## https://sploitus.com/exploit?id=982E6FCE-A9FC-53A1-8CBB-E801B8221F1F
# CVE-2025-49113 PoC Repository

## Overview of CVE-2025-49113
CVE-2025-49113 is a critical vulnerability affecting Roundcube Webmail versions prior to 1.5.10 and 1.6.11. Discovered in 2025, this flaw allows remote code execution (RCE) through PHP object deserialization in the /settings/upload.php endpoint. The vulnerability arises from improper handling of the _from parameter, which an authenticated user can exploit to execute arbitrary code on the server. This issue poses a significant risk, as it could enable attackers to gain unauthorized access, steal data, or compromise the server entirely. The vulnerability was patched in Roundcube versions 1.5.10 (LTS) and 1.6.11, released as part of the security updates in June 2025.

## Exploit Description
This repository contains a Proof of Concept (PoC) exploit written in PHP to demonstrate the CVE-2025-49113 vulnerability. The script leverages PHP Object Deserialization to create a malicious payload that writes a file (test_poc.txt) on the target server. Here's how it works:

- Setup: The script sends a crafted request to the Roundcube /settings/upload.php endpoint with a serialized EvilObject class embedded in the _from parameter.
- Payload: The EvilObject class defines a filename (e.g., /home/public_html/test_poc.txt) and content with a timestamp; its __destruct method writes the file when the object is deserialized.
- Execution: Using cURL, the script authenticates with a valid roundcube_sessid cookie and delivers the payload. On a vulnerable server, this results in the creation of the specified file.
- Output: Success is confirmed by a "File written successfully" message, and the server response is saved to response.html for debugging.

**The PoC was tested successfully on June 05, 2025, creating the file in the public_html directory. Note that a valid session cookie is required, and the target path must be writable by the web server user.**

## Security Recommendations

To mitigate the risks associated with CVE-2025-49113, follow these steps:
- Update Roundcube: Immediately upgrade to version 1.5.10 (LTS) or 1.6.11, which include the patch for this vulnerability. Download the latest release from roundcube.net.
- Restrict Access: Limit access to the /settings/upload.php endpoint using a web application firewall (WAF) or .htaccess rules.
- Change Passwords: Update passwords for all Roundcube users to prevent unauthorized access.
- Monitor Logs: Regularly check server logs (e.g., /var/log/litespeed/error.log) for unexpected requests to the /settings/upload.php endpoint and other suspicious activity.
- Apply Least Privilege: Ensure the web server user (e.g., www-data or nobody) has minimal permissions, and avoid setting broad write access (e.g., 0777) on sensitive directories.
- Disable Unused Features: Disable the settings upload feature if it is not required.
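As an added defender-side example (this is not the repository's PoC and not Roundcube's own code), the following Python script implements two of the checks above: a version comparison against the fixed releases 1.5.10 and 1.6.11, and a scan of web server access-log lines for requests to the /settings/upload.php endpoint whose `_from` query value carries a PHP-serialized object. The combined log format, the constructed sample lines, the treatment of branches older than 1.5 as unpatched, and the assumption that `_from` arrives in the query string (body parameters are not visible in access logs) are all assumptions of this example.

```python
"""Added example (not the repository's PoC): defender-side triage for CVE-2025-49113.

Two checks based on the facts stated on this page:
  1. is_vulnerable_version(): is an installed Roundcube version older than the
     fixed releases 1.5.10 (LTS) / 1.6.11?
  2. scan_access_log(): which requests hit /settings/upload.php with a
     PHP-serialized object in the _from parameter?
Assumptions: access logs are in Apache/LiteSpeed "combined" format, and _from
is passed in the query string (body parameters are not visible in access logs).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Fixed releases named on the page.
FIXED_1_5 = (1, 5, 10)
FIXED_1_6 = (1, 6, 11)


def parse_version(version: str) -> tuple:
    """Turn '1.6.10' (or '1.6') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True if the version predates the fix on its branch.

    Assumption: anything older than the 1.5 LTS fix (including 1.4 and earlier,
    which the page does not list) is treated as unpatched.
    """
    ver = parse_version(version)
    if ver < FIXED_1_5:
        return True
    if (1, 6, 0) <= ver < FIXED_1_6:
        return True
    return False


# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# PHP serialization markers for an object (O:), array (a:) or custom class (C:).
# Legitimate _from values (e.g. "edit-identity") never look like this.
SERIALIZED_RE = re.compile(r'(?<![A-Za-z0-9])[OaC]:\d+:[{"]')

UPLOAD_ENDPOINT = "/settings/upload.php"


def scan_access_log(lines):
    """Return one dict per request whose _from query value looks serialized."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(UPLOAD_ENDPOINT):
            continue
        # parse_qs percent-decodes values, so %22 becomes " before matching.
        for value in parse_qs(parts.query, keep_blank_values=True).get("_from", []):
            if SERIALIZED_RE.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "method": m.group("method"),
                    "status": int(m.group("status")),
                    "from_value": value,
                })
    return hits


# Constructed sample log lines (not real traffic). Only the third one carries a
# serialized object in _from; the empty object O:10:"EvilObject":0:{} is a
# detection marker, not a working payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2025:10:12:01 +0000] "GET /roundcube/?_task=mail HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2025:10:12:09 +0000] "GET /roundcube/settings/upload.php?_from=edit-identity HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Jun/2025:10:13:44 +0000] "POST /roundcube/settings/upload.php?_from=O%3A10%3A%22EvilObject%22%3A0%3A%7B%7D HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for v in ("1.5.9", "1.5.10", "1.6.10", "1.6.11"):
        print(f"Roundcube {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"[{hit['timestamp']}] {hit['ip']} {hit['method']} -> _from={hit['from_value']!r}")
```

To run this against a real server, pass an open log file to `scan_access_log()` instead of `SAMPLE_LOG`; a hit from an IP that also holds a valid session is worth correlating with file creation times in the web root, since the PoC described above leaves a written file behind.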


**Warning: This PoC is for educational purposes only. Unauthorized exploitation of this vulnerability is illegal and may violate local laws.**

Rasool13x :)