I have 3 Debian 12 systems running ISPConfig 3.2.11p2 (and this has been working great btw). One of my client's tech guys recently did a scan and provided me with this info:

Our security monitoring has detected that the Roundcube Webmail service hosted at your end (IP: a.b.c.d, endpoint: /webmail) is potentially vulnerable to a critical remote code execution flaw — CVE-2025-49113. This vulnerability affects Roundcube Webmail versions prior to 1.5.10 and 1.6.11. It allows authenticated users to execute arbitrary code on the server via a deserialization issue in the _from parameter within program/actions/settings/upload.php.

Risk: Exploitation of this vulnerability could allow attackers to gain unauthorized access to the underlying server, compromise hosted email data, and execute arbitrary code, resulting in data breaches or operational disruption.

Action Required: Please review and address this issue: Patch/Upgrade Roundcube to version 1.5.10 or 1.6.11 (depending on your deployment branch).

It looks like my 3 servers are using Roundcube webmail 1.6.5. Each month I run:

Code:
apt-get update && apt-get upgrade

on all 3 servers. What is the recommended way to upgrade Roundcube? Thank you for your help.
Debian Security Tracker says that exploit is fixed in the Roundcube version Debian 12 is running. My guess is the security monitor just checks the version number of Roundcube, not whether the version is vulnerable to CVE-2025-49113.

https://security-tracker.debian.org/tracker/CVE-2025-49113

Check with command

Code:
apt policy roundcube

what version of roundcube is installed. If it is 1.6.5+dfsg-1+deb12u5 you are good.
I get:

Code:
root@dev:~# apt policy roundcube
roundcube:
  Installed: 1.6.5+dfsg-1+deb12u5
  Candidate: 1.6.5+dfsg-1+deb12u5
  Version table:
 *** 1.6.5+dfsg-1+deb12u5 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        500 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages
        100 /var/lib/dpkg/status
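The check the answer describes, worked through as an added example (this is not code from the thread, from ISPConfig or from Debian): it parses the `apt policy roundcube` output pasted above, compares the installed Debian package version against the bookworm package version the answer quotes from the Security Tracker using dpkg's version-ordering rules, and, for contrast, runs the upstream-only comparison a version-matching scanner does. The sample output and the fixed version string `1.6.5+dfsg-1+deb12u5` come from the thread; the comparison routine is a re-implementation of dpkg's ordering (assumed faithful for ordinary version strings), and on a real Debian host `dpkg --compare-versions` remains the authoritative tool.

```python
"""Compare a Debian package's installed version against the version in which the
distribution fixed a CVE, rather than against the bare upstream release number.
Added example for this thread; not code from ISPConfig, Debian or the posters."""
import re
import shutil
import subprocess

# Constructed from the `apt policy roundcube` output pasted in the thread.
SAMPLE_APT_POLICY = """roundcube:
  Installed: 1.6.5+dfsg-1+deb12u5
  Candidate: 1.6.5+dfsg-1+deb12u5
  Version table:
 *** 1.6.5+dfsg-1+deb12u5 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        500 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages
        100 /var/lib/dpkg/status
"""

FIXED_IN_BOOKWORM = "1.6.5+dfsg-1+deb12u5"  # Debian 12 package version quoted in the answer
UPSTREAM_FIXED = "1.6.11"                   # upstream 1.6.x release named in the scan report


def installed_version(policy_output):
    """Extract the 'Installed:' field from `apt policy <pkg>` output (None if absent)."""
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_output, re.M)
    if not m or m.group(1) == "(none)":
        return None
    return m.group(1)


def _order(c):
    # dpkg character weights: '~' sorts before everything (even end of string),
    # letters before non-letters; digits are compared numerically elsewhere.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream or revision fragment with dpkg's verrevcmp rules."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # run of non-digits: character-by-character with dpkg's weights
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # run of digits: numeric comparison, leading zeros ignored, longer run wins
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _sign(n):
    return (n > 0) - (n < 0)


def compare_versions(v1, v2):
    """Return -1, 0 or 1 following `dpkg --compare-versions` ordering (epoch, upstream, revision)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return _sign(e1 - e2)
    c = _cmp_fragment(u1, u2)
    return _sign(c) if c else _sign(_cmp_fragment(r1, r2))


def debian_status(policy_output, fixed_version=FIXED_IN_BOOKWORM):
    """Tracker-style check: installed package version >= the package version carrying the fix."""
    v = installed_version(policy_output)
    if v is None:
        return "not-installed"
    return "fixed" if compare_versions(v, fixed_version) >= 0 else "vulnerable"


def naive_upstream_status(policy_output, upstream_fixed=UPSTREAM_FIXED):
    """What a version-only scanner does: drop the Debian suffixes and compare 1.6.5 with 1.6.11."""
    v = installed_version(policy_output)
    if v is None:
        return "not-installed"
    return "fixed" if compare_versions(re.split(r"[+-]", v)[0], upstream_fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    output = SAMPLE_APT_POLICY
    if shutil.which("apt"):  # on a Debian host, read the live policy instead of the sample
        try:
            output = subprocess.run(["apt", "policy", "roundcube"], capture_output=True,
                                    text=True, check=True).stdout
        except (subprocess.CalledProcessError, OSError):
            pass
    print("installed:     ", installed_version(output))
    print("debian tracker:", debian_status(output))
    print("naive scanner: ", naive_upstream_status(output))
```

On the pasted output the tracker-style check reports `fixed` while the upstream-only comparison reports `vulnerable`, which is exactly the mismatch the answer attributes to the client's scanner: the backported fix lives in the `+deb12u5` revision, not in a newer upstream number.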