CVE-2025-49113 is a critical vulnerability affecting Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11. It allows authenticated users to achieve remote code execution because the _from URL parameter is not validated in program/actions/settings/upload.php. The severity is underscored by its CVSS score of 9.9, which indicates a significant risk to organizations running these versions of Roundcube Webmail.
The risk to organizations includes unauthorized access to sensitive data and the ability to execute arbitrary code on the server. Given the nature of this vulnerability, it presents a serious threat, particularly in environments where Roundcube is used to manage email. Defenders need to act urgently: known exploits are available, and the vulnerability has been classified as actively exploited.
Organizations should prioritize patching immediately. The response should include updating Roundcube Webmail to 1.5.10 or 1.6.11 (or later) as soon as possible to mitigate the risks associated with this vulnerability.
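As an added example (not part of this advisory), a small Python check that classifies an installed Roundcube version against the affected ranges stated above, so that an inventory script can flag hosts that still need the update. The name of the RCMAIL_VERSION constant in program/include/iniset.php and the sample file contents are assumptions made here for illustration.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory: before 1.5.10, and 1.6.x before 1.6.11.
FIXED_1_5 = (1, 5, 10)
FIXED_1_6 = (1, 6, 11)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (a trailing suffix such as '-rc1' is ignored)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> Optional[bool]:
    """Return True if the version is inside the advisory's affected ranges,
    False if it is at or above the fixed release for its branch, and None when
    the version is outside the ranges the advisory describes (e.g. a later
    branch), so callers treat it as 'not covered' rather than 'safe'."""
    v = parse_version(version)
    if v[:2] == (1, 6):
        return v < FIXED_1_6
    if v < FIXED_1_5:
        return True   # 1.5.0-1.5.9 and every earlier branch (1.4.x, ...)
    if v[:2] == (1, 5):
        return False  # 1.5.10 and later 1.5.x releases carry the fix
    return None       # 1.7+ (or anything else) is not described by the advisory


def version_from_iniset(source: str) -> str:
    """Extract RCMAIL_VERSION from the contents of program/include/iniset.php.
    Assumption: the file defines the constant with define('RCMAIL_VERSION', '...')."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php contents")
    return m.group(1)


# Constructed sample of the relevant line from an unpatched 1.6.x install.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.10');\n"

if __name__ == "__main__":
    v = version_from_iniset(SAMPLE_INISET)
    status = {True: "affected", False: "not affected", None: "not covered by advisory"}
    print(v, status[is_affected(v)])
```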
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.