
CVE-2025-49113 PoC — Roundcube Webmail Security Vulnerability

Associated Vulnerability
Title: Roundcube Webmail Security Vulnerability (CVE-2025-49113)
Description: Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Description: Proof-of-concept for CVE-2025-49113
Readme
# Roundcube RCE Exploit (CVE-2025-49113)

A fully functional proof-of-concept exploit for **CVE-2025-49113**

---

## 🧠 Summary

**CVE-2025-49113** is the result of a logic flaw in the application's session parser, which allows insecure deserialization of PHP objects. Authenticated users can exploit this issue to execute arbitrary commands on the server.

---

## 🔥 Impact

An attacker with **valid credentials** (even low-privileged user accounts) can exploit this flaw to:

- Execute arbitrary system commands.
- Establish reverse shells or deploy persistence.
- Move laterally within the internal network if Roundcube is self-hosted.

---

## 🧩 Vulnerability Details

- **Type:** Insecure Deserialization → Remote Code Execution
- **Component:** PHP backend (mail processing or plugin loading logic)
- **Conditions:** Authenticated session (cookie or login), crafted serialized payload
- **Exploit Primitive:** PHP `unserialize()` with attacker-controlled input and loaded gadgets

---

## ✅ Affected Versions

- **1.5.x:** All versions from `1.5.0` to `1.5.9`
- **1.6.x:** All versions from `1.6.0` to `1.6.10`

> Versions prior to 1.5.0 have not been tested, but are potentially vulnerable if backported plugins or features are present.
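As an added example (not code from this repository), a small triage helper for defenders that encodes the affected ranges listed above and sorts an inventory of hosts by patch status. It assumes version strings of the form `major.minor.patch` (optionally with a suffix such as `-git`); the `assess` and `triage` names and the sample inventory are constructed for this example.

```python
import re

# Affected ranges as listed in this README: 1.5.0-1.5.9 (fixed in 1.5.10)
# and 1.6.0-1.6.10 (fixed in 1.6.11), keyed by (major, minor) branch.
AFFECTED_RANGES = {
    (1, 5): ((1, 5, 0), (1, 5, 9)),
    (1, 6): ((1, 6, 0), (1, 6, 10)),
}


def parse_version(version: str) -> tuple:
    """Parse a Roundcube version string such as '1.6.10' (or '1.6.10-git')
    into a comparable (major, minor, patch) tuple; trailing suffixes are ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version: str) -> str:
    """Classify one version as vulnerable, fixed, untested or not_affected."""
    v = parse_version(version)
    branch = v[:2]
    if branch in AFFECTED_RANGES:
        low, high = AFFECTED_RANGES[branch]
        return "vulnerable" if low <= v <= high else "fixed"
    if v < (1, 5, 0):
        # The README states pre-1.5.0 releases were not tested, so do not
        # report them as safe.
        return "untested"
    return "not_affected"  # branches newer than 1.6.x fall outside the advisory


def triage(inventory: dict) -> dict:
    """Group hosts by assessment so patching can be prioritised.
    inventory maps hostname -> version string."""
    groups: dict = {}
    for host, version in inventory.items():
        groups.setdefault(assess(version), []).append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mail-a.example.internal": "1.6.10",
    "mail-b.example.internal": "1.6.11",
    "mail-c.example.internal": "1.5.9",
    "legacy.example.internal": "1.4.15",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```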

---

## ⚙️ Exploit Requirements

- Python ≥ **3.7**
- PHP ≥ **7.4** (used for local payload crafting)
- Python libraries listed in `requirements.txt`

---

## 💻 Setup & Installation

Clone the repository and install the required dependencies:

```bash
git clone https://github.com/BiiTts/Roundcube-CVE-2025-49113.git
# git clone creates a directory named after the repository
cd Roundcube-CVE-2025-49113
pip install -r requirements.txt
```

## 🔥 Execute

```bash
python3 roundcube_exploit.py http://roundcube.local/ username password "cmd"
```

## 💻 References

- https://fearsoff.org/research/roundcube
- https://nvd.nist.gov/vuln/detail/CVE-2025-49113
- https://hakaisecurity.io/por-tras-da-falha-erro-de-logica-no-parser-de-sessao-do-roundcube-cve-2025-49113/research-blog/
