/2025
Remediation: Upgrade Roundcube to version 1.5.10 (for 1.5.x users) or version 1.6.11 (for 1.6.x users).
Exploit Added Date: 6/1/2025
Releases: 1.5.10 Release; 1.6.11 Release
Workaround: Restrict access to upload.php until the upgrade is complete.
Mitigations: Apply input validation; disable unused upload features; limit user privileges.
Detection: Monitor logs for unusual access to upload.php; look for serialized PHP objects in POST or GET parameters.
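The detection guidance above (access to upload.php, serialized PHP objects in request parameters) can be turned into a simple log review. The script below is an added example, not part of this advisory or of the Roundcube project: it parses constructed Apache/nginx "combined"-style access log lines, flags any request whose URL-decoded query parameters contain a PHP serialized-object marker (`O:<len>:"<class>"`), and separately lists direct requests to upload.php for review. The log lines, IPs and usernames are constructed samples; the serialized value used is an empty `stdClass`, only to exercise the matcher.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-format access log line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Marker of a serialized PHP object: O:<name length>:"<class name>"
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+"')

# Constructed sample lines (not real traffic). Line 2 carries a URL-encoded
# empty stdClass in _from; line 4 is a POST whose body an access log cannot show.
SAMPLE_LOG = """\
203.0.113.5 - alice [31/May/2025:10:15:02 +0000] "GET /program/actions/settings/upload.php?_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - bob [31/May/2025:10:16:44 +0000] "GET /?_task=settings&_from=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.7 - carol [31/May/2025:10:17:01 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.9 - bob [31/May/2025:10:18:30 +0000] "POST /program/actions/settings/upload.php HTTP/1.1" 200 64 "-" "curl/8.0"
"""


def inspect_request(line):
    """Return a finding dict for one access log line, or None if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    # parse_qsl percent-decodes values, so %3A / %22 become ':' and '"'.
    params = parse_qsl(parts.query, keep_blank_values=True)
    suspicious = [name for name, value in params if PHP_OBJECT_RE.search(value)]
    touches_upload = parts.path.endswith('/upload.php')
    base = {
        'ip': m.group('ip'), 'user': m.group('user'), 'ts': m.group('ts'),
        'method': m.group('method'), 'path': parts.path, 'status': m.group('status'),
    }
    if suspicious:
        base.update(severity='high', params=suspicious,
                    reason='serialized PHP object in query parameter(s)')
        return base
    if touches_upload:
        note = 'direct request to upload.php; review'
        if m.group('method') == 'POST':
            # Access logs do not record POST bodies; a WAF or application log is
            # needed to inspect serialized objects submitted that way.
            note += ' (POST body not visible in access log)'
        base.update(severity='info', params=[], reason=note)
        return base
    return None


def scan_log(text):
    """Run inspect_request over every line and return the findings in log order."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['ts']} {finding['ip']} {finding['user']} "
              f"{finding['method']} {finding['path']} -> {finding['reason']} {finding['params']}")
```

The matcher only sees percent-encoded query strings; values wrapped in a further encoding (for example base64) or submitted in a POST body are not visible to an access-log review and need inspection at the WAF or application layer. Treat the `info` findings as a baseline of who normally reaches upload.php, and the `high` findings as candidates for immediate review.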
5/31/2025
5/31/2025
References: No references provided
Affected organizations: No affected organizations specified