The following blog post is based on our June H2 Vulnerability Insights Report. TeamT5 Vulnerability Research Team is dedicated to providing timely mitigation and response guidelines to critical vulnerabilities. Contact us for more information about our vulnerability intelligence.
Active Exploitation of CVE-2025-49113 in Roundcube Webmail
TeamT5 has detected that a critical vulnerability (CVE-2025-49113) in Roundcube Webmail is being actively exploited by the China-nexus APT group CamoFei. The earliest exploitation we observed dates back to April 2025. After successful exploitation, CamoFei deployed the open-source webshell Godzilla and the shared RAT Pupy. The victims include educational institutions in Taiwan and government agencies in Pakistan and Myanmar.
We summarize the attacks under Exploitation Status below.
Executive Summary
We assess the severity of CVE-2025-49113 as critical and urge our customers to use this report to mitigate its effects. CVE-2025-49113 is a post-authentication PHP object deserialization vulnerability with a CVSS score of 9.9. A threat actor holding a compromised Roundcube Webmail account can exploit CVE-2025-49113 to achieve remote code execution on the mail server and implant malware.
Roundcube released the patch for CVE-2025-49113 on June 1, 2025.[1] A public report[2] with a root cause analysis and a Proof-of-Concept[3] for the vulnerability have since circulated in the wild. The vulnerability affects Roundcube Webmail versions prior to 1.6.11 or 1.5.10.
As of June 21, our research suggests that more than 8,000 Roundcube Webmail devices in the APAC region are vulnerable to CVE-2025-49113, including over 4,000 in Japan, 2,500 in Singapore, and hundreds each in Taiwan, South Korea, and Vietnam. Based on our investigation and the current exploitation status of CVE-2025-49113, we describe the Forensic Artifacts in this report and summarize the malware and IoCs in Appendix I: Malware Table and Appendix II: Indicators of Compromise (IoC). Most importantly, we provide a comprehensive Mitigation and Response Advisory for our customers.
The Mitigation and Response Advisory includes:
- Official Information
- Threat Hunting Tools: Vulnerability Scanner.
Exploitation Status
CVE-2025-49113 has been actively exploited by China-nexus APT group CamoFei since April 2025.
- CamoFei exploited the vulnerability in attacks against educational institutions in Taiwan and government agencies in Pakistan and Myanmar.
- In the attacks, CamoFei deployed the open-source webshell Godzilla[4 & 5] and the shared RAT Pupy[6].
- The C2 of the malware is repos.seuweb.com.
Mitigation and Response Advisory
1. Official Information
A threat actor with a compromised Roundcube Webmail account can exploit CVE-2025-49113 to achieve remote code execution and implant malware.
Roundcube released the patch for CVE-2025-49113 on June 1, 2025. We highly recommend that our clients and partners update their Roundcube Webmail devices to version 1.6.11 or 1.5.10.
2. Threat Hunting Tools
As of June 21, our research suggests that more than 8,000 Roundcube Webmail devices in the APAC region are vulnerable to CVE-2025-49113, including over 4,000 in Japan, 2,500 in Singapore, and hundreds each in Taiwan, South Korea, and Vietnam.
Our vulnerability research team has prepared a vulnerability scanner that our clients and partners can use to check whether their Roundcube devices are vulnerable to CVE-2025-49113.
The vulnerability scanner can be downloaded from Threat Hunting Tools[7].
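Besides running the scanner against exposed hosts, an administrator can verify the installed version locally. The following Python snippet is an added example written for this page; it is neither TeamT5's scanner nor Roundcube code. It encodes the fixed versions from the Roundcube advisory[1] per release branch and reads the version string from a constructed excerpt of Roundcube's program/include/iniset.php. That file location and the RCMAIL_VERSION define are assumptions about the install layout, as is treating branches older than 1.5 as never patched and branches newer than 1.6 as carrying the fix.

```python
import re

# Fixed versions named in the Roundcube advisory [1], keyed by release branch.
FIXED = {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)}

# Assumption: Roundcube stores its version as
#   define('RCMAIL_VERSION', '1.6.10');
# in program/include/iniset.php. Adjust the pattern if your install differs.
VERSION_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text):
    """Turn '1.6.10' (or a tagged form such as '1.6.10-rc') into a (major, minor, patch) tuple."""
    core = text.strip().split('-', 1)[0]
    parts = core.split('.')
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError('unrecognised Roundcube version string: %r' % text)
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """True when the given Roundcube version predates the fix for CVE-2025-49113."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Assumption drawn from the advisory wording "prior to 1.6.11 or 1.5.10":
    # branches older than 1.5 never received a fix, branches newer than 1.6
    # postdate it.
    return v < (1, 5, 0)


def version_from_iniset(php_source):
    """Extract the RCMAIL_VERSION string from the contents of iniset.php."""
    m = VERSION_DEFINE_RE.search(php_source)
    if m is None:
        raise ValueError('RCMAIL_VERSION define not found')
    return m.group(1)


# Constructed excerpt standing in for program/include/iniset.php on an
# unpatched 1.6 install.
SAMPLE_INISET = "<?php\n// ... (other defines)\ndefine('RCMAIL_VERSION', '1.6.10');\n"

if __name__ == '__main__':
    v = version_from_iniset(SAMPLE_INISET)
    print('Roundcube %s: %s' % (v, 'VULNERABLE, upgrade' if is_vulnerable(v) else 'patched'))
```

Comparing per branch matters: a naive "newer than 1.5.10" test would wrongly clear 1.6.0 through 1.6.10, which are all affected.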
Forensic Artifacts
Given that CVE-2025-49113 is a post-authentication vulnerability, the threat actor must first obtain leaked credentials for a Roundcube Webmail account. With the compromised account, the actor can exploit CVE-2025-49113; because the payload travels in the query string, the exploit request leaves the serialized payload in the Apache access log.
- The serialized payload is carried in the _from parameter and has a format similar to _from=edit-%21%C0%22%C0%3B%...
- The default path of the Apache log on Debian-based systems is /var/log/apache2/other_vhosts_access.log.
- The log will look as follows:
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:08:01:21 +0000] "GET // HTTP/1.1" 200 37999 "-" "-"
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:08:01:21 +0000] "GET //?_task=logout&_token=Xlh5DX0uGrkcJ7bhEcbyeLfryWgnsndF HTTP/1.1" 200 6068 "-" "-"
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:09:18:22 +0000] "GET // HTTP/1.1" 200 5856 "-" "-"
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:09:18:22 +0000] "POST //?_task=login HTTP/1.1" 302 723 "-" "-"
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:09:18:22 +0000] "POST //?_from=edit-%21%C0%22%C0%3B%C0i%C0%3A%C00%C0%3B%C0O%C0%3A%C01%C06%C0%3A%C0%22%C0C%C0r%C0y%C0p%C0t%C0_%C0G%C0P%C0G%C0_%C0E%C0n%C0g%C0i%C0n%C0e%C0%22%C0%3A%C01%C0%3A%C0%7B%C0S%C0%3A%C02%C06%C0%3A%C0%22%C0%5C%C00%C00%C0C%C0r%C0y%C0p%C0t%C0_%C0G%C0P%C0G%C0_%C0E%C0n%C0g%C0i%C0n%C0e%C0%5C%C00%C00%C0_%C0g%C0p%C0g%C0c%C0o%C0n%C0f%C0%22%C0%3B%C0S%C0%3A%C02%C01%C0%3A%C0%22%C0w%C0h%C0o%C0a%C0m%C0i%C0+%C0%3E%C0+%C0%2F%C0t%C0m%C0p%C0%2F%C0p%C0w%C0n%C0e%C0d%C0%3B%C0%23%C0%22%C0%3B%C0%7D%C0i%C0%3A%C00%C0%3B%C0b%C0%3A%C00%C0%3B%C0%7D%C0%22%C0%3B%C0%7D%C0%7D%C0&_task=settings&_framed=1&_remote=1&_id=1&_uploadid=1&_unlock=1&_action=upload HTTP/1.1" 200 835 "-" "-"
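The hunt described in this section can be automated over the access log. The following Python script is an added example written for this page; it is not TeamT5's scanner and not Roundcube code. It parses the vhost access-log format shown above, percent-decodes the _from parameter to raw bytes, removes the 0xC0 filler bytes that separate every character of the sample payload, and flags requests whose _from value carries the ! marker followed by a serialized PHP object, reporting the gadget class and the embedded strings. Matching payloads that omit the 0xC0 filler goes beyond the page's sample and is a deliberate generalization. The embedded log excerpt is the one from this report plus one constructed benign upload request (_from=edit-identity) as a negative case; that legitimate value is an assumption.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Apache other_vhosts_access.log layout:
#   vhost:port client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A serialized PHP object header:  O:<len>:"<class>":<nprops>:{
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# Serialized string members in both the plain (s:) and escaped (S:) forms
PHP_STRING_RE = re.compile(rb'[sS]:\d+:"([^"]*)"')


def parse_query(target):
    """Map query parameter names to percent-decoded raw bytes.

    Bytes rather than str so invalid UTF-8 such as the 0xC0 filler survives;
    '+' is treated as a space as in form encoding."""
    _, _, query = target.partition('?')
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params[name] = unquote_to_bytes(value.replace('+', ' '))
    return params


def inspect_line(line):
    """Return a finding dict for an exploit request, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    params = parse_query(m['target'])
    raw_from = params.get('_from')
    if raw_from is None:
        return None
    # In the sample on this page every byte of the serialized object is
    # separated by a 0xC0 byte; stripping them exposes the object. A payload
    # sent without the filler is unaffected by this step and still matches.
    cleaned = raw_from.replace(b'\xc0', b'')
    obj = PHP_OBJECT_RE.search(cleaned)
    if b'!' not in cleaned or obj is None:
        return None
    return {
        'vhost': m['vhost'],
        'client': m['client'],
        'time': m['time'],
        'status': int(m['status']),
        'action': params.get('_action', b'').decode('latin-1'),
        'gadget_class': obj.group(1).decode('latin-1'),
        'filler_bytes': raw_from.count(b'\xc0'),
        'strings': PHP_STRING_RE.findall(cleaned),
        'payload': cleaned,
    }


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the hits."""
    return [f for f in map(inspect_line, lines) if f is not None]


# Access-log excerpt reproduced from this report.
PAGE_LOG = """\
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:08:01:21 +0000] "GET // HTTP/1.1" 200 37999 "-" "-"
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:08:01:21 +0000] "GET //?_task=logout&_token=Xlh5DX0uGrkcJ7bhEcbyeLfryWgnsndF HTTP/1.1" 200 6068 "-" "-"
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:09:18:22 +0000] "GET // HTTP/1.1" 200 5856 "-" "-"
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:09:18:22 +0000] "POST //?_task=login HTTP/1.1" 302 723 "-" "-"
roundcube.local:80 192.168.1.2 - - [30/Jun/2025:09:18:22 +0000] "POST //?_from=edit-%21%C0%22%C0%3B%C0i%C0%3A%C00%C0%3B%C0O%C0%3A%C01%C06%C0%3A%C0%22%C0C%C0r%C0y%C0p%C0t%C0_%C0G%C0P%C0G%C0_%C0E%C0n%C0g%C0i%C0n%C0e%C0%22%C0%3A%C01%C0%3A%C0%7B%C0S%C0%3A%C02%C06%C0%3A%C0%22%C0%5C%C00%C00%C0C%C0r%C0y%C0p%C0t%C0_%C0G%C0P%C0G%C0_%C0E%C0n%C0g%C0i%C0n%C0e%C0%5C%C00%C00%C0_%C0g%C0p%C0g%C0c%C0o%C0n%C0f%C0%22%C0%3B%C0S%C0%3A%C02%C01%C0%3A%C0%22%C0w%C0h%C0o%C0a%C0m%C0i%C0+%C0%3E%C0+%C0%2F%C0t%C0m%C0p%C0%2F%C0p%C0w%C0n%C0e%C0d%C0%3B%C0%23%C0%22%C0%3B%C0%7D%C0i%C0%3A%C00%C0%3B%C0b%C0%3A%C00%C0%3B%C0%7D%C0%22%C0%3B%C0%7D%C0%7D%C0&_task=settings&_framed=1&_remote=1&_id=1&_uploadid=1&_unlock=1&_action=upload HTTP/1.1" 200 835 "-" "-"
"""
# Constructed benign-looking upload request used as a negative case; the
# _from=edit-identity value is an assumption about legitimate traffic.
BENIGN_LINE = ('roundcube.local:80 192.168.1.3 - - [30/Jun/2025:10:02:05 +0000] '
               '"POST //?_task=settings&_framed=1&_remote=1&_id=1&_uploadid=1&_unlock=1'
               '&_action=upload&_from=edit-identity HTTP/1.1" 200 835 "-" "-"')
SAMPLE_LOG = PAGE_LOG + BENIGN_LINE + '\n'

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG.splitlines()):
        print('%s %s %s gadget=%s filler=%d strings=%r'
              % (f['time'], f['client'], f['action'], f['gadget_class'],
                 f['filler_bytes'], f['strings']))
```

Matching on the decoded bytes rather than on the literal %C0%22 text matters, since the attacker chooses the percent-encoding and can drop the filler. Each hit should be paired with the preceding POST //?_task=login (302) from the same client, as in the excerpt above, to identify the compromised account, and the shell command recovered from the serialized strings tells you what to look for on disk next.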
Notably, as of June 21, our research suggests that more than 8,000 Roundcube Webmail devices in the APAC region are vulnerable to CVE-2025-49113, including over 4,000 in Japan, 2,500 in Singapore, and hundreds each in Taiwan, South Korea, and Vietnam:
Country | Vulnerable devices |
---|---|
JP | 4087 |
TW | 416 |
SG | 2566 |
KR | 348 |
VN | 719 |
We therefore highly recommend that our clients and partners use the vulnerability scanner in Threat Hunting Tools[7] to check whether their Roundcube Webmail devices are vulnerable to CVE-2025-49113.
Appendix I: Malware Table
The Malware Table introduces the malware mentioned in this report.
Name | Type | Description | Attribution | First Seen |
---|---|---|---|---|
Godzilla | Webshell | Godzilla is an open-source webshell that has been used by different cyber-espionage and cyber-crime actors, especially Chinese actors. Godzilla is typically deployed after an actor has exploited a web vulnerability and compromised the web server. | Open-source | 2020.01 |
Pupy | RAT | Pupy is a cross-platform, multi-function RAT and post-exploitation tool mainly written in Python. It features an all-in-memory execution model and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote Python code, Python packages and Python C-extensions from memory. | Shared | 2015.01 |
Appendix II: Indicators of Compromise (IoC)
repos.seuweb.com (C2 domain)
68e8083b9dbbfdaf6a59f9edede4febd20f88eba3eb0ea8bb8046d96411d450b (SHA-256, Godzilla webshell)
a59e93bf140192089d30f676285d96204f07ca21550aca4d0ca33ba9697c161b (SHA-256, Godzilla webshell)
84771d855307aaee497ad14b5b56189235bd88f56cc654cab32ecabde2f56dfb (SHA-256, Pupy RAT)
Appendix III: Other critical CVEs
Patch Management Report (PMR). Published weekly (or more often), the PMR provides our customers with concise yet comprehensive updates on the most critical and exploitable vulnerabilities selected by the TeamT5 vulnerability research team during the period, together with patch information for each vulnerability. If you are interested in subscribing to this report series, please contact TeamT5 for more information.
[1] Security updates 1.6.11 and 1.5.10 released https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
[2] Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113] https://fearsoff.org/research/roundcube
[3] Proof of Concept https://github.com/fearsoff-org/CVE-2025-49113/blob/main/CVE-2025-49113.php
[4] SHA-256: 68e8083b9dbbfdaf6a59f9edede4febd20f88eba3eb0ea8bb8046d96411d450b
[5] SHA-256: a59e93bf140192089d30f676285d96204f07ca21550aca4d0ca33ba9697c161b
[6] SHA-256: 84771d855307aaee497ad14b5b56189235bd88f56cc654cab32ecabde2f56dfb