Yesterday, 01:13 AM
There has recently been news of an exploit (CVE-2025-49113) for sale that allows an attacker to exploit mail applications running RoundCube. The exploit has existed for over a decade and impacts RoundCube webmail versions 1.1.0 through 1.6.10.
Well-known hosting providers such as GoDaddy, Hostinger, Dreamhost, OVH and Bluehost provide the RoundCube webmail application, often bundled with cPanel and Plesk control panels.
Positive Technologies, in a post published on X, said it was able to reproduce CVE-2025-49113, urging users to update to the latest version of Roundcube as soon as possible.
"This vulnerability allows authenticated users to execute arbitrary commands via PHP object deserialization," the Russian cybersecurity company
To protect yourself, they urge users to update to the latest version of RoundCube.