module

Roundcube Post-Auth RCE via PHP Object Deserialization

Try Surface Command
Back to search
Disclosed
Jun 2, 2025
Created
Jun 11, 2025

Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution
by authenticated users because the _from parameter in a URL is not validated
in program/actions/settings/upload.php, leading to PHP Object Deserialization.

An attacker can execute arbitrary system commands as the web server.

Authors

Maksim Rogov
Kirill Firsov

Platform

Linux,Unix

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/multi/http/roundcube_auth_rce_cve_2025_49113
    msf exploit(roundcube_auth_rce_cve_2025_49113) > show targets
        ...targets...
    msf exploit(roundcube_auth_rce_cve_2025_49113) > set TARGET < target-id >
    msf exploit(roundcube_auth_rce_cve_2025_49113) > show options
        ...show and set options...
    msf exploit(roundcube_auth_rce_cve_2025_49113) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today