Roundcube Webmail
PHP webmail front-end. A recurring CTF target thanks to SSTI/RCE and deserialization CVEs; the config file holds the IMAP/SMTP host, the DB DSN and the des_key used to encrypt stored passwords.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | HTTP |
| 443 | tcp | HTTPS |
Fingerprint
- Login at /, 'Roundcube Webmail' branding; version in /CHANGELOG or page source
- Often behind a /roundcube or /mail path
Key files
| Path | Holds | Sensitive |
|---|---|---|
| config/config.inc.php | IMAP/SMTP host, db_dsnw (DB creds), des_key | sensitive |
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2025-49113 | Authenticated PHP object deserialization RCE (Roundcube < 1.5.10 / 1.6.x) |
| CVE-2020-12641 | RCE via rcube_config option injection |
| CVE-2020-35730 | Stored XSS in plain-text message handling |
Exploitation primitives
- Phish/loot valid mailbox creds, then read mail for further credentials and internal hosts
- CVE-2025-49113: authenticated deserialization → RCE as the web user
- Read config.inc.php for the DB DSN and des_key (decrypts stored account passwords)
Overview
Roundcube is a PHP webmail client. Two angles: it’s a credential trove (mailboxes + the config’s DB/IMAP secrets) and it has a steady stream of RCE CVEs — always check the version first.
Authenticated RCE (CVE-2025-49113)
With a valid login, the deserialization PoC returns a shell:
python3 CVE-2025-49113.py http://<TARGET> user@target password 'id'
Loot the config
grep -E "db_dsnw|des_key|default_host" config/config.inc.php
The des_key decrypts the IMAP password stored in the session/DB.
Hardening
Patch Roundcube, enforce strong mailbox passwords + 2FA, restrict the install path, and protect config.inc.php.
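A config audit for the "protect config.inc.php" point, as an added example (not Roundcube's code and not from the original page): it flags a file that is world-readable or writable by group/other, a des_key left at the value shipped in config.inc.php.sample, and a DB password embedded in db_dsnw. The 24-character key check follows the sample config's guidance and is an assumption for installs using another cipher; the config in demo() is constructed.

```python
import os
import re
import stat
import tempfile

# Default des_key shipped in Roundcube's config.inc.php.sample
SAMPLE_DES_KEY = "rcmail-!24ByteDESkey*Str"
# Matches simple assignments such as: $config['des_key'] = 'value';
OPTION_RE = re.compile(r"""^\s*\$config\[['"](\w+)['"]\]\s*=\s*(['"])(.*?)\2\s*;""", re.M)

def parse_config(text):
    """Return the simple string options set in a config.inc.php body."""
    return {m.group(1): m.group(3) for m in OPTION_RE.finditer(text)}

def audit_config(path):
    """Return a list of hardening findings for one config.inc.php file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other")
    with open(path, encoding="utf-8", errors="replace") as fh:
        opts = parse_config(fh.read())
    key = opts.get("des_key")
    if key is None:
        findings.append("des_key not set")
    elif key == SAMPLE_DES_KEY:
        findings.append("des_key is the sample default")
    elif len(key) != 24:  # assumption: sample config asks for exactly 24 chars
        findings.append("des_key is not 24 characters")
    # A password inside db_dsnw means read access to the file is DB access
    if re.match(r"\w+://[^:/@]+:[^@]+@", opts.get("db_dsnw", "")):
        findings.append("db_dsnw embeds a DB password")
    return findings

def demo():
    """Audit a constructed sample config (all values are made up)."""
    sample = ("<?php\n"
              "$config['db_dsnw'] = 'mysql://roundcube:ExamplePass@localhost/roundcubemail';\n"
              "$config['des_key'] = 'rcmail-!24ByteDESkey*Str';\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.inc.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return audit_config(path)

if __name__ == "__main__":
    print(demo())
```

An empty list from audit_config() means none of these three conditions were found; it says nothing about the installed version, which still has to be checked against the CVE table.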