1.0 Introduction
Recently, a critical Remote Code Execution (RCE) vulnerability affecting Roundcube Webmail, tracked as CVE-2025-49113 , has been discovered and is now being actively exploited. This vulnerability, which has existed for over a decade, is triggered by sending a malicious HTML email to a victim. The flaw lies in improper handling of certain email content, allowing attackers to execute arbitrary PHP code on the server once the email is opened. The issue affects millions of Roundcube deployments worldwide, including in government and enterprise environments.
2.0 Impact
Successful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on the Roundcube mail server. The potential impacts include:
- Full server compromise
- Unauthorized access to email communications
- Malware deployment and lateral movement
- Exposure of sensitive government or enterprise data
3.0 Affected Product
- Roundcube versions earlier than 1.5.10
- Roundcube 1.6.0 versions earlier than 1.6.11
4.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the Roundcube Security Update and apply the necessary updates immediately.
Kindly refer to the following URL for latest updates:
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10\
Generally, CyberSecurity Malaysia advises users to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact us through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.cybersecurity.my
5.0 References