Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization
CVE-2025-49113
Kirill Firsov (CEO of FearsOff) made a massive finding that will soon make headlines globally as one of the most significant CVEs in recent history: a post-authentication RCE in Roundcube Webmail (from v1.1.0 through the current 1.6.10) that has gone unnoticed for 10 years and affects over 53 million hosts (including deployments bundled with tools like cPanel, Plesk, ISPConfig, DirectAdmin, etc.).
Details and PoC will be published soon. We're giving time to all affected parties to make the necessary patches/updates. Safe versions are 1.6.11 and 1.5.10 LTS.
Help us spread the word and stay tuned for more details.
Follow Kirill on X: https://x.com/k_firsov