Patching Guidance
Due to a vulnerability in Roundcube, both Plesk and cPanel require an update. The update should be picked up automatically, but we recommend forcing it through rather than waiting for the next scheduled run. If you need assistance, please get in touch by visiting https://hostinguk.net/supportservices.php
- Plesk – https://support.plesk.com/hc/en-us/articles/32537488344343-CVE-2025-49113-Vulnerability-in-Roundcube-on-Plesk-servers
- cPanel – https://docs.cpanel.net/knowledge-base/general-systems-administration/how-to-update-your-system
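To confirm the forced update actually landed, here is an added check (not from this page or from either vendor) that reads the version Roundcube declares about itself and compares it against the fixed releases 1.5.10 and 1.6.11. The file locations and the RCMAIL_VERSION constant in iniset.php are assumptions about a typical cPanel or Plesk install; the sample file contents are constructed.

```python
import re
from pathlib import Path

# Fixed releases from the advisory; earlier versions on each branch are affected.
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}

# Assumed iniset.php locations on cPanel and Plesk hosts (verify on your server).
CANDIDATE_PATHS = [
    "/usr/local/cpanel/base/3rdparty/roundcube/program/include/iniset.php",
    "/usr/share/psa-roundcube/program/include/iniset.php",
]
# Roundcube declares its version as: define('RCMAIL_VERSION', '1.6.10');
DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")
# Constructed stand-in for that file, used when no real install is present.
SAMPLE_INISET = "<?php\n// constructed sample\ndefine('RCMAIL_VERSION', '1.6.10');\n"

def parse_version(text):
    """Return (major, minor, patch); suffixes such as '-git' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_from_iniset(php_source):
    """Extract the RCMAIL_VERSION string from iniset.php contents, or None."""
    m = DEFINE_RE.search(php_source)
    return m.group(1) if m else None

def is_vulnerable(version):
    """True if this release predates the fix for its branch (CVE-2025-49113)."""
    v = parse_version(version)
    if v[:2] in FIXED:
        return v < FIXED[v[:2]]
    # Branches older than 1.5 predate both fixes; newer branches ship with them.
    return v < FIXED[(1, 5)]

def check_host(paths=CANDIDATE_PATHS):
    """Return (path, version, vulnerable) for the first install found, else None."""
    for p in paths:
        f = Path(p)
        if f.is_file():
            ver = version_from_iniset(f.read_text(errors="replace"))
            if ver:
                return p, ver, is_vulnerable(ver)
    return None

if __name__ == "__main__":
    ver = (check_host() or (None, version_from_iniset(SAMPLE_INISET)))[1]
    print(ver, "VULNERABLE: force the update" if is_vulnerable(ver) else "patched")
```

Run it on the server after the update; if neither path exists on your host, adjust CANDIDATE_PATHS to where your panel installs Roundcube.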
Why cPanel and Plesk Must Urgently Patch Against CVE-2025-49113
In the ever-evolving landscape of cybersecurity, vigilance is not optional—it’s essential. The recent disclosure of CVE-2025-49113, a critical vulnerability in Roundcube Webmail, underscores this reality. Affecting versions prior to 1.5.10 and 1.6.11, this flaw allows remote code execution (RCE) by authenticated users, posing a significant threat to hosting environments that rely on Roundcube—most notably, cPanel and Plesk.
What Is CVE-2025-49113?
CVE-2025-49113 is a remote code execution vulnerability that exploits a flaw in Roundcube’s handling of user input. It allows authenticated users to execute arbitrary code on the server, potentially leading to full system compromise. This vulnerability had existed for over a decade and was only patched in June 2025.
Why It Matters for cPanel and Plesk Users
Both cPanel and Plesk integrate Roundcube as their default webmail client. This means that unless patched, any server running these control panels is potentially exposed. The implications are severe:
- Data Breach Risk: Attackers could access sensitive customer emails and credentials.
- System Compromise: Exploitation could lead to full control of the server.
- Reputation Damage: Hosting providers risk losing customer trust if breaches occur.
Final Thoughts
CVE-2025-49113 is a stark reminder of the importance of timely patching and proactive security management. For hosting providers and IT teams, the message is clear: patch now, or risk exposure. With both cPanel and Plesk offering clear remediation paths, there’s no excuse for delay.