Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube Webmail software that went unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code.
The vulnerability, tracked as CVE-2025-4913, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via PHP object deserialization.
"Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization," reads the description of the flaw in NIST's National Vulnerability Database (NVD).
The flaw, which affects all versions of the software up to and including 1.6.10, has been addressed in versions 1.6.11 and 1.5.10 LTS. Kirill Firsov, founder and CEO of FearsOff, has been credited with discovering and reporting the flaw.
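As an added example (not from the article or the Roundcube project), a small Python triage helper that maps a reported Roundcube version onto the affected and patched ranges stated above, so an administrator can quickly tell whether an installation needs the 1.6.11 or 1.5.10 LTS update; the version-string parsing and the handling of branches older than 1.5 are assumptions for illustration.

```python
import re
from typing import Optional, Tuple

# Patched releases named in the article; every earlier release in the same
# branch is affected. Branches older than 1.5 are assumed to have no fix of
# their own and are pointed at the 1.5.10 LTS release (assumption).
PATCHED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}
NEWEST_COVERED = (1, 6)  # the advisory says nothing about later branches

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' from a version string such as '1.6.10'.

    Anything after the numeric part (e.g. a '-rc1' suffix) is ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(text: str) -> Tuple[Optional[bool], str]:
    """Return (affected, advice).

    affected is True/False for versions the advisory covers, and None for
    branches newer than 1.6, which the advisory does not describe.
    """
    ver = parse_version(text)
    branch = ver[:2]
    if branch > NEWEST_COVERED:
        return None, "newer than the releases covered by this advisory"
    fixed = PATCHED.get(branch)
    if fixed is None:
        return True, "no fix in this branch; upgrade to 1.5.10 LTS"
    fixed_str = ".".join(map(str, fixed))
    if ver >= fixed:
        return False, f"already at or above patched release {fixed_str}"
    return True, f"upgrade to {fixed_str}"


if __name__ == "__main__":
    # Constructed sample versions, one per case the advisory distinguishes.
    for sample in ("1.4.15", "1.5.9", "1.5.10", "1.6.10", "1.6.11", "1.7.0"):
        print(sample, assess(sample))
```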
The Dubai-based cybersecurity company noted in a brief advisory that it intends to make public additional technical details and a proof-of-concept (PoC) "soon," to give users enough time to apply the necessary patches.
Previously disclosed security vulnerabilities in Roundcube have been a lucrative target for nation-state threat actors such as APT28 and Winter Vivern. Last year, Positive Technologies revealed that unspecified hackers attempted to exploit a Roundcube flaw (CVE-2014-37383) as part of a phishing attack designed to steal users' credentials.
Then, a couple of weeks ago, ESET revealed that APT28 has been exploiting cross-site scripting (XSS) vulnerabilities in various webmail servers such as Roundcube, Horde, MDaemon and Zimbra to harvest confidential data from specific email accounts and defense companies in Eastern Europe.