CVE-2025-49113 PoC — Roundcube Webmail security vulnerability

Associated Vulnerability
Title: Roundcube Webmail security vulnerability (CVE-2025-49113)
Description: Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Description
A powerful Python scanner to detect CVE-2025-49113 vulnerability in Roundcube Webmail. Developed by Issam Junior (@issamiso).
Readme
<img src="https://raw.githubusercontent.com/issamjr/CVE-2025-49113-Scanner/refs/heads/main/img.jpg" />


# CVE-2025-49113 Scanner

## 🔍 Description

A powerful, multi-method Python scanner for detecting **CVE-2025-49113**, a critical remote code execution vulnerability in Roundcube Webmail.

- **CVE**: 2025-49113  
- **Type**: Authenticated Remote Code Execution via unsafe PHP object deserialization  
- **Affected Versions**: Roundcube before 1.5.10 (the 1.5 branch and every older release) and 1.6.x before 1.6.11  
- **Author**: Issam Junior ([@issamiso](https://t.me/issamiso))  

---

## 💥 Vulnerability Summary

`program/actions/settings/upload.php` in Roundcube Webmail does not validate the `_from` URL parameter, so an attacker-controlled value reaches PHP object deserialization. Any user holding a valid webmail session can turn this into **full remote code execution** (RCE) on the mail server; no administrative role is needed, only authentication.

---

## 🧪 Detection Methods

This scanner uses **three different techniques** to look for the vulnerability:
1. **Error-Based Analysis** – Looks for PHP fatal errors or `unserialize()` warnings in the response.
2. **Serialization Leakage** – Looks for serialized-object fragments (for example `O:8:"ClassName":...`) echoed back in the response.
3. **Header Anomaly Checks** – Flags headers such as `X-Powered-By: PHP`. This only confirms a PHP backend; it is informational and is not evidence of CVE-2025-49113 by itself.

The script also **fingerprints Roundcube** installations before testing. None of the three checks reads the installed version, so treat a negative result as inconclusive and confirm the version against the fixed releases listed under Protection & Mitigation.
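
The three checks above are heuristics. As an added example (not code from the scanner or from the Roundcube project), the following Python shows the deterministic complement a practitioner would want next to them: map a discovered version onto the advisory's fixed releases, recognise a Roundcube front end, and treat the header and error-string signals as hints rather than proof. It assumes the target exposes its version somewhere (such as a world-readable `CHANGELOG.md`, which is not guaranteed) and that the cookie name, JS bundle path and client object are stable Roundcube markers; all sample responses are constructed so the script runs offline.

```python
"""Version-based triage for CVE-2025-49113 (added example, not the scanner's code)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory text. "before 1.5.10" also covers every
# branch older than 1.5; the 1.6 branch is fixed in 1.6.11.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}

# Assumed Roundcube markers (session cookie name, main JS bundle, client object).
# They identify the product, not its version.
ROUNDCUBE_MARKERS = ("roundcube_sessid", "program/js/app.min.js", "rcmail")

# Response fragments suggesting unserialize() ran on tainted data. Hints only:
# a response without them does not prove the host is patched.
DESERIALIZATION_HINTS = (
    r"__PHP_Incomplete_Class",
    r"unserialize\(\)",
    r'\bO:\d+:"[A-Za-z_\\]+":\d+:\{',
)


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z found in text (e.g. a CHANGELOG heading
    '## Release 1.6.10'), or None when no version is present."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_vulnerable(version: Version) -> bool:
    """CVE-2025-49113: affected before 1.5.10 and 1.6.x before 1.6.11."""
    branch = version[:2]
    if branch < (1, 5):
        return True          # every branch older than 1.5 is "before 1.5.10"
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    return False             # later branches were cut after the fix


def looks_like_roundcube(body: str, headers: Dict[str, str]) -> bool:
    """Product fingerprint from the login page body and response headers."""
    haystack = body + " " + " ".join(f"{k}: {v}" for k, v in headers.items())
    return any(marker in haystack for marker in ROUNDCUBE_MARKERS)


def deserialization_hints(body: str) -> List[str]:
    """Return the hint patterns that matched, in declaration order."""
    return [p for p in DESERIALIZATION_HINTS if re.search(p, body)]


def triage(login_body: str, login_headers: Dict[str, str], changelog: Optional[str]) -> dict:
    """Combine product detection, the version (if exposed) and response hints.
    'vulnerable' is None when undetermined; None is not the same as safe."""
    notes: List[str] = []
    result = {
        "roundcube": looks_like_roundcube(login_body, login_headers),
        "version": None,
        "vulnerable": None,
        "hints": deserialization_hints(login_body),
        "notes": notes,
    }
    if "PHP" in login_headers.get("X-Powered-By", ""):
        notes.append("X-Powered-By shows PHP only; not evidence of CVE-2025-49113")
    version = parse_version(changelog) if changelog else None
    if version:
        result["version"] = ".".join(map(str, version))
        result["vulnerable"] = is_vulnerable(version)
    else:
        notes.append("no version exposed; confirm the installed release on the host")
    return result


# Constructed sample responses (not captured from any real host).
SAMPLE_LOGIN_BODY = (
    '<html><script src="program/js/app.min.js?s=1700000000"></script>'
    '<script>rcmail.set_env({"task":"login"});</script></html>'
)
SAMPLE_LOGIN_HEADERS = {"X-Powered-By": "PHP/8.2.12", "Set-Cookie": "roundcube_sessid=abc; HttpOnly"}
SAMPLE_CHANGELOG = "# Changelog Roundcube Webmail\n\n## Release 1.6.10\n\n- constructed entry\n"
SAMPLE_ERROR_BODY = 'Notice: unserialize(): Error at offset 12 of 40 bytes O:8:"stdClass":0:{}'

if __name__ == "__main__":
    print(triage(SAMPLE_LOGIN_BODY, SAMPLE_LOGIN_HEADERS, SAMPLE_CHANGELOG))
    print(deserialization_hints(SAMPLE_ERROR_BODY))
```

The version comparison is the only part that yields a yes/no answer; everything else is context that should raise or lower your confidence, which is why `vulnerable` stays `None` rather than `False` when no version is found.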

---

## ✅ Protection & Mitigation

- Upgrade to **Roundcube 1.5.10** or **1.6.11** (or later). This is the fix; the remaining items are defense in depth and do not close the deserialization path on their own.
- Filter and sanitize user input
- Avoid calling `unserialize()` on attacker-influenced data, or use a safe serialization format (applies to code you maintain, not to an unmodified Roundcube install)
- Enforce secure cookie attributes (`HttpOnly`, `Secure`, `SameSite`) to make session theft harder, since exploitation requires a valid session

---

## ⚙️ Usage

### Clone and install requirements:
```bash
git clone https://github.com/issamjr/CVE-2025-49113-Scanner.git
cd CVE-2025-49113-Scanner
pip install -r requirements.txt
```

### Scan a single target:
```bash
python3 scanner.py --url https://target-roundcube.com/
```

### Scan a list of targets:
```bash
python3 scanner.py --list targets.txt
```

> The checks assume an authenticated session. If you do not supply one, the scanner sends a placeholder cookie (default `roundcube_sessid=fake-session`), which the server does not treat as a logged-in session, so only the unauthenticated heuristics apply to the result.

---

## 📁 Example File (`targets.txt`)
```
https://mail1.example.com
https://webmail.anotherdomain.org
```

---

## 🔐 Disclaimer

This tool is intended **only for authorized security auditing and educational purposes**.  
The author is not responsible for any damage caused by misuse.

---

## 🛠️ Contact

Developer: **Issam Junior**  
Telegram: [@issamiso](https://t.me/issamiso)  
GitHub: [github.com/issamjr](https://github.com/issamjr)