Critical code-execution vulnerability threatens Roundcube Webmail
Important security updates have been released for Roundcube Webmail. There are no reports of attacks yet.
Web admins should update their Roundcube webmail instances to the latest version as soon as possible. In the latest version, the developers have closed a security hole through which malicious code could get onto systems.
Contain the danger
According to a post, the developers have closed the "critical" vulnerability (CVE-2025-49113) in versions 1.5.10 and 1.6.11. All previous versions are said to be vulnerable.
Despite the critical classification, attackers must be authenticated to exploit the vulnerability. Because the from parameter in URLs under program/actions/settings/upload.php is not sufficiently checked, attackers can execute their own code. It can be assumed that instances are completely compromised after a successful attack.
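For admins with several instances, the fixed versions named above can be turned into a quick triage check. This is an added example, not code from the Roundcube project or the original article; the hostnames and version strings are constructed, and how the version string is collected from each instance is left to the admin. Comparing versions numerically matters here, because a plain string comparison would rank 1.6.9 above 1.6.11.

```python
import re

# Fixed releases named in the article, keyed by release branch.
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}
OLDEST_BRANCH, NEWEST_BRANCH = min(FIXED), max(FIXED)
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(\S*)\s*$")

def classify(version_text):
    """Return 'vulnerable', 'fixed', 'review' or 'unknown' for one version string."""
    m = VERSION_RE.match(version_text)
    if not m:
        return "unknown"                      # not a recognisable version
    version = (int(m[1]), int(m[2]), int(m[3] or 0))
    branch, suffix = version[:2], m[4]
    if branch > NEWEST_BRANCH:
        return "review"                       # branch not covered by the article
    # Branches older than 1.5 can never reach 1.5.10, so they compare as vulnerable.
    threshold = FIXED.get(branch, FIXED[OLDEST_BRANCH])
    if version < threshold:                   # tuple comparison is numeric
        return "vulnerable"
    # A suffix (pre-release, distro rebuild) cannot be judged from numbers alone.
    return "review" if suffix else "fixed"

def triage(inventory):
    """Group hosts by status; inventory maps host name to version string."""
    groups = {"vulnerable": [], "unknown": [], "review": [], "fixed": []}
    for host, version_text in sorted(inventory.items()):
        groups[classify(version_text)].append(host)
    return groups

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "mail-a.example.org": "1.6.9",
    "mail-b.example.org": "1.6.11",
    "mail-c.example.org": "1.5.9",
    "mail-d.example.org": "1.4.15",
    "mail-e.example.org": "1.6.11-rc",
    "mail-f.example.org": "not installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```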
Even if there are no indications of ongoing attacks, admins should not hesitate too long and install the security update promptly. The developers also advise this. According to FearsOff, the discoverers of the vulnerability, it has existed for ten years and affects over 53 million hosts.
(des)