CISA Adds Two Roundcube Flaws to KEV: What Organizations Must Do

Reza Rafati

TL;DR: CISA added two Roundcube webmail vulnerabilities to its KEV catalog following active exploitation. At least one tracked issue is CVE-2025-49113 (deserialization → RCE). Immediate steps: inventory Roundcube hosts, isolate suspected systems, and apply vendor patches or network restrictions. This post contains detection queries and remediation steps SOCs can run now.


CISA has added two Roundcube webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. One of the tracked issues is CVE-2025-49113, a high-severity deserialization vulnerability that can lead to remote code execution in unpatched installations.

Why this matters

Roundcube is widely deployed as a self-hosted webmail interface in SMBs, hosting providers, and some enterprise mail setups. When CISA adds a vulnerability to KEV it signals real-world exploitation and increased risk to organizations that run affected versions — meaning security teams should treat this as urgent.

Technical summary

  • Vulnerabilities: Two Roundcube flaws were added to the KEV catalog; at least one (CVE-2025-49113) is a deserialization flaw enabling remote code execution.
  • Attack vectors: Exploits target the webmail interface; successful exploitation may allow web shell deployment, privilege escalation, or lateral movement from compromised mail servers.
  • Evidence: Multiple security reports and government feeds flagged active exploitation prior to the KEV entry.

Immediate actions (0–24 hours)

  • Inventory: Identify all Roundcube installations (hostnames, IPs, versions) and prioritize externally-facing instances.
  • Isolate: If you suspect compromise, isolate the host from the network and preserve volatile evidence (memory, process list, network connections).
  • Patch: Apply the vendor-released Roundcube updates or mitigations immediately. If an official patch is unavailable, remove public access or restrict to trusted IPs and enable additional WAF rules.

Detection and hunting (concrete queries)

Use the queries below to find suspicious serialized payloads, webshells, or recent PHP files added to webroots.

Grep (access logs)

grep -E 'POST .*(O:[0-9]+:|s:[0-9]+:|a:[0-9]+:)' /var/log/nginx/access.log

Splunk

index=web sourcetype=access_combined method=POST | regex _raw="(O:\d+:|s:\d+:|a:\d+:)" | stats count by clientip,uri

Elastic (Lucene query syntax; KQL has no regular-expression operator, and the ECS body field is only populated when request-body logging is enabled)

http.request.method:POST AND http.request.body.content:/.*(O|s|a):[0-9]+:.*/

Filesystem check (new PHP files)

find /var/www -type f -name "*.php" -mtime -7 -print

If you use a WAF, add rules to block POST requests containing serialized payload markers (e.g., “O:[0-9]+:”, “s:[0-9]+:”).
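The same marker check, applied to a few constructed combined-format access-log lines, as an added example that is not part of the original post or of Roundcube itself. It URL-decodes the request target before matching, so percent-encoded payloads (which a raw grep for "O:[0-9]+:" would miss) are caught, and it aggregates hits per client and path like the Splunk query above. All IPs, timestamps and request lines are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Markers of PHP serialize() output: O:<len>:"Class", s:<len>:"...", a:<n>:{...}
# (the same three markers the grep/Splunk queries above look for).
PHP_SERIALIZED = re.compile(r'\b[Osa]:\d+:')

# Combined log format (nginx/Apache default): ip ident user [ts] "METHOD uri proto" status size
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not real traffic. Lines 3 and 4 carry serialized
# markers only in URL-encoded form, which a raw grep for "O:[0-9]+:" misses.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:10:01:02 +0000] "GET /roundcube/?_task=mail&_uid=5 HTTP/1.1" 200 5123
203.0.113.10 - - [10/Jun/2025:10:01:09 +0000] "POST /roundcube/?_task=login HTTP/1.1" 302 0
198.51.100.7 - - [10/Jun/2025:10:02:30 +0000] "GET /roundcube/?_task=settings&_from=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 88
198.51.100.7 - - [10/Jun/2025:10:02:31 +0000] "POST /roundcube/?_task=mail&_uid=a%3A1%3A%7Bi%3A0%3Bs%3A4%3A%22test%22%3B%7D HTTP/1.1" 200 88
198.51.100.7 - - [10/Jun/2025:10:02:40 +0000] "POST /roundcube/?_task=upload&_id=s:3:xyz HTTP/1.1" 200 88
"""

def find_serialized_requests(log_text):
    """Return (ip, method, decoded_uri, markers) for every request whose
    URL-decoded request target contains PHP serialization markers."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = unquote_plus(m.group("uri"))
        markers = PHP_SERIALIZED.findall(decoded)
        if markers:
            hits.append((m.group("ip"), m.group("method"), decoded, markers))
    return hits

def count_by_client(hits):
    """Aggregate hits per (client IP, path), like the Splunk stats count by clientip,uri."""
    return Counter((ip, uri.split("?", 1)[0]) for ip, _method, uri, _markers in hits)

if __name__ == "__main__":
    found = find_serialized_requests(SAMPLE_LOG)
    for ip, method, uri, markers in found:
        print(f"{ip} {method} {uri} markers={markers}")
    for (ip, path), n in count_by_client(found).items():
        print(f"{ip} {path}: {n} suspicious request(s)")
```

Standard access logs record only the request line, so markers carried in a POST body are invisible to this script and to the grep above; to inspect bodies, enable request-body logging on the reverse proxy or run the same check over WAF logs.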

Patched versions

Roundcube has published fixes. Update affected installations to one of the following vendor release points: 1.5.10 (stable 1.5 branch) or 1.6.11 (1.6 branch). NVD documents the issue as CVE-2025-49113 and confirms the affected version ranges (Roundcube < 1.5.10 and 1.6.x < 1.6.11). Apply these updates immediately and follow the vendor release notes for post-update validation steps.

Remediation and recovery

  • Patch and harden: Apply vendor fixes and ensure all components (PHP, libraries, OS) are up to date.
  • Credential reset: Reset service and admin passwords; force password resets for affected mail users if compromise is suspected.
  • Rebuild if necessary: If system integrity is in doubt, rebuild the server from known-good images and restore mail data from backups after verification.

Longer-term controls

  • Reduce attack surface: Limit access to Roundcube to internal networks or VPNs where feasible.
  • Monitoring: Add detection rules for suspicious serialization activity and integrate alerts into SIEM workflows.
  • Backup & response: Ensure tested backups and an incident response playbook that covers mail-server compromise.

Internal links

See earlier Cyberwarzone reporting on exploited vulnerabilities and CISA confirmations for response playbooks and broader context: CISA confirms Linux kernel flaw exploited in ransomware attacks.
