RoundCube Webmail Deserialization of Untrusted Data (CVE-2025-49113)

union
  (
    CommonSecurityLog
    | where DeviceVendor =~ "Apache" or DeviceProduct has_any ("roundcube", "webmail")
    | where RequestURL has_any ("/index.php", "/_task=mail", "/_action=show")
    | where RequestURL matches regex @"(O:\d+:|a:\d+:|s:\d+:)"
    | project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, RequestMethod, AdditionalExtensions
  ),
  (
    W3CIISLog
    | where csUriStem has_any ("/index.php", "/roundcube")
    | where csUriQuery matches regex @"(O%3A|a%3A|s%3A|O:\d+:|a:\d+:)"
    | project TimeGenerated, sSiteName, csMethod, csUriStem, csUriQuery, cIP, scStatus
  ),
  (
    AuditLogs
    | where OperationName has "PHP" or TargetResources has "roundcube"
  )
| where TimeGenerated > ago(7d)
| extend SuspiciousPayload = iff(RequestURL matches regex @"(O:\d+:|a:\d+:|s:\d+:)" or csUriQuery matches regex @"(O%3A|a%3A|s%3A)", true, false)
| where SuspiciousPayload == true
| summarize Count=count(), DistinctPaths=make_set(RequestURL), DistinctSources=make_set(SourceIP) by bin(TimeGenerated, 1h), SourceIP
| where Count > 1

index=web OR index=proxy OR index=waf sourcetype IN (access_combined, iis, apache:access, nginx:plus:kv)
| where (uri_path IN ("/index.php", "/roundcube/index.php") OR uri_path LIKE "%roundcube%")
| eval serialized_in_uri=if(match(uri_query, "(O%3A|a%3A|s%3A|O:\\d+:|a:\\d+:|s:\\d+:)"), 1, 0)
| eval serialized_in_body=if(match(_raw, "(O:\\d+:\\"[a-zA-Z]+\"|a:\\d+:\\{|s:\\d+:\\")"), 1, 0)
| where serialized_in_uri=1 OR serialized_in_body=1
| eval attack_stage=case(
    match(uri_query, "_action=show"), "mail-read-exploitation",
    match(uri_query, "_task=mail"), "mail-task-exploitation",
    match(uri_query, "_action=upload"), "upload-exploitation",
    true(), "generic-deserialization"
  )
| stats count AS request_count, values(uri_path) AS paths, values(uri_query) AS queries, dc(src_ip) AS unique_sources BY src_ip, attack_stage, host
| where request_count >= 1
| sort -request_count

sequence by source.ip with maxspan=5m
  [network where event.category == "network" and
   destination.port in (80, 443, 8080, 8443) and
   url.path like~ "*roundcube*" and
   (
     url.query like~ "*O%3A*" or
     url.query like~ "*a%3A*" or
     url.query like~ "*s%3A*" or
     http.request.body.content like~ "*O:[0-9]*:*" or
     http.request.body.content like~ "*a:[0-9]*:{*"
   )
  ]
  [process where event.category == "process" and
   process.parent.name in ("apache2", "httpd", "nginx", "php", "php-fpm") and
   process.name not in ("php", "php-fpm", "apache2", "httpd") and
   (
     process.name in ("sh", "bash", "dash", "curl", "wget", "python", "python3", "perl", "ruby") or
     process.args like~ "*nc *" or
     process.args like~ "*ncat*" or
     process.args like~ "*/dev/tcp/*"
   )
  ]

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  URL,
  "HTTP Method",
  "HTTP Response Code",
  QIDNAME(qid) AS event_name,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Apache HTTP Server', 'Nginx', 'Microsoft IIS', 'Juniper SRX', 'Palo Alto PA Series')
  AND (
    URL ILIKE '%roundcube%'
    OR URL ILIKE '%/index.php%'
  )
  AND (
    URL ILIKE '%O%3A%'
    OR URL ILIKE '%a%3A%'
    OR URL ILIKE '%s%3A%'
    OR PAYLOADBYTES(payload, 500) ILIKE BINARY '%O:[0-9]%:%'
    OR PAYLOADBYTES(payload, 500) ILIKE BINARY '%a:[0-9]%:{%'
  )
  AND LOGSOURCEID > 0
  AND starttime > NOW() - 604800000
ORDER BY starttime DESC
LIMIT 1000

_sourceCategory=web/access OR _sourceCategory=proxy OR _sourceCategory=waf
| parse regex "(?<src_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) .* \"(?<method>GET|POST|PUT|PATCH) (?<uri>\\S+) HTTP" nodrop
| where uri matches "*roundcube*" or uri matches "*/index.php*"
| where uri matches "*O%3A*" or uri matches "*a%3A*" or uri matches "*s%3A*"
  OR _raw matches "O:[0-9]+:\\"" OR _raw matches "a:[0-9]+:{"
| eval deserialization_payload = if(uri matches "*O%3A*" OR uri matches "*a%3A*", "url_encoded", "body_encoded")
| count as hit_count, values(uri) as request_uris by src_ip, method, deserialization_payload
| where hit_count >= 1
| sort by hit_count desc

rule roundcube_deserialization_cve_2025_49113 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects PHP deserialization exploitation attempts against Roundcube Webmail (CVE-2025-49113)"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-49113"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1190"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.target.url.path = /.*roundcube.*/ nocase or
    $req.target.url.path = "/index.php" nocase
    (
      $req.target.url.query = /O%3A[0-9]+%3A/ nocase or
      $req.target.url.query = /a%3A[0-9]+%3A/ nocase or
      $req.target.url.query = /s%3A[0-9]+%3A/ nocase or
      $req.network.http.request_body = /O:[0-9]+:"[a-zA-Z]+"/ nocase or
      $req.network.http.request_body = /a:[0-9]+:\{/ nocase
    )

  condition:
    $req
}

#event_simpleName IN (NetworkConnectIP4, NetworkConnectIP6, HttpRequest)
| $HttpRequest.RequestURL = /roundcube|index\.php/i
| $HttpRequest.RequestURL = /(O%3A|a%3A|s%3A|O:[0-9]+:|a:[0-9]+:|s:[0-9]+:)/i
OR
(
  #event_simpleName = ProcessRollup2
  | ParentBaseFileName IN ("php", "php-fpm", "apache2", "httpd", "nginx")
  | FileName IN ("sh", "bash", "dash", "curl", "wget", "python3", "python", "perl")
  | CommandLine = /(nc |ncat|netcat|\/dev\/tcp|base64 -d|echo.*\|.*sh)/i
)
| groupBy([ComputerName, UserName, FileName, CommandLine, $HttpRequest.RequestURL], function=count(1, as=EventCount))
| sort(EventCount, order=desc)