Please update your Roundcube to address CVE-2025-49113

Hello, good afternoon. We received a report from one of our clients about a possible vulnerability in Roundcube affecting versions < 1.5.10 and 1.6.0–1.6.10.
Issue link: CVE-2025-49113 – Post-Auth Remote Code Execution in Roundcube via PHP Object Deserialization.


Hestia already updated to 1.6.11


I need some help

My /usr/local/hestia/install/upgrade/upgrade.conf file has:

# Set version of RoundCube (Webmail) to update during upgrade if not already installed
# Note: only applies to "non-apt installs >= 1.4.0 or manually phased out"
rc_v='1.6.11'

I run the update command:

But it doesn’t update—Roundcube stays on version 1.6.8.

Any idea why the rc_v value isn’t being applied or how to force the update to 1.6.11?

Roundcube 1.6.11 Update Guide - Complete Step-by-Step

Important Warning: Don’t trust the automatic file updates to resolve everything magically. Always verify that your version is actually updated to 1.6.11 after following these steps.

Prerequisites

  • Root or sudo access to your server
  • Basic command line knowledge
  • Roundcube installation (typically in /var/lib/roundcube/)

Step-by-Step Update Process

1. Create Backups (CRITICAL!)

Backup your files:

```bash
cp -R /var/lib/roundcube/ /var/lib/roundcube_backup/
```

Backup your database:

```bash
mysqldump --add-drop-table roundcube > ~/roundcube_backup.sql
```

2. Configure PHP CLI Settings

Edit PHP CLI configuration:

```bash
vim /etc/php/8.2/cli/php.ini
```

Remove system from disable_functions line (you’ll need to find this setting in the file and remove “system” from the list)

3. Download and Install Roundcube 1.6.11

Download the latest version:

```bash
cd /tmp
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.11/roundcubemail-1.6.11-complete.tar.gz
```

Extract the archive:

```bash
tar -xzf roundcubemail-1.6.11-complete.tar.gz
cd /tmp/roundcubemail-1.6.11/
```

Install to your Roundcube directory:

```bash
./bin/installto.sh -y /var/lib/roundcube/
```

4. Fix Permissions

Set correct ownership:

```bash
chown -R hestiamail:hestiamail /var/lib/roundcube/
chown -R hestiamail:hestiamail /etc/roundcube/
```

Set correct file permissions:

```bash
find /etc/roundcube/ -type f -iname "*.php" -exec chmod 640 {} \;
```

5. Restore PHP Configuration

Re-add system to disable_functions in /etc/php/8.2/cli/php.ini for security.

6. Verify Installation

After completing these steps, verify that:

  • Roundcube is accessible via web browser
  • Version shows as 1.6.11 in the admin panel
  • All functionality works as expected

Troubleshooting Tips

  • If you encounter issues, restore from your backups and try again
  • Check web server error logs if the interface doesn’t load
  • Ensure all file permissions are correct
  • Verify database connectivity after the update

Notes

  • This guide assumes you’re using HestiaCP (based on the hestiamail user)
  • Adjust paths and users according to your specific setup
  • Always test in a staging environment first if possible
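As an added example for the verification step (not code from this thread, from HestiaCP or from the Roundcube project), the following POSIX shell snippet reads the installed version from the Roundcube tree and checks it against the affected range named at the top of the thread (< 1.5.10, and 1.6.0 through 1.6.10). It assumes Roundcube defines the `RCMAIL_VERSION` constant in `program/include/iniset.php`, as the upstream source does; adjust the path if your install differs. The comparison is done field by field as integers, so 1.6.8 correctly sorts below 1.6.10 (a plain string compare would get that wrong). The sample install tree is constructed inline so the check runs offline.

```shell
#!/bin/sh
# Added example, not part of the forum post or of Roundcube itself.
# Assumption: Roundcube ships  define('RCMAIL_VERSION', 'x.y.z');  in
# program/include/iniset.php under the install directory.

# Print the version string of the Roundcube tree given as $1 (empty if not found).
rc_version() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([0-9][0-9.]*\)[^']*').*/\1/p" \
        "$1/program/include/iniset.php" | head -n 1
}

# Compare two dotted versions field by field as integers; print -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"          # missing trailing field counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Exit 0 if $1 is in the CVE-2025-49113 affected range from the thread:
#   < 1.5.10, or 1.6.0 .. 1.6.10 inclusive.
rc_vulnerable() {
    v="$1"
    if [ "$(vercmp "$v" 1.5.10)" -lt 0 ]; then return 0; fi
    if [ "$(vercmp "$v" 1.6.0)" -ge 0 ] && [ "$(vercmp "$v" 1.6.10)" -le 0 ]; then
        return 0
    fi
    return 1
}

# Demo on a constructed sample tree that mimics the upstream define line.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/program/include"
    printf "<?php\ndefine('RCMAIL_VERSION', '1.6.8');\n" > "$tmp/program/include/iniset.php"
    v="$(rc_version "$tmp")"
    if [ -z "$v" ]; then
        echo "could not read RCMAIL_VERSION from $tmp" >&2
    elif rc_vulnerable "$v"; then
        echo "Roundcube $v: in the CVE-2025-49113 affected range, upgrade to 1.6.11"
    else
        echo "Roundcube $v: not in the affected range"
    fi
    rm -rf "$tmp"
}

demo
```

On a real box, run `rc_version /var/lib/roundcube` after `installto.sh` finishes; if it still prints the old version, the files were not replaced and the backup/restore path in the troubleshooting section applies.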

This would work too. Same.

Remove system from disable_functions line (you’ll need to find this setting in the file and remove “system” from the list)

That was probably the issue

I thought it was that too. I had removed it and tried the standard update commands, but unfortunately it didn’t work in my case.

But thank you.
