Carder.life

Hacker selling critical Roundcube webmail exploit as tech info disclosed (http://txgate.io:443/showthread.php?t=51301046)

Artifact 06-07-2025 09:19 AM

<div id="post_message_795962">

Hackers are likely starting to exploit CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote code execution.<br/>
<br/>
The security issue has been present in Roundcube for over a decade and impacts Roundcube webmail versions 1.1.0 through 1.6.10. It was patched on June 1st, in the 1.6.11 and 1.5.10 releases.<br/>
<br/>
It took attackers just a couple of days to reverse engineer the fix, weaponize the vulnerability, and start selling a working exploit on at least one hacker forum.<br/>
<br/>
Roundcube is one of the most popular webmail solutions, as the product is included in offers from well-known hosting providers such as GoDaddy, Hostinger, Dreamhost, and OVH.<br/>
<br/>
<b><font size="4"><font color="White">"Email armageddon"</font></font></b><br/>
<br/>
CVE-2025-49113 is a post-authentication remote code execution (RCE) vulnerability that received a critical CVSS score of 9.9 out of 10 and has been described as “email armageddon.”<br/>
<br/>
It was discovered and reported by Kirill Firsov, the CEO of the cybersecurity company <a href="https://fearsoff.org/" target="_blank">FearsOff</a>, who decided to publish the technical details before the end of the responsible disclosure period because an exploit had become available.<br/>
<br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">
<font size="3">“Given the active exploitation and evidence of the exploit being sold in underground forums, I believe it is in the best interest of defenders, blue teams, and the broader security community to publish a full technical breakdown but without complete PoC for now” - <a href="https://fearsoff.org/research/roundcube" target="_blank">Kirill Firsov</a></font>
</td>
</tr>
</table>
</div>At the root of the problem is missing validation of the $_GET['_from'] parameter, which ends up as part of a session variable name and lets attacker-controlled data reach PHP's unserialize(), i.e. PHP object deserialization.<br/>
<br/>
In the technical report, Firsov explains that when a session variable name begins with an exclamation mark (which Roundcube's session serializer treats as marking an unset variable), the stored session data is parsed out of alignment: the session becomes corrupted and object injection becomes possible.<br/>
<br/>
After Roundcube received a patch, attackers analyzed the modifications it introduced, developed an exploit, and advertised it on a hacker forum, noting that a working login is required.<br/>
<br/>
However, the need for login credentials does not seem like a deterrent, since the threat actor offering the exploit says that they can extract it from the logs, or it can be brute forced.<br/>
<br/>
Firsov says that the credential combination could also be obtained through cross-site request forgery (CSRF).<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1100723/XSS_Roundcube%20exploit.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Roundcube exploit for CVE-2025-49113 available on hacker forum. Source: <a href="https://x.com/k_firsov" target="_blank">Kirill Firsov</a>
</td>
</tr>
</table>
</div>According to Firsov, at least one vulnerability broker <a href="https://www.crowdfense.com/exploit-acquisition-program/" target="_blank">pays up to $50,000</a> for an RCE exploit in Roundcube.<br/>
<br/>
The researcher published a video to demonstrate how the vulnerability can be exploited. It should be noted that the researcher uses the vulnerability identifier CVE-2025-48745 in the demonstration, which is currently rejected as a <a href="https://nvd.nist.gov/vuln/detail/cve-2025-48745" target="_blank">duplicate candidate</a> for CVE-2025-49113.<br/>
<br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">
<font size="3">https://youtu.be/TBkTbMJWHJY</font>
</td>
</tr>
</table>
</div>Although consumers rarely know it by name, Roundcube is very popular, mostly because it is freely available and highly customizable, with more than 200 configuration options.<br/>
<br/>
Apart from being offered by hosting providers and bundled in web hosting control panels (cPanel, Plesk), numerous organizations in the government, academic, and tech sectors use Roundcube.<br/>
<br/>
Firsov also says that this webmail app has such a wide presence that a pentester is more likely to find a Roundcube instance than an SSL misconfiguration.<br/>
<br/>
Considering the ubiquity of the application, the researcher says that “the attack surface isn’t big - it’s industrial.”<br/>
<br/>
Indeed, a quick query of the search engines that index internet-exposed devices and services shows at least 1.2 million Roundcube hosts.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/hacker-selling-critical-roundcube-webmail-exploit-as-tech-info-disclosed/" target="_blank">@ BleepingComputer</a>
</div>
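A toy model of the bug class the article describes, added here as an example; it is not Roundcube's code and does not reproduce its session class, the real upload handler, or any gadget chain. It assumes a session store that writes one `name|<PHP-serialized value>` record per variable and, on read, rebuilds a single PHP-serialized array string for `unserialize()`, treating a leading `!` on a name as "variable declared but unset, no value follows" (the convention of PHP's legacy session serializer). The allow-list regex, the `Evil` class name, the `edit-identity` value and ASCII-only strings are illustrative assumptions, not Roundcube's actual patch.

```python
import re

# Assumed allow-list for names that may become session keys (illustrative,
# not the regex used in Roundcube's fix).
NAME_RE = re.compile(r'^[A-Za-z0-9_.-]+$')


def php_str(s: str) -> str:
    """PHP serialize() of an ASCII string: s:<len>:"<bytes>";  (ASCII assumed)."""
    return 's:%d:"%s";' % (len(s), s)


def encode(variables: dict) -> str:
    """Writer side of the toy store: name|value per variable, name trusted as-is."""
    return ''.join(name + '|' + php_str(value) for name, value in variables.items())


def _consume_value(blob: str, q: int) -> int:
    """Return the offset just past the one PHP-serialized value starting at blob[q]."""
    if q >= len(blob):
        raise ValueError('truncated value at offset %d' % q)
    t = blob[q].lower()
    if t in 'nbid':                       # N;  b:1;  i:5;  d:1.5;
        return blob.index(';', q) + 1
    if t == 's':                          # s:<len>:"<bytes>";
        colon = blob.index(':', q + 2)
        return colon + 2 + int(blob[q + 2:colon]) + 2
    if t in 'ao':                         # a:<n>:{k;v;...}  /  O:<len>:"Class":<n>:{k;v;...}
        q = blob.index('{', q) + 1
        while blob[q] != '}':
            q = _consume_value(blob, q)   # array key or property name
            q = _consume_value(blob, q)   # its value
        return q + 1
    raise ValueError('unknown token %r at offset %d' % (blob[q], q))


def decode(blob: str) -> str:
    """Reader side: rebuild the array string that would be passed to unserialize().

    A name starting with '!' is taken as an unset variable, so the reader emits
    N; for it and keeps parsing right after the '|': whatever the writer stored
    as that variable's value is now read as the *next* name|value record.
    """
    out, items, p = '', 0, 0
    while p < len(blob):
        bar = blob.find('|', p)
        if bar < 0:
            break                          # trailing bytes with no separator
        name, q = blob[p:bar], bar + 1
        if name.startswith('!'):
            out += php_str(name[1:]) + 'N;'
        else:
            end = _consume_value(blob, q)
            out += php_str(name) + blob[q:end]
            q = end
        items += 1
        p = q
    return 'a:%d:{%s}' % (items, out)


def top_level(rebuilt: str) -> list:
    """(name, PHP type letter) for each entry of the rebuilt top-level array."""
    q, entries = rebuilt.index('{') + 1, []
    while rebuilt[q] != '}':
        kend = _consume_value(rebuilt, q)
        key = rebuilt[q + rebuilt[q:kend].index('"') + 1:kend - 2]
        entries.append((key, rebuilt[kend].upper()))
        q = _consume_value(rebuilt, kend)
    return entries


def session_for_upload(from_param: str, filename: str, validate: bool) -> str:
    """Models a handler that keys a stored upload by a request parameter.

    validate=False is the vulnerable shape (tainted name used verbatim);
    validate=True is the hardened shape (name checked before it becomes a key).
    """
    if validate and not NAME_RE.match(from_param):
        raise ValueError('rejected session name %r' % from_param)
    return decode(encode({from_param + '.files': filename}))


if __name__ == '__main__':
    # Constructed inputs: a benign value and a name that starts with '!'
    # and smuggles an O: record behind a second separator.
    print(session_for_upload('edit-identity', 'a.png', validate=False))
    tainted = '!a|b|O:4:"Evil":0:{}'
    print(session_for_upload(tainted, 'a.png', validate=False))
    print(top_level(session_for_upload(tainted, 'a.png', validate=False)))
```

For the benign name the rebuilt array has one string value. For the `!`-prefixed name the reader emits `N;`, then re-frames from the next byte, and the attacker's `O:4:"Evil":0:{}` lands in a value position of the array handed to `unserialize()`, which is exactly the point at which a class with a `__wakeup` or `__destruct` method would be instantiated. The hardened variant never lets such a name reach the store, which is the class of fix the patch applies.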

