Roundcube: CVE-2025-49113 Room

Welcome to the Roundcube: CVE-2025-49113 Room on Try Hack Me!

This walkthrough for the Roundcube: CVE-2025-49113 Room on TryHackMe is for educational purposes only. The author assumes no responsibility for any misuse or damage resulting from the use of this walkthrough. Unauthorized use of systems you do not own or have explicit permission to test is illegal and strictly prohibited.

This room focuses on the vulnerability CVE-2025-49113, which was recently discovered and is listed on NVD. It has a severity score of 9.9 and is categorized as Critical.

The Vector provided on NVD : Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

This vector simply states that:

Attack Vector: Network - This simply means that this vulnerability can easily be exploited over the network (by remote users), which is also the reason why any threat actor with credentials can perform RCE. AV being on the network is a serious issue.

Attack Complexity: Low - From the metric and value associated with it is self-understood that the threat actor does not need to perform any complex operation or need a race condition to exist in order to get access to the host system. Having attack complexity as low is a serious red flag, as it means how easy it is to exploit this vulnerability.

Privileges Required: Low - From the metric and value associated with it is self-understood that the threat actor does require basic user privileges to exploit this vulnerability. Having privileges required as low is a serious issue, as obtaining user privileges is not that difficult if the threat actor gets their hands on user credentials if any additional security controls like Multi-factor authentication aren’t in place.

User Interaction: None - This is because the threat actor does not need any user interaction for the exploit to work. Obtaining user credentials is another thing that may require user interaction if done via phishing, where the user might need to click on the link. Having user interaction as None is a serious concern, as if it were the other way round, we might reduce the success of the exploit by user awareness.

Scope: Changed - The scope is changed because exploiting the vulnerability lets a threat actor move from normal user permissions in the Roundcube web application to arbitrary code execution on the underlying server. That crosses a security boundary from user-level control to system-level control.

CIA: High - This is obvious as RCE vulnerabilities are always a threat to the Confidentiality, Integrity, and Availability of any system.

This room revolves around the concept of serialisation and deserialisation, so it is better to get these concepts cleared before starting the room.

Alright, let’s get started!

TASK 1: Introduction —> Self-Explanatory

TASK 2: Technical Background

You can definitely read from this task to know about the technical details. But here is what I understand by the terms serialisation and deserialisation, and I will try my best to explain it in simple terms to anyone who is new to this concept.

Serialisation in simple terms means converting an Object or a Data structure to a string so that it can be stored or sent over the network with the aim of saving complex data structures easily and reconstructing them as required.

Deserialisation is nothing but the reverse of the process of serialisation, with the aim of getting back the Object / Data Structure from the string.

This vulnerability arises due to the potential absence of input validation for the _from property in the upload.php, which makes it easy to deserialise any malicious serialised input provided by the threat actor.

TASK 3: Exploitation

Before following the steps mentioned, I first tried to check if Metasploit has any RoundCube exploit available in its exploit database. But unfortunately, it just pointed out one exploit that was disclosed in 2017. Therefore, we couldn’t use Metasploit directly here.

So, I began following the steps mentioned to exploit this vulnerability with the available exploit using the provided username and password.

This exploit code crafts a malicious serialized PHP Object and performs a POST request on the vulnerable endpoint, which, when run on the server side, provides us with shell access.

1. One of the users has the first name of Maggie; what is her last name?

After getting access to the shell, I knew that the list of users is stored in the /etc/passwd

cd /etc/passwd | grep -i maggie

We get the desired user using this command.

2. What is the value of the flag saved in /etc?

This one is simple, and as always, it can be found in flag.txt

It was a very simple room, but it had some important concepts that reinforced the importance of secure coding.

Congratulations on completing this room! 🎉

Professional Analysis

Detection & Impact

Code reviews are a critical part of the Secure Software Development Lifecycle (SSDLC), helping identify vulnerabilities early in the development process. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools provide an additional layer of defense by automatically detecting these types of security flaws. Neglecting such security testing can result in severe vulnerabilities, including Remote Code Execution (RCE), which attackers can exploit to gain unauthorized access to the host system, ultimately threatening the confidentiality, integrity, and availability of data.

Real-World Application

Companies apply the Zero Trust principle by ensuring all user inputs are validated, regardless of user authentication. In practice, this means adding thorough input validation checks during code reviews, supported by automated security scanning tools in CI/CD pipelines. These measures help prevent critical vulnerabilities such as insecure deserialization that can lead to Remote Code Execution on production systems.

Security Implications

Exploiting vulnerabilities like insecure deserialization can lead to severe consequences, such as Remote Code Execution, giving attackers control over the server and access to sensitive data. From a business perspective, this compromises the confidentiality, integrity, and availability of critical systems, potentially resulting in data breaches, regulatory fines, reputational damage, and loss of customer trust. Such incidents can disrupt operations, incur legal liabilities, and lead to significant financial losses, underscoring the importance of proactive security measures throughout the software development lifecycle.