CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2025-49113

criticalknown exploitedpublic exploitcovered by 3 sourcesfirst seen 2025-06-05
Actively exploited. CVE-2025-49113 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-02-20) — exploitation has been observed in the wild, and US federal agencies are required to remediate it under BOD 22-01. Treat patching as urgent.
Public exploit code is available. Proof-of-concept or working exploit code for CVE-2025-49113 is indexed in Metasploit, Exploit-DB, GitHub PoC and Nuclei. Expect opportunistic scanning and exploitation attempts — prioritize remediation.
Number: AL25-007 Date: June 11, 2025 Updated: July 10, 2026 Audience This Alert is intended for IT professionals and managers of notified organizations. Purpose An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested. Details On June 1, 2025, Roundcube released a security bulletin for a critical vulnerability affecting Webmail. The issue is described as a Post-Auth RCE via PHP Object Deserialization vulnerability (CVE-2025-49113) Footnote 1 . The versions of Roundcube products affected are Footnote 2 : Webmail – versions prior to 1.5.10 Webmail – versions prior to 1.6.11 In response to this vulnerability, the Cyber Centre released AV25-309 on June 2, 2025 Footnote 3 . While the Cyber Centre has not received any reports of exploitation, the existence of a proof of concept (POC) significantly raises the likeness of abuse by malicious actors. The existence of a published POC makes it imperative to take action to assess and mitigate this vulnerability. The Cyber Centre is aware that exploitation of CVE-2024-42009 has been used to obtain valid credentials, which could lead to exploitation of CVE-2025-49113. CISA added CVE-2024-42009 to their Known Exploited Vulnerabilities (KEV) catalog Footnote 4 Footnote 5 on June 9, 2025. Update 1 The Cyber Centre is aware of open-source reporting indicating ongoing exploitation Footnote 7 of CVE-2024-42009 Footnote 8 and CVE-2025-49113 Footnote 1 related to Roundcube Webmail. The Cyber Centre strongly recommends that organizations upgrade to the latest Roundcube Webmail versions as per AV26-657 Footnote 9 : Webmail – version 1.6.17 Webmail – version 1.7.2 On June 9, 2025, Cybersecurity and Infrastructure Security Agency (CISA) added CVE

CSIRTS triage

vendor: RoundcubeRemote code executionaffected: prior to 1.5.10, prior to 1.6.11
What
There is a Post-Auth RCE via PHP Object Deserialization vulnerability.
Who is affected
Deployments of Roundcube Webmail versions prior to 1.5.10 and 1.6.11.
Urgency
Remediation is urgent due to active exploitation and critical severity.
Action
Update to Roundcube Webmail version 1.5.10 or 1.6.11 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2025-49113

Get an email if CVE-2025-49113 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Exploit availability

Public exploit or proof-of-concept code for CVE-2025-49113 is indexed in these free datasets. Available exploit code raises real-world risk independent of the CVSS score.

Advisory coverage (3)

External references

NVD record for CVE-2025-49113

CVE.org record

CISA KEV catalog

Embed the live status

CVE-2025-49113 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2025-49113 status](https://www.csirts.com/badge/CVE-2025-49113)](https://www.csirts.com/cve/CVE-2025-49113)