Roundcube Webmail PHP Object Deserialization Vulnerability

Vulnerability Information

Vulnerability name: Roundcube Webmail PHP Object Deserialization Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-49113

Vulnerability type: Deserialization

Severity: Critical

Vulnerability description: Roundcube Webmail is a widely used open-source webmail client. It provides a user interface similar to a desktop mail client, supports the IMAP and SMTP protocols, and is commonly deployed in enterprise mail systems. Owing to its ease of use and rich feature set, Roundcube is deployed and used widely around the world. The vulnerability CVE-2025-49113 concerns a PHP object deserialization issue in Roundcube Webmail: an attacker can craft a malicious serialized object and use the file-upload functionality to trigger the flaw, leading to remote code execution. The technical root cause is that Roundcube fails to properly validate and filter user input when handling file uploads, so an attacker can upload a file containing malicious serialized data; when that data is deserialized, the commands the attacker staged in it are executed. Exploitation requires no user interaction: the attacker only needs a valid username and password to authenticate, then uploads the malicious file to trigger the vulnerability. Because the flaw allows remote code execution, an attacker can take full control of the affected system and carry out data theft, service disruption or other malicious activity. Given the severity and ease of exploitation, all users running affected versions of Roundcube Webmail should take protective measures promptly, including updating to the latest version or applying the official patch.

Vendor: Roundcube

Product: Roundcube Webmail

Source: https://github.com/Joelp03/CVE-2025-49113

Type: CVE-2025: GitHub search

Repository files

  • README.md
  • exploit.py

Source overview

CVE-2025-49113 Roundcube Exploit

A Python exploit for CVE-2025-49113, targeting a vulnerability in Roundcube webmail that allows remote code execution through PHP object deserialization.

Overview

This exploit leverages a deserialization vulnerability in Roundcube’s file upload functionality. It uses a crafted GPG configuration payload to achieve remote code execution on the target server.

Features

  • Automatic authentication with Roundcube
  • CSRF token extraction and handling
  • Session management
  • PHP object deserialization payload generation
  • Remote command execution via GPG configuration injection

Usage

  python exploit.py -t <target_url> -u <username> -p <password> -c <command>

Parameters

  • -t, --target: Target Roundcube base URL (e.g., http://example.com/roundcube)
  • -u, --user: Valid username for authentication
  • -p, --password: Password for the specified user
  • -c, --command: Shell command to execute on the target server

Example

  python exploit.py -t http://target.com/roundcube -u [email] -p [password] -c "whoami"

How It Works

  1. Authentication: Logs into Roundcube using provided credentials
  2. Session Management: Extracts and manages session cookies
  3. Payload Generation: Creates a serialized PHP object containing the malicious GPG configuration
  4. File Upload: Uploads a crafted image file with the payload as the filename
  5. Code Execution: The deserialization triggers command execution through GPG configuration

Technical Details

The exploit targets the Crypt_GPG_Engine class deserialization vulnerability by:

  • Crafting a base64-encoded shell command
  • Embedding it in a serialized PHP object
  • Using the object as a filename during file upload
  • Triggering deserialization during file processing
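As an added defensive example (not code from the exploit repository or from Roundcube itself), the following Python scans upload-request log lines for filenames that embed a PHP serialized object, the indicator the write-up above describes, and ranks a hit on Crypt_GPG_Engine (the class the page names) as high severity. The log format, the upload path and the sample lines are constructed assumptions; the check also unwraps repeated percent-encoding so an encoded filename is not missed.

```python
"""Added defensive example (not from the exploit repository or Roundcube):
flag upload requests whose filename carries a PHP-serialized object."""
import re
from urllib.parse import unquote

# A PHP serialized object starts with O:<len>:"<ClassName>":<count>:{
# Class names may be namespaced, so backslashes are allowed.
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# Class the advisory names as the deserialization sink: rank it higher.
HIGH_RISK_CLASSES = {"Crypt_GPG_Engine"}
# Constructed log format (assumption): '<ip> <method> <path> filename="<name>"'
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) filename="(.*)"$')

def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Strip repeated percent-encoding so encoded payloads are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def php_object_classes(filename: str) -> list[str]:
    """Return class names of serialized PHP objects embedded in a filename."""
    return PHP_OBJECT_RE.findall(fully_unquote(filename))

def scan_upload_log(lines: list[str]) -> list[dict]:
    """Return one finding per upload request whose filename embeds an object."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) != "POST":
            continue  # only multipart uploads (POST) carry a filename
        ip, _, path, name = m.groups()
        classes = php_object_classes(name)
        if not classes:
            continue
        severity = "high" if HIGH_RISK_CLASSES & set(classes) else "medium"
        findings.append({"ip": ip, "path": path, "classes": classes, "severity": severity})
    return findings

# Constructed sample lines; the second is percent-encoded as a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 POST /roundcube/upload filename="holiday.png"',
    '10.0.0.7 POST /roundcube/upload filename="a%3BO%3A16%3A%22Crypt_GPG_Engine%22%3A1%3A%7B%7D.png"',
    '10.0.0.9 POST /roundcube/upload filename="O:3:"Foo":0:{}.jpg"',
    '10.0.0.9 GET /roundcube/upload filename="O:3:"Foo":0:{}.jpg"',
]
```

Running `scan_upload_log(SAMPLE_LOG)` yields two findings: the Crypt_GPG_Engine hit as high and the Foo object as medium, while the GET line is ignored.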

Disclaimer

This tool is for educational and authorized security testing purposes only. Only use this exploit on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

CVE Information

  • CVE ID: CVE-2025-49113
  • Affected Software: Roundcube Webmail
  • Vulnerability Type: PHP Object Deserialization leading to RCE
  • Severity: Critical

License

This code is provided for educational purposes. Use responsibly and in accordance with applicable laws and regulations.


http://example.com/2025/07/18/github_2667933795/
Author: lianccc
Published: July 18, 2025