Detect RoundCube Webmail Deserialization of Untrusted Data (CVE-2025-49113) in Microsoft Sentinel
CVE-2025-49113 is an actively exploited deserialization of untrusted data vulnerability (CWE-502) in Roundcube Webmail. When exploited, an attacker can send a specially crafted serialized PHP object via the web interface, leading to remote code execution on the underlying server. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and requires immediate patching to versions 1.5.10 or 1.6.11.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
KQL Detection Query
union
(
CommonSecurityLog
| where DeviceVendor =~ "Apache" or DeviceProduct has_any ("roundcube", "webmail")
| where RequestURL has_any ("/index.php", "/_task=mail", "/_action=show")
| where RequestURL matches regex @"(O:\d+:|a:\d+:|s:\d+:)"
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, RequestMethod, AdditionalExtensions
),
(
W3CIISLog
| where csUriStem has_any ("/index.php", "/roundcube")
| where csUriQuery matches regex @"(O%3A|a%3A|s%3A|O:\d+:|a:\d+:)"
| project TimeGenerated, sSiteName, csMethod, csUriStem, csUriQuery, cIP, scStatus
),
(
AuditLogs
| where OperationName has "PHP" or TargetResources has "roundcube"
)
| where TimeGenerated > ago(7d)
| extend SuspiciousPayload = iff(RequestURL matches regex @"(O:\d+:|a:\d+:|s:\d+:)" or csUriQuery matches regex @"(O%3A|a%3A|s%3A)", true, false)
| where SuspiciousPayload == true
| summarize Count=count(), DistinctPaths=make_set(RequestURL), DistinctSources=make_set(SourceIP) by bin(TimeGenerated, 1h), SourceIP
| where Count > 1Detects HTTP requests to Roundcube Webmail endpoints containing PHP serialized object patterns (O:, a:, s: prefixes) in URLs or query strings, indicative of CVE-2025-49113 deserialization exploitation attempts.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate PHP applications that include serialized data in URL parameters for state management
- Web Application Firewall testing or security scanning tools probing for deserialization vulnerabilities
- Automated vulnerability scanners (Nessus, Qualys, Rapid7) running authenticated scans against Roundcube
- Custom integrations or plugins that pass serialized PHP objects through URL parameters by design
Other platforms for CVE-2025-49113
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Roundcube Deserialization Probe via GET Parameter
Expected signal: HTTP GET request to Roundcube /index.php with O%3A in query string captured in web access logs; PHP error log may show unserialize() invocation
- Test 2Roundcube POST Body Deserialization with Crafted Object
Expected signal: POST request to Roundcube /index.php with serialized object in body captured by WAF or proxy; PHP error log records unserialize call or type error
- Test 3Web Shell Drop via Simulated Roundcube RCE
Expected signal: File creation event in Roundcube web root (inotify/auditd/EDR file write event); new .php file with non-standard name in web root directory
- Test 4Outbound Reverse Shell from PHP Process (Post-Exploitation Simulation)
Expected signal: Process creation event: www-data spawning bash with /dev/tcp redirect; outbound TCP connection from web server worker to port 4444; EDR network connection alert for web process initiating outbound shell
Unlock Pro Content
Get the full detection package for CVE-2025-49113 including response playbook, investigation guide, and atomic red team tests.