Critical 10-Year-Old Vulnerability Found in Roundcube Webmail (CVE-2025-49113)

June 4th , 2025 by Eric Stephen

A newly disclosed, high-severity vulnerability has been identified in Roundcube Webmail, affecting all versions prior to 1.6.11 and 1.5.10 LTS.

A newly disclosed, high-severity vulnerability has been identified in Roundcube Webmail, affecting all versions prior to 1.6.11 and 1.5.10 LTS. This flaw allows authenticated users to execute arbitrary code through PHP object injection due to improper handling of the _from URL parameter.

Key Details:

CVSS Score: 9.9/10
Impact: Arbitrary code execution
Discovered by: Kirill Firsov, CEO of FearsOff
Affected versions: All versions before 1.6.11 and 1.5.10 LTS

Eenos Servers Already Patched

We want to reassure our customers that all Eenos-powered servers are already updated with the patched version of Roundcube. No action is required on your end — we've got you covered.

If you're running Roundcube elsewhere, it's crucial to update immediately to the latest secure release.

Quick Search

Try Eenos

Experience the power of Eenos with a free trial today!

Free Trial

Traditional Hosting

AI & Data Analytics

SandBoxed Apps

High Performance

Modern Databases

Automated Backups

Why Migrate to Eenos?

Key Details:

Eenos Servers Already Patched

Quick Search

Try Eenos

Recent Posts

Eenos v1.0.2 Released. Faster, Smarter, and More Flexible

Critical 10-Year-Old Vulnerability Found in Roundcube Webmail (CVE-2025-49113)

Eenos Version 1.0 Released

How to install SpamAssassin

Web Hosting

Recent Articles

Eenos Version 1.0 Released: Major Update with QUIC, PHP 8.4, Ruby 3.4, and Python 3.13 S…

Eenos v1.0.2 Released - Faster, Smarter, and More Flexible Hosting Control Panel

Company

Features

Resources

Quick Links