
CVE-2025-49113 Vulnerability in Roundcube on Plesk servers


Applicable to:

  • Plesk for Linux

Situation

The vulnerability CVE-2025-49113, which allows remote code execution by authenticated users, has been discovered in Roundcube.

Impact

Roundcube Webmail versions lower than 1.5.10 and 1.6.11 are affected.

Resolution

Install the latest Plesk updates to patch this vulnerability: How to upgrade Plesk to the next release

To deliver the patch as quickly as possible, Plesk backported it to 1.6.10 and 1.4.15. To make sure the patched version is installed, check the build number by running this command:

# (p=$(rpm -qa 2>/dev/null || dpkg -l 2>/dev/null) && echo "$p" | grep -i roundcube | grep -oE '[0-9]{6}' | while read v; do [ "$v" -lt 250601 ] && echo "Roundcube is not patched. Update Plesk" || echo "The patched Roundcube version is already installed"; done)
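As an added example, not Plesk's own tooling, the same build-stamp check written as a reusable shell function: it parses the +tYYMMDD stamp out of the package version rather than matching any six-digit number, and reports "unknown" when a version string carries no stamp at all (as with the 18.0.70 package name quoted in the comments below), instead of printing nothing. The sample version strings in the test are constructed from the formats quoted on this page; the 250601 threshold is the one from the one-liner above.

```shell
#!/bin/sh
# Added example (not from the Plesk KB): classify a Roundcube package version
# string by its +tYYMMDD build stamp, the value the KB one-liner compares.

PATCH_BUILD=250601   # minimum build date stamp, taken from the KB command

# roundcube_status VERSION_STRING
# Prints "patched", "unpatched" or "unknown"; exit status 0, 1 or 2.
roundcube_status() {
    v="$1"
    # Pull the six digits that follow "+t" (e.g. "+t250603.2043" -> 250603).
    stamp=$(printf '%s\n' "$v" | sed -n 's/.*+t\([0-9]\{6\}\).*/\1/p')
    if [ -z "$stamp" ]; then
        # No build stamp in the string: the date comparison cannot decide,
        # so say so rather than silently printing nothing.
        echo unknown
        return 2
    fi
    if [ "$stamp" -lt "$PATCH_BUILD" ]; then
        echo unpatched
        return 1
    fi
    echo patched
    return 0
}

# check_installed: classify every roundcube package on this host,
# reading the package list from rpm or dpkg (whichever exists).
check_installed() {
    { rpm -qa 2>/dev/null || dpkg-query -W -f='${Package} ${Version}\n' 2>/dev/null; } \
        | grep -i roundcube \
        | while read -r line; do
            printf '%s: %s\n' "$line" "$(roundcube_status "$line")"
          done
}

# Run the host check only when invoked as: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

An "unknown" result is a prompt to confirm the package build another way (for example, against the Plesk change log), not a statement that the package is safe.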

If an update is not possible, apply the patch manually:

Note: These patches were not tested with Roundcube versions earlier than 1.4.x and 1.6.x.

Roundcube Webmail 1.6.10

  1. Download the patch to the server:

    # wget https://support.plesk.com/hc/en-us/article_attachments/32537223826583/patch-roundcube-1.6.10-CVE-2025-49113

  2. Apply it by running:

    # patch -p1 -d /usr/share/psa-roundcube < patch-roundcube-1.6.10-CVE-2025-49113

Roundcube Webmail 1.4.15 (CentOS 7 and Ubuntu 18)

  1. Download the patch to the server:

    # wget https://support.plesk.com/hc/en-us/article_attachments/32537223821463/patch-roundcube-1.4.15-CVE-2025-49113

  2. Apply it by running:

    # patch -p1 -d /usr/share/psa-roundcube < patch-roundcube-1.4.15-CVE-2025-49113


Comments

  • According to the CVE entry, only version 1.6.11 fixes this. In contrast, https://docs.plesk.com/release-notes/obsidian/change-log/ claims that the included update to 1.6.10 already solves this. Seems rather confusing.

  • The update installs “1.6.10-v.debian.12+p18.0.69.4+t250603.2043” (.4 instead of .3 before). This doesn't clearly state if the version is safe, quite the opposite actually. Plesk, please release version 1.6.11.

  • Hi, thank you for bringing this to our attention. While Roundcube version 1.6.11 includes multiple changes, to deliver the security update to our clients as quickly as possible, we chose to backport the fix to versions 1.6.10 and 1.4.15 instead.

  • After upgrading Plesk to 18.0.70-v.ubuntu.24.04, in Plesk/Tools and Settings/Plesk Components I see roundcube 1.6.10-v.ubuntu.24.04+p18.0.70.1, so this version would already be patched. Is this correct?

