CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

AL25-007 - Vulnerability impacting Roundcube Webmail – CVE-2025-49113 – Update 1

criticalknown exploitedpublic exploitCVE-2025-49113CVE-2024-42009CVE-2025-42009
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Number: AL25-007 Date: June 11, 2025 Updated: July 10, 2026 Audience This Alert is intended for IT professionals and managers of notified organizations. Purpose An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested. Details On June 1, 2025, Roundcube released a security bulletin for a critical vulnerability affecting Webmail. The issue is described as a Post-Auth RCE via PHP Object Deserialization vulnerability (CVE-2025-49113) Footnote 1 . The versions of Roundcube products affected are Footnote 2 : Webmail – versions prior to 1.5.10 Webmail – versions prior to 1.6.11 In response to this vulnerability, the Cyber Centre released AV25-309 on June 2, 2025 Footnote 3 . While the Cyber Centre has not received any reports of exploitation, the existence of a proof of concept (POC) significantly raises the likeness of abuse by malicious actors. The existence of a published POC makes it imperative to take action to assess and mitigate this vulnerability. The Cyber Centre is aware that exploitation of CVE-2024-42009 has been used to obtain valid credentials, which could lead to exploitation of CVE-2025-49113. CISA added CVE-2024-42009 to their Known Exploited Vulnerabilities (KEV) catalog Footnote 4 Footnote 5 on June 9, 2025. Update 1 The Cyber Centre is aware of open-source reporting indicating ongoing exploitation Footnote 7 of CVE-2024-42009 Footnote 8 and CVE-2025-49113 Footnote 1 related to Roundcube Webmail. The Cyber Centre strongly recommends that organizations upgrade to the latest Roundcube Webmail versions as per AV26-657 Footnote 9 : Webmail – version 1.6.17 Webmail – version 1.7.2 On June 9, 2025, Cybersecurity and Infrastructure Security Agency (CISA) added CVE

CSIRTS triage

vendor: RoundcubeRemote code executionaffected: prior to 1.5.10, prior to 1.6.11
What
There is a Post-Auth RCE via PHP Object Deserialization vulnerability.
Who is affected
Deployments of Roundcube Webmail versions prior to 1.5.10 and 1.6.11.
Urgency
Remediation is urgent due to active exploitation and critical severity.
Action
Update to Roundcube Webmail version 1.5.10 or 1.6.11 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

Details

Source
Canadian Centre for Cyber Security (CA · national-cert · site)
Severity
critical
Published
2026-07-10
Exploitation
Observed in the wild (CISA KEV)

Original advisory: https://cyber.gc.ca/en/alerts-advisories/vulnerability-impacting-roundcube-webmail-cve-2025-49113

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2025-49113coverage & exploitation statusNVD · CVE.org
CVE-2024-42009coverage & exploitation statusNVD · CVE.org
CVE-2025-42009coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from Canadian Centre for Cyber Security