The disclosure was not supposed to happen like this. Originally slated for release after a responsible disclosure period, the details of a critical vulnerability in Roundcube (CVE-2025-49113) are being published early.
Not out of haste, but out of necessity. Within 48 hours of a patch landing quietly on GitHub, attackers had already reverse-engineered the fix, weaponized the exploit, and begun selling it on underground forums.
In this case, silence would serve the wrong side.
To level the field for defenders, a full technical breakdown has been made public by FearsOff researchers. It’s not ideal. But with active exploitation underway and millions of systems exposed, it’s the most responsible course of action.
“Given the active exploitation and evidence of the exploit being sold in underground forums, I believe it is in the best interest of defenders, blue teams, and the broader security community to publish a full technical breakdown,” FearsOff said.
Roundcube: A Familiar Face in Familiar Places
If you’ve ever conducted a penetration test, you’ve likely encountered Roundcube. It’s ubiquitous, more common than misconfigured SSL, and just as stubborn.
It’s the go-to webmail client for shared hosting providers the world over, bundled by Hostinger, GoDaddy, OVH, and Dreamhost. Control panels like cPanel, Plesk, and DirectAdmin integrate it by default. And it’s not limited to small fry. Institutions like Johns Hopkins, Columbia, and Cambridge rely on it. Government agencies, universities, and enterprises have Roundcube baked into their infrastructure.
So when it breaks, the fallout is wide.
By the researchers’ count, roughly 53 million hosts run Roundcube. The term “attack surface” doesn’t quite do this one justice. It’s industrial in scale.
A History of Holes, and Hacker Joy
Roundcube has long been an object of fascination for security researchers. Past exploits (like CVE-2016-9920, or the RCE found in the markasjunk plugin) have drawn admiration and dread in equal measure. Each report reads like a puzzle solved. Each discovery, a fresh spark for the next researcher.
Some do it for the payout. Bug bounty platforms and brokers like Crowdfense have offered up to $50,000 for critical Roundcube bugs. But most aren’t in it for the money. They’re here for the craft. For the cause. And, increasingly, for defense.
The researcher behind this new finding spent over a dozen hours unpicking Roundcube’s inner workings. Now that effort is being released, early, and with purpose, to give defenders time to react.
The Vulnerability at a Glance
- CVE-2025-49113 affects Roundcube versions 1.1.0 through 1.5.9 and 1.6.0 through 1.6.10
- Reproducible by default, without special dependencies
- Not caught by web application firewalls, according to the researchers: the payload looks like ordinary session data rather than an obviously malicious request
- Hidden in plain sight for over a decade: the affected code dates back to the 1.1 branch
- Requires a valid login to exploit (the researchers note a CSRF path is technically possible, but less practical)
Patches are available in versions 1.6.11 (stable) and 1.5.10 (LTS). If you’re running anything older, you’re exposed.
Under the Hood: Sessions, Serialization, and a Single Exclamation Point
The vulnerability lies not in flashy calls to eval() or careless includes. It lives deeper, in how Roundcube handles session data.
Roundcube supports a range of session storage backends: MySQL, PostgreSQL, Redis, Memcached. To juggle that variety, its developers wrote a generic, high-level session handler, central to which is the rcube_session class.
At its heart is a method, unserialize(). It takes the session data, which Roundcube stores as a base64-encoded string, parses it back into variables, and reconstructs the session state. This routine runs every time the webmail client loads a session. This is where things get strange.
The Curious Case of the Exclamation Mark
Roundcube writes session data as a sequence of name/value records, a compact format inherited from PHP’s own session serializer, and its parser walks that string character by character, reading a variable name, then the serialized value that follows it. Most of the time, it works as expected, until a variable name begins with an exclamation mark (!).
In that format a leading ! is a deliberate marker: it means “this variable is registered but has no value.” The parser honours the marker, strips the !, records an empty variable and moves on to read the next name. What it never does is check whether the application actually stored a variable whose name starts with !, or whether a value follows it anyway. When one does, the bytes Roundcube wrote as that variable’s value are never consumed as a value; the parser re-reads them as the start of the next record, and from that point on name and value boundaries are misaligned.
The researcher tested this by adding a variable named !temp to the session. The result was a broken session: values shifted into the wrong slots, keys were renamed to fragments of serialized data, and, with a crafted name, attacker-chosen serialized data, including a PHP object, can be placed where the parser expects a value. The string the parser rebuilds is then handed to PHP’s native unserialize(), and that is how a misread exclamation mark turns into remote code execution.
This trick isn’t caught by firewalls or logging tools. It doesn’t require deep technical knowledge or special tooling, just a crafted session and a valid login.
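To make the misalignment concrete, here is a small Python model of the name|value record format described above, written for this article. It is not Roundcube’s rcube_session code, not a port of it, and not the published exploit: the record layout follows the format the text describes, the !temp and crafted-name payloads, the placeholder Evil class and the safe_session_name() allow-list are constructed for the demonstration, and the real parser’s exact skipping rules are not reproduced.

```python
import re

# Added illustration for this article: a small model of the `name|value`
# session record format the text describes.  It is NOT Roundcube's
# rcube_session code, not a port of it, and not the published exploit.
# The record layout, the constructed payloads and the allow-list below
# are assumptions made for the demonstration.


def php_serialize(value):
    """Minimal PHP serialize() covering the scalar types used here."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)
    raise TypeError("unsupported type %r" % type(value))


def session_serialize(variables):
    """Write one `name|<php-serialized value>` record per session variable."""
    return "".join(name + "|" + php_serialize(val) for name, val in variables.items())


def _skip_value(data, q):
    """Return the offset just past the serialized value that starts at data[q]."""
    level = 0
    while q < len(data):
        tag = data[q].lower()
        if tag in "nbid":                    # null / bool / int / double end at ';'
            q = data.index(";", q) + 1
            if level == 0:
                return q
        elif tag == "s":                     # s:<len>:"<bytes>";
            colon = data.index(":", q + 2)
            q = colon + 2 + int(data[q + 2:colon]) + 2
            if level == 0:
                return q
        elif tag in "ao":                    # a:<n>:{ ... }  /  O:<len>:"Cls":<n>:{ ... }
            q = data.index("{", q) + 1
            level += 1
        elif tag == "}":
            q += 1
            level -= 1
            if level == 0:
                return q
        else:
            raise ValueError("unexpected byte %r at offset %d" % (data[q], q))
    raise ValueError("truncated value")


def session_unserialize(data):
    """Recover (name, raw_value) records the way a name|value scanner does."""
    records = []
    p = 0
    while p < len(data):
        q = data.find("|", p)
        if q < 0:
            break
        if data[p] == "!":                   # legacy PHP marker: registered, no value
            records.append((data[p + 1:q], "N;"))
            p = q + 1                        # nothing consumed as a value: the bug
            continue
        end = _skip_value(data, q + 1)
        records.append((data[p:q], data[q + 1:end]))
        p = end
    return records


def to_php_array_literal(records):
    """The string a scanner like this hands to PHP's native unserialize()."""
    body = "".join('s:%d:"%s";%s' % (len(k.encode()), k, v) for k, v in records)
    return "a:%d:{%s}" % (len(records), body)


# Constructed payload: a variable *name* that starts with '!' and smuggles a
# '|' plus a serialized object.  'Evil' is a placeholder class, not a real gadget.
CRAFTED_NAME = '!a|b|O:4:"Evil":1:{s:3:"cmd";s:2:"id";}'

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def safe_session_name(name):
    """Allow-list check: reject names that can confuse the record scanner."""
    return bool(SAFE_NAME.match(name))


if __name__ == "__main__":
    for variables in ({"user_id": 42, "username": "alice"},
                      {"!temp": "hello", "username": "alice"},
                      {CRAFTED_NAME: ""}):
        blob = session_serialize(variables)
        print(blob)
        for name, raw in session_unserialize(blob):
            print("   %-40r -> %s" % (name, raw))
```

Run it and compare the three cases: the clean session round-trips; the !temp session comes back with temp set to null and the leftover bytes s:5:"hello";username glued together as a new key; the crafted name yields a record whose value is the O:4:"Evil" object, which is exactly the position PHP’s unserialize() would instantiate. The safe_session_name() allow-list is the kind of input check that keeps such names out of the session in the first place; it is illustrative, not the project’s patch.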
What to Do Now
Patch immediately. If you’re on the 1.6 branch below 1.6.11, or on the 1.5 LTS branch below 1.5.10, update now. Anything older than 1.5 has no patched release on its own branch and needs to move to a supported one.
Audit your environments. Especially if you’re running shared hosting stacks or managing email infrastructure across education, government, or enterprise sectors.
Exploitation requires a valid user login, but webmail credentials are exactly what phishing, credential stuffing and earlier compromises hand attackers, so treat this as reachable by anyone who can log in, not as a low-severity authenticated bug.
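For the audit step, here is a small checker, added for this article, that reads the installed version from each Roundcube directory you point it at and maps it onto the affected ranges listed above (1.1.0 through 1.5.9 and 1.6.0 through 1.6.10; fixed in 1.5.10 and 1.6.11). It is not a tool from Roundcube or FearsOff. It assumes RCMAIL_VERSION is defined in program/include/iniset.php, as in a standard install, and the default search paths are guesses at common shared-hosting layouts; adjust both for your packaging.

```python
import re
import sys
from pathlib import Path

# Added for this article: maps installed Roundcube versions onto the
# affected ranges the advisory lists.  Not a Roundcube or FearsOff tool.
# Assumptions: RCMAIL_VERSION lives in program/include/iniset.php, and
# the candidate directories below are typical but not guaranteed locations.

FIRST_AFFECTED = (1, 1, 0)
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}   # branch -> first patched release
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'")


def parse_version(text):
    """'1.6.10' -> (1, 6, 10); a -beta/-rc suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if `version` falls inside the affected ranges listed in the article."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v < FIRST_AFFECTED or v >= (1, 7, 0):
        return False                 # outside the ranges the advisory names
    # 1.1 .. 1.4 have no fixed release of their own: everything there is exposed,
    # so compare them against the oldest patched release, 1.5.10.
    return v < FIXED.get(v[:2], (1, 5, 10))


def read_installed_version(install_dir):
    """Read RCMAIL_VERSION from program/include/iniset.php under install_dir."""
    text = Path(install_dir, "program", "include", "iniset.php").read_text(errors="replace")
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("RCMAIL_VERSION not found under %s" % install_dir)
    return m.group(1)


def audit(install_dirs):
    """Return {dir: (version, vulnerable)}; unreadable dirs map to (None, None)."""
    results = {}
    for d in install_dirs:
        try:
            ver = read_installed_version(d)
            results[d] = (ver, is_vulnerable(ver))
        except (OSError, ValueError):
            results[d] = (None, None)
    return results


if __name__ == "__main__":
    # Default candidates are assumptions about common hosting layouts;
    # pass your own paths as arguments to override them.
    candidates = sys.argv[1:] or [
        "/usr/local/cpanel/base/3rdparty/roundcube",
        "/usr/share/roundcube",
        "/var/www/roundcube",
    ]
    for d, (ver, vuln) in audit(candidates).items():
        state = "unknown" if ver is None else ("VULNERABLE" if vuln else "patched")
        print("%s: %s %s" % (d, ver or "-", state))
```

Point it at every directory your control panel or package manager drops Roundcube into; on shared-hosting stacks there is often more than one copy, and the one your users actually log into is not always the one the package manager reports.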
The Bigger Picture
This isn’t just about one bug in one piece of software. It’s a reminder of the quiet complexity that underpins even the most familiar systems. Of how a single character in a single function can become a vector for compromise. And of the need for transparency, even when it comes sooner than expected.
Defenders now have the information. What they do next will matter.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.