Critical Roundcube Webmail Exploit Sold on Dark Web, Security Experts Warn

Hackers are exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application, according to cybersecurity experts. The flaw allows remote code execution (RCE), and a working exploit has been circulating since a patch was released on June 1st. The issue affects Roundcube versions 1.1.0 through 1.6.10 and could have far-reaching implications given the application's popularity among web hosting providers such as GoDaddy, Hostinger, and Dreamhost.

The vulnerability was assigned a critical severity score of 9.9 out of 10 and has been described as "email armageddon." Kirill Firsov, CEO of the cybersecurity firm FearsOff, who initially reported the issue, published technical details before the responsible-disclosure period had ended because an exploit surfaced so quickly on underground forums. Firsov emphasized the importance of making this information available to help defenders and security professionals mitigate potential attacks.

At the core of CVE-2025-49113 is a lack of sanitization of a request parameter, which enables PHP object injection. Attackers reverse engineered the patch within days of its release and produced an exploit that was subsequently advertised on a hacker forum. Even the exploit's requirement for valid login credentials does not appear to deter attackers, who claim they can obtain such credentials through various hacking methods.

The widespread use of Roundcube makes it a particularly appealing target for hackers. According to Firsov, up to 1.2 million Roundcube instances are currently accessible on the internet. As the application is commonly integrated into web hosting control panels used by government and academic entities, the potential for large-scale exploitation is significant. Vulnerability brokers reportedly pay as much as $50,000 for a working RCE exploit for this software.
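For defenders doing inventory triage, the following added Python helper (not code from the article, from FearsOff, or from the Roundcube project) flags hosts whose reported Roundcube version falls inside the range the article lists as affected, 1.1.0 through 1.6.10; the inventory entries and hostnames are constructed sample data.

```python
# Added triage helper (not from the article or the Roundcube project):
# flags inventory entries whose Roundcube version falls inside the range the
# article reports as affected by CVE-2025-49113 (1.1.0 through 1.6.10).
from typing import Optional, Tuple

AFFECTED_MIN = (1, 1, 0)    # lowest affected version reported
AFFECTED_MAX = (1, 6, 10)   # highest affected version reported


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '1.6.10' or '1.6.10-git' into (1, 6, 10); None if unparseable."""
    core = text.strip().split("-")[0].split("+")[0]   # drop suffixes
    try:
        nums = tuple(int(p) for p in core.split("."))
    except ValueError:
        return None
    # pad short versions so '1.6' compares like (1, 6, 0); ignore extra parts
    padded = nums + (0,) * (3 - len(nums))
    return padded[:3]


def is_affected(version: str) -> Optional[bool]:
    """True if inside the affected range, False if outside, None if unknown."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(inventory: dict) -> Tuple[list, list]:
    """Split {host: version} into (affected hosts, hosts needing manual check)."""
    affected, unknown = [], []
    for host, ver in inventory.items():
        status = is_affected(ver)
        if status is None:
            unknown.append(host)
        elif status:
            affected.append(host)
    return affected, unknown


# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = {
    "mail-a.example": "1.6.10",
    "mail-b.example": "1.6.11",
    "mail-c.example": "1.5.9-git",
    "mail-d.example": "1.0.5",
    "mail-e.example": "unknown",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

A version string outside the range only says the host is not in the reported affected set; it says nothing about whether the host was already compromised while it was vulnerable, so hosts that ran an affected version should still be reviewed.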