More than 85,000 Roundcube webmail installations have been found vulnerable to high-severity remote code execution flaw, which has been reportedly exploited in the wild.
The flaw, tracked as CVE-2025-49113, affects Roundcube versions 1.1.0 through 1.6.10. It has existed for over a decade and was patched on June 1st. Researchers report that an exploit for the vulnerability is already being sold on underground forums, and there is evidence of active exploitation attempts.
According to the data from threat monitoring platform, 85,534 Roundcube instances are vulnerable to CVE-2025-49113 as of June 10, 2025.
Most of these instances are in the United States, India, Germany, France, Canada, and the United Kingdom (2,400).
System administrators are recommended to update to version 1.6.11 and 1.5.10, which address CVE-2025-49113, as soon as possible.
Last week, CERT Poland warned that threat actors are exploiting another Roundcube XSS vulnerability (CVE-2024-42009) in a spear-phishing campaign aimed at credential theft. CERT Poland linked the activity to the Belarusian hacking group UNC1151. As for CVE-2025-49113, the agency said that “while we haven't observed any signs of this vulnerability being exploited, it could be combined with an account compromise vulnerability to form a highly effective attack chain.”
