Skip to main content
Room Banner
Back to all walkthroughs
Room Icon

Roundcube: CVE-2025-49113

Max room.

Exploit CVE-2025-49113 in a lab environment.

easy

25 min

9,016

User profile photo.
User profile photo.

To access material, start machines and answer questions login.

Roundcube (opens in new tab) is a free and open-source webmail project. It is very feature-rich and available in over eighty languages. Although its built-in features are rich, they can be further expanded through the support of third-party plug-ins.

It mainly requires a web server with support and an server to run. , Nginx, and Lighttpd, among others, can easily satisfy the web server requirements; MySQL, MariaDB, PostgreSQL, SQLite, and many others can satisfy the database requirements. This versatility makes Roundcube a very popular choice for webmail, especially among hosting providers.

Recently, a vulnerability was discovered in Roundcube Webmail; it affects all versions 1.5.x and 1.6.x before 1.5.10 and 1.6.11. This vulnerability allows remote code execution () by authenticated users; in other words, valid credentials for the webmail are enough for the attacker to execute commands on the host system. This vulnerability has a 3.x severity score of 9.9, i.e., critical. Roundcube has already released versions 1.5.10 and 1.6.11 and strongly recommends updating (opens in new tab).

This room will cover what makes this vulnerability possible and demonstrate exploitation in a lab environment.

Roundcube logo showing a white 3D sphere emerging from a hexagonal base split into dark gray and bright blue sections.

Answer the questions below

Let’s dive in!