
CVE‑2025‑49113 is a post‑authentication remote‑code‑execution flaw that sat unnoticed in Roundcube’s code for ten years. A public proof‑of‑concept was released on 2 June 2025 and, within days, Shadowserver scans showed 84,000+ internet‑facing Roundcube servers still running vulnerable builds. Active exploitation has already been confirmed, prompting CISA to add the bug to its Known Exploited Vulnerabilities (KEV) catalogue on 10 June 2025.

What exactly happened?

Timeline

27 May 2025: Researcher Kirill Firsov privately reports a “_from” parameter deserialisation flaw in actions/settings/upload.php.
1 Jun 2025: Roundcube releases 1.6.11 / 1.5.10, closing the hole.
2 Jun 2025: PoC code published; mass‑scanning begins.
9 Jun 2025: BleepingComputer reports 84 k exposed hosts.
10 Jun 2025: CISA adds CVE‑2025‑49113 to the KEV list.

The bug is a classic PHP object‑deserialisation issue: an attacker who already has valid web‑mail credentials (easy to buy or phish) can send a crafted request that unserialises a malicious payload, leading to arbitrary code execution under the web‑server account. Because Roundcube ships embedded in cPanel, Plesk, DirectAdmin, ISPConfig and countless shared‑hosting images, the blast radius is huge.

Exploitation in the wild

Security weeklies and incident responders have already tied opportunistic smash‑and‑grab compromises to the PoC. In parallel, APT28 and other state‑linked actors, who historically weaponised Roundcube XSS bugs, have shifted to the new RCE for higher‑value espionage targets.

Shadowserver’s week‑long telemetry shows the vulnerable population falling only slowly from ~85 k to ~71 k hosts—a sign that many admins have not yet rolled out patches.

Zoom‑in: what does this mean for Nigeria?

  1. High exposure through reseller hosting
    Most Nigerian web‑hosts (TrueHost, WhoGoHost, QServers, DomainKing, etc.) rent cPanel/WHM boxes in US or EU data‑centres. Until those upstream providers push cPanel 118.0.46+ or 128.0.9+ (which bundle Roundcube 1.6.11), every shared domain on those servers remains exploitable—even if the local hoster has no direct root access.
  2. Government & SME installations
    We have already observed federal sub‑domains such as webmail.customs.gov.ng running Roundcube (version banner hidden, but build date 4 Jun 2025 predates the patch). Similar on‑prem Roundcube instances are common in universities, state agencies and fintech start‑ups.
  3. Estimated footprint
    Nigeria represents roughly 0.7 % of global Roundcube exposure according to Shadowserver’s country‑level tree‑map (~550–600 IPs on any given day). That may sound small, but the concentration in a few large hosting ASNs means a single compromised VPS node could cascade into thousands of mailboxes.
  4. Regulatory silence (so far)
    As of 19 June 2025, ngCERT has not issued a dedicated advisory, so many smaller providers may be unaware of the urgency.

Immediate actions for Nigerian hosts & admins

Action items, ranked, by audience

Shared‑hosting resellers
  1. Force an immediate “upcp” run, or request that your upstream provider apply cPanel ≥ 118.0.46.
  2. Verify that /usr/local/cpanel/base/roundcube/ contains Roundcube 1.6.11; anything lower is unsafe.
  3. Enable two‑factor auth for cPanel & webmail to raise the bar against credential‑stuffing.

On‑prem Roundcube operators
  1. Upgrade to 1.6.11 (or 1.5.10 LTS) from https://roundcube.net/download.
  2. Regenerate your config (composer install --no-dev --optimize-autoloader).
  3. Review /var/log/roundcube/errors and web‑server logs for unusual POSTs to ?_task=settings&_action=upload.

Enterprise SOC & MSPs
  1. Add CVE‑2025‑49113 IoCs to NIDS/WAF.
  2. Hunt for suspicious PHP processes spawned by apache/www-data.
  3. Follow CISA KEV deadlines (federal agencies must remediate by 1 July 2025).

End‑users
  Until your provider confirms the patch, avoid opening web‑mail on untrusted networks; prefer IMAP/SMTP over TLS with a desktop client.
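The two checks above (confirm the installed Roundcube build, and review web‑server logs for POSTs to the settings upload action) as a small POSIX shell script. This is an added example, not code from the original post or from the Roundcube project; it assumes the install exposes its version as the RCMAIL_VERSION constant in program/include/iniset.php, and the access‑log lines it runs against are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post or the Roundcube project).
# Two quick checks for a cPanel or self-hosted box, using the version floors
# from the advisory (1.6.11 for the 1.6.x branch, 1.5.10 for 1.5.x).

# installed_version DIR: print the Roundcube version of the install at DIR.
# Assumption: the RCMAIL_VERSION constant lives in program/include/iniset.php.
installed_version() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([0-9.]*\)').*/\1/p" \
        "$1/program/include/iniset.php" | head -n 1
}

# roundcube_is_patched VERSION: succeed if VERSION is at or above the fixed
# release for its branch. Unknown branches are treated as unpatched so the
# admin checks them by hand rather than getting a false "all clear".
roundcube_is_patched() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0          # no third component given
    case "$major.$minor" in
        1.6) [ "$patch" -ge 11 ] ;;
        1.5) [ "$patch" -ge 10 ] ;;
        *)   return 1 ;;
    esac
}

# hunt_upload_posts LOGFILE: print POST requests to the settings/upload action
# from a combined-format access log, in either parameter order. Identity
# signature-image uploads hit this endpoint legitimately, so volume per
# client and unusual user agents are the signal, not a single line.
hunt_upload_posts() {
    grep '"POST ' "$1" | grep '_task=settings' | grep '_action=upload'
}

# Constructed sample log lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG='203.0.113.7 - - [03/Jun/2025:10:15:22 +0100] "POST /roundcube/?_task=settings&_action=upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [03/Jun/2025:10:16:01 +0100] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2025:10:16:40 +0100] "POST /roundcube/?_action=upload&_task=settings HTTP/1.1" 200 498 "-" "python-requests/2.31"
192.0.2.9 - - [03/Jun/2025:10:17:05 +0100] "POST /roundcube/?_task=mail&_action=send HTTP/1.1" 200 300 "-" "Mozilla/5.0"'

demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo "settings/upload POSTs in sample log: $(hunt_upload_posts "$demo_log" | wc -l | tr -d ' ')"
rm -f "$demo_log"
for v in 1.6.10 1.6.11 1.5.9 1.5.10; do
    if roundcube_is_patched "$v"; then echo "$v: patched"; else echo "$v: UPGRADE"; fi
done
```

On a cPanel host, point installed_version at /usr/local/cpanel/base/roundcube and hunt_upload_posts at the per-domain Apache access logs.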

SiteHUB’s own infrastructure was patched on 18 June 2025 and is running Roundcube 1.6.11, so customers hosted with us are already protected.

Closing thoughts

CVE‑2025‑49113 is not “just another Roundcube XSS.” It is a full RCE lurking in millions of shared‑hosting email inboxes, weaponised within 48 hours of disclosure. Nigeria’s heavy dependence on foreign shared‑hosting makes the local ecosystem particularly slow to patch—yet the fix is literally a one‑line yum update. If you manage any cPanel or self‑hosted Roundcube instance and haven’t rebooted it since 1 June 2025, treat it as compromised until proven otherwise.

Stay safe, patch early, patch often!

Post By

admin
