## https://sploitus.com/exploit?id=5688CB2C-6414-5C65-A89F-34E6E5BE4F84
<img src="https://raw.githubusercontent.com/issamjr/CVE-2025-49113-Scanner/refs/heads/main/img.jpg" />


# CVE-2025-49113 Scanner

## ๐Ÿ” Description

A powerful, multi-method Python scanner for detecting **CVE-2025-49113**, a critical remote code execution vulnerability in Roundcube Webmail.

- **CVE**: 2025-49113  
- **Type**: Authenticated Remote Code Execution via unsafe PHP object deserialization  
- **Affected Versions**: Roundcube < 1.5.10 and < 1.6.11  
- **Author**: Issam Junior ([@issamiso](https://t.me/issamiso))  

---

## 💥 Vulnerability Summary

`upload.php` in Roundcube Webmail does not validate the `_from` parameter, allowing injection of malicious serialized PHP objects. This enables a remote attacker with a valid session to achieve **full remote code execution** (RCE) on the mail server.

---

## 🧪 Detection Methods

This scanner uses **three different techniques** to detect the vulnerability:
1. **Error-Based Analysis** – Detects typical PHP fatal errors in the response.
2. **Serialization Leakage** – Identifies object serialization responses.
3. **Header Anomaly Checks** – Detects headers suggesting exploitable configurations (like an exposed `X-Powered-By: PHP`).

The script also **automatically detects Roundcube** installations before testing.

---

## ✅ Protection & Mitigation

- Upgrade to **Roundcube 1.5.10** or **1.6.11**
- Filter and sanitize user input
- Disable unserialize usage or apply secure serialization handlers
- Enforce secure cookie attributes (`HttpOnly`, `SameSite`, etc.)
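The version triage implied by the affected-version list above, together with the header anomaly check from the detection methods section, as an added example (not code from the scanner itself). It assumes a simple `host version` inventory listing, a constructed sample, and that only `X-Powered-By` is inspected for the header check.

```python
"""Offline triage helpers for CVE-2025-49113 (added example, not the scanner's code)."""
import re

# Fixed releases named in the README: 1.5.10 for the 1.5 branch, 1.6.11 for 1.6.
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}

# Constructed sample inventory: one "host version" pair per line.
SAMPLE_INVENTORY = """# constructed sample data
mail1.example.com 1.6.9
webmail.anotherdomain.org 1.5.10
legacy.example.net 1.4.13
"""


def parse_version(text):
    """Extract a dotted version such as 1.6.9 as a tuple; None if absent."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version):
    """True when `version` is below the fixed release for its branch.
    Branches older than 1.5 have no fixed release listed, so they count as
    affected; branches newer than 1.6 count as fixed."""
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return branch < (1, 5)


def header_anomalies(headers):
    """Return header names that expose a PHP stack (X-Powered-By only here)."""
    return [name for name, value in headers.items()
            if name.lower() == "x-powered-by" and "php" in value.lower()]


def triage(inventory):
    """Map each host in a 'host version' listing to upgrade / fixed / unknown."""
    verdicts = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, rest = line.partition(" ")
        version = parse_version(rest)
        if version is None:
            verdicts[host] = "unknown"
        else:
            verdicts[host] = "upgrade" if is_vulnerable_version(version) else "fixed"
    return verdicts
```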

---

## โš™๏ธ Usage

### Clone and install requirements:
```bash
git clone https://github.com/issamjr/CVE-2025-49113-Scanner.git
cd CVE-2025-49113-Scanner
pip install -r requirements.txt
```

### Scan a single target:
```bash
python3 scanner.py --url https://target-roundcube.com/
```

### Scan a list of targets:
```bash
python3 scanner.py --list targets.txt
```

> Targets must be authenticated, or a session must be simulated using cookies (by default the scanner sends `roundcube_sessid=fake-session`).

---

## ๐Ÿ“ Example File (`targets.txt`)
```
https://mail1.example.com
https://webmail.anotherdomain.org
```

---

## ๐Ÿ” Disclaimer

This tool is intended **only for authorized security auditing and educational purposes**.  
The author is not responsible for any damage caused by misuse.

---

## ๐Ÿ› ๏ธ Contact

Developer: **Issam Junior**  
Telegram: [@issamiso](https://t.me/issamiso)  
GitHub: [github.com/issamjr](https://github.com/issamjr)