Mallory
Severity: High · CISA KEV · Exploited in the wild · Public exploit

Roundcube Webmail Post-Auth RCE via PHP Object Deserialization

Identifiers: CVE-2025-49113 · CWE-502 · Deserialization of Untrusted Data

CVE-2025-49113 is a deserialization of untrusted data vulnerability in Roundcube Webmail. In affected versions, the _from URL parameter is not properly validated in program/actions/settings/upload.php. This allows an authenticated attacker to supply crafted serialized data that the application later unserializes into PHP objects, resulting in PHP object deserialization. The issue is described as a post-authentication remote code execution flaw and affects Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11; multiple sources also state impact across versions 1.1.0 through 1.6.10.


Analyst brief: impact, mitigation & remediation

What it means and what to do now: patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to remote execution of arbitrary code in the context of the Roundcube application on the server. Depending on deployment, privileges, and surrounding environment, this can enable full compromise of the webmail application, access to sensitive mail data, manipulation of application logic, persistence, and potential pivoting to the underlying host or adjacent systems. The vulnerability has been reported as actively exploited in the wild and was added to CISA's Known Exploited Vulnerabilities catalog.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by tightly restricting authenticated access to Roundcube, preferably to trusted networks or VPN-only access; enforce strong authentication and MFA where available; monitor for suspicious requests involving program/actions/settings/upload.php and for anomalous settings-upload activity; and monitor for brute-force attempts, applying rate limiting where possible. These are interim measures only; applying the vendor update is the definitive protection.

Remediation

Patch, then assume compromise.

Upgrade Roundcube Webmail to a fixed version. The vendor fixes are Roundcube 1.6.11 and 1.5.10 LTS. Organizations should apply the vendor security updates without delay, including in bundled deployments such as hosting control panel environments where Roundcube may be included indirectly.
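The mitigation and remediation guidance above asks two concrete questions of a defender: is my deployed version in the affected range, and are there requests to the settings upload action that look like the exploitation pattern the page describes (a `_from` parameter carrying `!` or pipe characters, and a filename that is a serialized PHP object)? The following Python is an added example, not code from the Mallory page or from the Roundcube project. It assumes Apache/nginx combined-format access logs, that a legitimate `_from` value consists only of letters, digits, `_` and `-`, and that the uploaded filename is available from a WAF or application log (access logs do not record multipart filenames). All log lines and filenames in it are constructed.

```python
"""Defender-side checks for CVE-2025-49113 (Roundcube settings-upload deserialization).

Added example; not code from the advisory page or the Roundcube project.
  * is_affected_version(): compares a deployed version string against the fixed
    releases the advisory names (1.5.10 and 1.6.11).
  * flag_suspicious_upload_requests(): scans access-log lines for requests to the
    settings upload action whose `_from` query parameter contains characters a plain
    identifier never has (the page describes exploits sending `_from=edit-!<random>`
    and using pipe separators). The "plain identifier" shape is an ASSUMPTION.
  * looks_like_serialized_php_object(): flags a filename shaped like a PHP serialized
    object header, which is what the page says exploits place in the upload filename.
    Needs a log source that records filenames (WAF/ModSecurity/app log), not access logs.
All sample data below is constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_1_5 = (1, 5, 10)   # fixed release on the 1.5 LTS branch (from the advisory)
FIXED_1_6 = (1, 6, 11)   # fixed release on the 1.6 branch (from the advisory)

# Apache/nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")          # ASSUMED legitimate shape of _from
SERIALIZED_OBJ = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')  # PHP object header O:<len>:"Class":<n>:{


def parse_version(version: str) -> tuple:
    """'1.6.10' -> (1, 6, 10); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the version is in a range the advisory gives: before 1.5.10,
    or 1.6.x before 1.6.11. 'Before 1.5.10' is taken literally, so older branches
    count as affected (some sources on the page bound the range at 1.1.0)."""
    v = parse_version(version)
    if v[:2] == (1, 6):
        return v < FIXED_1_6
    return v < FIXED_1_5


def flag_suspicious_upload_requests(lines):
    """Return (ip, time, _from value, reason) for each request to
    _task=settings&_action=upload whose _from is not a plain identifier."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query)
        if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
            continue
        for value in qs.get("_from", []):
            if not SAFE_FROM.match(value):
                findings.append((m["ip"], m["time"], value, "non-identifier characters in _from"))
    return findings


def looks_like_serialized_php_object(filename: str) -> bool:
    """True if an uploaded filename starts like a serialized PHP object."""
    return bool(SERIALIZED_OBJ.search(filename))


# Constructed sample: one benign upload, one with the exploit-shaped _from, one logout.
SAMPLE_LOG = [
    '198.51.100.10 - - [05/Jun/2025:09:14:02 +0000] "POST /?_task=settings&_action=upload'
    '&_from=edit-identity&_id=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2025:09:15:40 +0000] "POST /?_task=settings&_action=upload'
    '&_remote=1&_from=edit-!q8x1&_id=4471&_uploadid=upload1749114940 HTTP/1.1" 200 512 "-" "python-requests/2.32.0"',
    '203.0.113.7 - - [05/Jun/2025:09:15:41 +0000] "GET /?_task=logout HTTP/1.1" 302 0 "-" "python-requests/2.32.0"',
]

if __name__ == "__main__":
    for ver in ("1.6.10", "1.6.11", "1.5.9", "1.5.10"):
        print(ver, "affected" if is_affected_version(ver) else "fixed")
    for finding in flag_suspicious_upload_requests(SAMPLE_LOG):
        print("ALERT", finding)
    print(looks_like_serialized_php_object('O:16:"Crypt_GPG_Engine":0:{}'))  # constructed filename
```

The access-log check only catches exploits that pass `_from` in the query string, which is how the page describes them; the serialized filename itself travels in the multipart body, so pair the log check with a WAF or application log that records upload filenames, and treat any hit on either check as a reason to run the assume-compromise steps rather than as proof on its own.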
Public exploits

17 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (9 hidden). Valid: 17 / 26 total.
CVE-2025-49113-Roundcube-RCE · Maturity: PoC · Verified exploit

This repository is a small standalone exploit PoC for CVE-2025-49113 against Roundcube Webmail. It contains two files: a README describing the vulnerability, exploitation flow, and usage, and a single Python script implementing the exploit. The script is not part of a larger exploitation framework. The exploit performs a full post-authentication attack chain: it parses the supplied target URL, fetches the Roundcube login page, extracts the CSRF token from an HTML input named _token, stores session cookies from Set-Cookie headers, submits valid credentials to the login endpoint, then sends a crafted multipart/form-data POST to the Roundcube upload handler. The malicious element is the uploaded filename, which contains a serialized PHP object for Crypt_GPG_Engine. The attacker command is Base32-encoded and wrapped as `echo "<B32>" | base32 -d | sh &#`, then inserted into the _gpgconf property of the serialized object. According to the repository, Roundcube deserializes this filename during upload processing, leading to arbitrary command execution. Main exploit capabilities: authenticated remote code execution on vulnerable Roundcube instances; arbitrary shell command execution supplied via the -x/--command argument; support for both HTTP and HTTPS targets; automatic cookie and CSRF handling; multipart upload generation with randomized boundary and request parameters to mimic normal upload behavior. The script uses a tiny embedded PNG as upload content and relies only on Python standard library modules. Notable implementation details: the exploit uses GET /?_task=login to retrieve the CSRF token, POST /?_task=login to authenticate, and a POST request to the settings upload workflow with parameters including `_task=settings`, `_action=upload`, `_remote=1`, `_from=edit-!<random>`, `_id=<random>`, and `_uploadid=upload<timestamp>`. The script expects a 302 response for successful login and a 200 response for the upload request. 
One minor code issue exists: `time` is imported only inside the `__main__` block, but because execute_exploit is called only through main(), it still works in normal execution. Overall, this is a functional operational PoC rather than a detection script. It requires valid Roundcube credentials and a vulnerable server-side gadget chain, and it yields server-side command execution in the web server context.

rippsec · Disclosed Apr 16, 2026 · python, markdown, web

CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository contains a single standalone Python exploit script, CVE-2025-49113.py, targeting CVE-2025-49113 in Roundcube Webmail. It is a post-authenticated web exploit for vulnerable Roundcube versions 1.5.0-1.5.9 and 1.6.0-1.6.10. The script is not part of a larger exploit framework. The exploit workflow is straightforward and fully implemented: it logs into Roundcube with valid credentials, extracts a CSRF token from the main page, crafts a malicious PHP serialized object using the Crypt_GPG_Engine gadget, and injects that object into PHP session data by abusing the settings upload endpoint. Specifically, it places part of the serialized payload in the _from URL parameter and part in the uploaded filename of a multipart/form-data request, using pipe separators to create new session variables. It then triggers deserialization by calling the logout endpoint, relying on PHP session handling during session_write_close() to deserialize the injected object and execute the attacker-controlled command. Repository structure is minimal: one Python file with helper routines for serialization transformation, payload construction, authentication, upload/injection, and trigger execution. The helper _process_serialized() converts PHP serialized strings into the extended S: format expected by Roundcube session serialization when special characters are present. _build_payload() constructs the serialized gadget object and the paired injection values. _login(), _upload(), and _trigger() implement the HTTP exploitation stages. main() parses command-line arguments and orchestrates the attack. Main exploit capability: authenticated remote command execution on the Roundcube host. The payload is user-controlled and passed as a command-line argument, making the exploit operational rather than a simple proof of concept. The script includes example commands such as 'id' and a bash reverse shell. 
It disables TLS verification warnings and uses raw multipart body construction with a fixed boundary to precisely control the uploaded filename field. Notable fingerprintable endpoints are the Roundcube login, settings upload, and logout routes, plus the request_token field extracted from HTML/JS responses. No hardcoded victim IPs or domains are present; the operator supplies the target base URL at runtime.

mooder1 · Disclosed Apr 11, 2026 · python, web

CVE-2025-49113-PoC · Maturity: PoC · Verified exploit

Repository provides an operational post-auth RCE exploit/PoC for CVE-2025-49113 affecting Roundcube Webmail (claimed vulnerable range 1.1.0–1.6.10; patched in 1.6.11/1.5.10). The main exploit is a Python script (PoC/src/scanner.py) that: (1) performs an initial GET to the Roundcube base URL to extract a CSRF token and session cookies; (2) authenticates to /?_task=login using provided credentials; (3) builds a PHP object deserialization payload using a Crypt_GPG_Engine gadget, embedding the attacker-supplied command into the serialized property _gpgconf; (4) injects the payload via a crafted multipart/form-data request to the settings upload action, manipulating the _from parameter and uploaded filename to smuggle the serialized object; and (5) triggers execution (trigger function is present but truncated in the provided content; result artifacts indicate a logout/trigger step is used). Structure: PoC/ contains the exploit script, pyproject.toml (packaging/entrypoint), and a sample run output (PoC/result.txt). Stand/ contains a Docker Compose lab with Roundcube 1.6.10-apache, MariaDB 10.6, and a Dovecot IMAP server (port 143) plus IMAP user config (test:test) to reproduce the vulnerable environment. result.json documents successful test runs, prerequisites (valid credentials, upload permissions), the vulnerable component (program/actions/settings/upload.php), and verification via checking files created inside the container (/tmp/pwned, /tmp/output.txt).

Evillm · Disclosed Feb 4, 2026 · python, yaml, network

Ashwesker-CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository provides a working proof-of-concept exploit for CVE-2025-49113, a post-authentication remote code execution (RCE) vulnerability in Roundcube Webmail versions up to 1.6.10 (and 1.5.x before 1.5.10). The main exploit script, 'CVE-2025-49113.php', is a standalone PHP program that automates the exploitation process: it authenticates to a target Roundcube instance using provided credentials, retrieves a CSRF token and session cookie, crafts a malicious serialized PHP object payload, and injects it via the user settings upload endpoint. The payload enables arbitrary command execution on the server. The repository also includes a 'README.md' with detailed usage instructions, an 'install.sh' script to set up a vulnerable Roundcube environment in Docker for testing, and a 'template.yaml' file for detection (likely for use with Nuclei or similar tools). The exploit requires network access to the target Roundcube instance and valid user credentials. The code is operational and demonstrates the full attack chain, but is not weaponized for mass exploitation. No hardcoded backdoors or fake elements are present.

Ashwesker · Disclosed Jun 17, 2025 · php, bash, network

CVE-2025-49113_exploit_cookies · Maturity: PoC · Verified exploit

This repository contains a working exploit for CVE-2025-49113, a critical insecure deserialization vulnerability in Roundcube Webmail (versions 1.5.0-1.5.9 and 1.6.0-1.6.10). The exploit is implemented in a single PHP script (CVE-2025-49113-exploit_cookies.php) and requires valid authenticated session cookies to operate. The script verifies the target's version and session validity, then crafts a multipart/form-data POST request to the file upload endpoint, injecting a malicious serialized PHP object as the filename. This object, when deserialized by the vulnerable Roundcube backend, triggers execution of an attacker-supplied shell command via the system shell. The README.md provides detailed technical background, usage instructions, and mitigation advice. The exploit is operational and allows arbitrary command execution on the target server, provided the attacker has valid credentials and file upload access. No fake or detection-only code is present; the repository is a functional exploit.

l4f2s4 · Disclosed Sep 19, 2025 · php, network

CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (exploit.py) targeting CVE-2025-49113, a remote code execution vulnerability in Roundcube Webmail (before 1.5.10 and 1.6.x before 1.6.11). The exploit requires valid user credentials and works by abusing a PHP object deserialization flaw in the upload functionality of the settings module. The script performs the following steps: (1) checks the target's Roundcube version for vulnerability, (2) logs in with provided credentials to obtain session cookies and CSRF tokens, (3) crafts a malicious serialized PHP object containing a system command, and (4) uploads this object as a file to the vulnerable endpoint, triggering command execution on the server. The exploit is operational and allows arbitrary command execution as the web server user. The only code file is exploit.py, written in Python, and the README.md provides usage instructions and a brief vulnerability description. No hardcoded IPs or domains are present; the target URL is supplied by the user.

AC8999 · Disclosed Aug 29, 2025 · python, network

CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-49113, a critical remote code execution vulnerability in Roundcube Webmail (versions 1.5.0-1.5.9 and 1.6.0-1.6.10). The exploit leverages insecure PHP object deserialization in the 'upload.php' script, allowing authenticated users to execute arbitrary commands on the server. The main exploit script, 'exp.py', is a Python script that: 1. Checks the target Roundcube version for vulnerability. 2. Authenticates to the webmail interface using provided credentials. 3. Crafts a serialized PHP object payload that, when deserialized by the server, executes a base64-encoded shell command. 4. Uploads the payload to the vulnerable 'upload.php' endpoint using a multipart/form-data POST request. The exploit requires valid user credentials and network access to the Roundcube web interface. The repository contains standard support files (README, LICENSE, requirements.txt) and a single exploit script. No fake or destructive code is present; the exploit is a functional PoC for educational and testing purposes.

Zwique · Disclosed Aug 24, 2025 · python, network

CVE-2025-49113-Roundcube-RCE-PHP · Maturity: PoC · Verified exploit

This repository contains a PHP exploit for CVE-2025-49113, targeting Roundcube Webmail versions 1.5.0 through 1.6.10. The exploit consists of a single PHP script ('exploit.php') and a README. The script performs the following steps: (1) checks if the target Roundcube instance is vulnerable by parsing its version, (2) logs in using provided credentials to obtain session and CSRF tokens, (3) crafts a malicious serialized PHP object (gadget) that, when deserialized by the server, executes a reverse shell payload, and (4) uploads this gadget as a fake image file to a specific Roundcube settings endpoint. The payload is a hardcoded PHP reverse shell that connects back to the attacker's machine at 10.10.14.82:6666. The exploit requires valid user credentials and network access to the target Roundcube instance. The repository is operational and provides a working exploit with a real payload, but the payload is not easily customizable without editing the code. No framework is used; the code is standalone.

SteamPunk424 · Disclosed Aug 19, 2025 · php, network

CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository contains a Python proof-of-concept exploit for CVE-2025-49113, a remote code execution vulnerability in Roundcube Webmail versions <=1.5.9 and <=1.6.10. The exploit targets a PHP object injection flaw in the handling of uploaded image filenames, which are unserialized as PHP objects. By crafting a malicious serialized Crypt_GPG_Engine object and uploading it as a filename, the attacker can execute arbitrary shell commands on the server after authentication. The exploit script (CVE-2025-49113.py) automates the process: it checks the target's version, logs in with provided credentials, crafts the payload, and uploads it to the vulnerable endpoint. The README.md provides detailed usage instructions, prerequisites, and background on the vulnerability. The exploit requires valid user credentials and a vulnerable Roundcube instance accessible over the network. No hardcoded endpoints are present; the script takes the target URL as an argument. The code is a functional PoC and does not include advanced features such as payload customization beyond the command argument.

00xCanelo · Disclosed Jul 19, 2025 · python, network

CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository contains a Python exploit (exploit.py) for CVE-2025-49113, a critical PHP object deserialization vulnerability in Roundcube Webmail. The exploit automates the process of authenticating to a Roundcube instance using valid credentials, extracting session cookies and CSRF tokens, and then uploading a specially crafted image file whose filename is a serialized PHP object. This object abuses the Crypt_GPG_Engine class to inject a malicious GPG configuration, which is base64-encoded and, when deserialized by the server, results in arbitrary shell command execution. The exploit requires the attacker to have valid credentials for the target Roundcube instance. The repository consists of a detailed README.md explaining the vulnerability, usage, and technical details, and a single Python script (exploit.py) implementing the exploit logic. The main attack vector is network-based, targeting the web interface of Roundcube. The endpoints involved include the login and file upload routes of the Roundcube application. The payload is a serialized PHP object that triggers code execution via the GPG configuration. The exploit is operational and provides remote code execution capabilities if the target is vulnerable and valid credentials are supplied.

Joelp03 · Disclosed Jul 18, 2025 · python, network

roundcube-cve-2025-49113 · Maturity: PoC · Verified exploit

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-49113, a post-authentication remote code execution (RCE) vulnerability in Roundcube Webmail versions 1.6.10 and below. The main exploit file, 'CVE-2025-49113.php', is a PHP script that automates the exploitation process: it authenticates to a target Roundcube instance using provided credentials, retrieves a CSRF token and session cookie, crafts a malicious serialized PHP payload, injects it into the application, and triggers its execution to run arbitrary system commands as the web server user. The payload is user-supplied and executed on the target, as demonstrated by the example 'touch /tmp/pwned'. The repository also includes 'rc_install.sh', a Bash script to set up a vulnerable Roundcube environment (version 1.6.10) on Ubuntu 24.04 using Docker, Apache, MariaDB, and Dovecot, facilitating local testing of the exploit. The README provides setup instructions and references to further resources and credits. Key endpoints include the default Roundcube web interface at 'http://roundcube.local/' and 'http://127.0.0.1:9876/' for local testing. The exploit requires valid user credentials (post-auth), and the attack vector is network-based, targeting the web application over HTTP. The code is a functional PoC, not weaponized, and is intended for research and educational purposes.

punitdarji · Disclosed Jun 18, 2025 · php, bash, network

CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository contains a Python exploit (exploit.py) targeting CVE-2025-49113, a remote code execution vulnerability in Roundcube Webmail (versions <=1.5.9 and 1.6.0–1.6.10) via PHP object deserialization using a crafted .phar file. The exploit requires a valid authenticated session (SESSIONID) for the target Roundcube instance. The tool supports uploading a malicious .phar payload to the server and then triggering the vulnerability by accessing a specially crafted URL that causes the server to deserialize the payload, resulting in arbitrary command execution. The exploit script provides options to upload the payload, guess common file paths, or use a user-supplied path for the payload. The README.md provides detailed usage instructions in both Vietnamese and English. The repository is structured with a single exploit script and a README, and is operational, requiring the attacker to generate a .phar payload (e.g., with phpggc) and supply a valid session cookie.

Yuri08loveElaina · Disclosed Jun 15, 2025 · python, network

Roundcube-CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository provides a fully functional exploit for CVE-2025-49113, a remote code execution vulnerability in Roundcube Webmail (versions 1.5.0-1.5.9 and 1.6.0-1.6.10). The exploit targets a logic flaw in the session parser that allows insecure deserialization of PHP objects, enabling authenticated attackers to execute arbitrary system commands on the server. The repository contains four files: a README with detailed usage and vulnerability information, a Python exploit script (roundcube_exploit.py), a PHP script (generate_gadget.php) for generating the serialized payload, and a requirements.txt for Python dependencies. The exploit requires valid Roundcube credentials and uses the Python script to automate login, version checking, payload generation (via the PHP script), and exploitation by sending the malicious payload to a vulnerable endpoint. The main attack vector is network-based, requiring access to the Roundcube web interface. The exploit is operational, providing real command execution on the target server.

BiiTts · Disclosed Jun 10, 2025 · python, php, network

CVE-2025-49113-exploit · Maturity: PoC · Verified exploit

This repository contains a working exploit for CVE-2025-49113, a remote code execution vulnerability in Roundcube Webmail (versions 1.5.0 through 1.6.10). The exploit is implemented in a single PHP script (CVE-2025-49113.php) and is accompanied by a detailed README.md. The exploit requires valid Roundcube credentials and targets the webmail's deserialization vulnerability to achieve arbitrary command execution on the server. The PHP script performs the following steps: 1. Checks if the target Roundcube instance is running a vulnerable version by parsing the version from the web interface. 2. Authenticates to the target using provided credentials, handling session and CSRF tokens. 3. Crafts a malicious PHP object (gadget) that, when deserialized by the server, executes a user-supplied shell command. 4. Uploads a PNG image with the malicious gadget as the filename to a specific file upload endpoint, triggering the vulnerability. The exploit is operational and allows the attacker to execute arbitrary commands as the web server user. The main endpoints involved are the base URL, the login endpoint, and a crafted file upload endpoint. The repository is well-structured, with clear separation between exploit code and documentation, and is intended for use by penetration testers or researchers with permission to test the target system.

hakaioffsec · Disclosed Jun 6, 2025 · php, markdown, network

CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository contains a PHP exploit script (rc-exploit.php) targeting CVE-2025-49113 in Roundcube Webmail. The exploit requires the attacker to provide the target URL, the file system path for the webshell, and valid Roundcube user credentials. The script performs a four-step process: (1) obtaining a CSRF token and session cookie, (2) authenticating with the provided credentials, (3) saving the authenticated session, and (4) exploiting the vulnerability to upload a PHP webshell to the specified path on the server. The webshell allows remote command execution via HTTP requests. The exploit is operational, providing a working payload and automating the attack steps, but it is not part of a larger framework. The repository includes a README and the main exploit script, with the latter containing all logic for authentication, session management, and exploitation. The script interacts with the target over HTTP and writes files to the local and remote file systems.

SyFi · Disclosed Jun 6, 2025 · php, network

exploit-CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-49113, a critical PHP object deserialization vulnerability in Roundcube Webmail (versions prior to 1.5.10 and 1.6.11). The exploit consists of a single PHP script (exploit.php) that crafts a serialized object payload (EvilObject) and sends it to the vulnerable /settings/upload.php endpoint via a specially constructed URL. The payload leverages the __destruct method to write a file (test_poc.txt) with a timestamp to the server, demonstrating arbitrary code execution. The exploit requires a valid authenticated session (roundcube_sessid cookie) and a writable target directory. The repository also includes a detailed README.md explaining the vulnerability, exploitation steps, and mitigation recommendations. No detection scripts or fake code are present; the exploit is a functional PoC demonstrating the vulnerability's impact.

rasool13x · Disclosed Jun 5, 2025 · php, network

CVE-2025-49113 · Maturity: PoC · Verified exploit

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-49113, a post-authentication remote code execution (RCE) vulnerability in Roundcube Webmail versions 1.6.10 and earlier. The main exploit file, 'CVE-2025-49113.php', is a standalone PHP script that targets a running Roundcube instance. It requires valid user credentials and a target URL, and leverages insecure PHP object deserialization to achieve arbitrary command execution on the server. The exploit flow involves authenticating to the webmail, crafting a serialized payload, injecting it, and triggering its execution. The repository also includes a Bash script ('rc_install.sh') to set up a vulnerable Roundcube environment for testing, and a README with usage instructions and mitigation advice. The exploit is network-based, targeting HTTP endpoints, and demonstrates the ability to execute arbitrary commands, such as reading sensitive files or creating new files on the server. No framework is used; the exploit is a standalone PoC.

fearsoff-org · Disclosed Jun 4, 2025 · php, bash, network
Exposure surface: affected products & vendors

Products and vendors Mallory has correlated with this vulnerability (vendor-confirmed product mapping).

Vendor      Product        Type
Debian      Debian Linux   operating_system
Roundcube   Webmail        application

What this page doesn't show

This page is what's public. Mallory adds the parts that aren't: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Exposure mapping: query your assets running an affected version, and investigate the blast radius.
Threat actor evidence (4): every observed campaign linking this CVE to a named adversary.
Associated malware: malware families riding this exploit, with evidence and IOCs.
Detection signatures (1): YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Vendor-by-vendor mapping: cross-references every affected SKU, including bundled OEM variants.
Social activity (112): community discussion across Reddit, Mastodon, and other social sources.