CVE-2025-49113 is a critical remote code execution vulnerability affecting Roundcube Webmail versions prior to 1.5.10 and 1.6.x prior to 1.6.11. The root cause is improper validation of the _from parameter in the URL within the file program/actions/settings/upload.php. This flaw allows authenticated users to exploit PHP Object Deserialization, a dangerous security weakness categorized under CWE-502. Deserialization vulnerabilities occur when untrusted data is deserialized by an application without sufficient validation, enabling attackers to manipulate serialized objects to execute arbitrary code on the server. In this case, an attacker with valid credentials can craft a malicious payload in the _from parameter, triggering deserialization of malicious objects and leading to full remote code execution. The vulnerability has a CVSS v3.1 base score of 9.9, indicating critical severity with network attack vector, low attack complexity, requiring privileges (authenticated user), no user interaction, and complete impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the ease of exploitation by any authenticated user and the critical impact make this a high-risk threat. Roundcube Webmail is a widely used open-source webmail client deployed by many organizations for email access and management, making this vulnerability particularly concerning for environments relying on it for internal or external email services. The vulnerability affects all versions before 1.5.10 and 1.6.11, so organizations running these versions are at risk until patched.

For European organizations, the impact of this vulnerability can be severe. Successful exploitation allows an authenticated user to execute arbitrary code on the webmail server, potentially leading to full system compromise. This can result in unauthorized access to sensitive emails, credential theft, lateral movement within corporate networks, and disruption of email services. Given that email is a critical communication tool, disruption or compromise can affect business continuity, regulatory compliance (e.g., GDPR), and customer trust. Attackers could also use compromised webmail servers as pivot points for further attacks, including data exfiltration or ransomware deployment. The critical nature of this vulnerability means that organizations using vulnerable versions of Roundcube Webmail face a significant risk of data breaches and operational impact.

Organizations should immediately upgrade Roundcube Webmail to version 1.5.10 or 1.6.11 or later, where this vulnerability is fixed. If immediate upgrade is not possible, implement strict access controls to limit authenticated user privileges and monitor webmail access logs for suspicious activity. Employ web application firewalls (WAFs) with rules to detect and block malicious deserialization payloads targeting the _from parameter. Conduct thorough code audits and penetration testing focusing on deserialization vectors. Additionally, enforce multi-factor authentication (MFA) for webmail access to reduce the risk of compromised credentials being used to exploit this vulnerability. Regularly review and update security policies around email infrastructure and ensure timely patch management processes are in place to prevent exploitation of known vulnerabilities.