ET WEB_SPECIFIC_APPS Roundcube Post-Auth RCE via PHP Object Deserialization (CVE-2025-49113)

7.0.35.0SID: 2063428Rev: 2Enabled15 views
History
Sourceet/open
Fileemerging-web_specific_apps.rules
CreatedJuly 14, 2025
UpdatedJuly 14, 2026
Classificationweb-application-attack
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Roundcube Post-Auth RCE via PHP Object Deserialization (CVE-2025-49113)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"action|3d|upload"; fast_pattern; content:"_from|3d|"; pcre:"/^[^\x26]*?(?:%[cC]\d)?a-zA-Z?(?:\x3a|%3[aA])(?:(?:%[cC]\d)?\x2b)?(?:(?:%[cC]\d)?\d)+(?:%[cC]\d)?(?:\x3a|%3[aA])(?:(?:(?:%[cC]\d)?[a-zA-Z])?(?:%[cC]\d)?(?:\x3a|%3[aA])(?:(?:%[cC]\d)?\d)+(?:(?:%[cC]\d)?(?:\x3a|%3[aA]))?(?:(?:%[cC]\d)?(?:\x7b|%7[bB]))?|(?:%[cC]\d)?(?:\x22|%22)(?:(?![\x22\x3b\x7b\x7d]|%22|%[37][bB]|%7[dD]).)*(?:%[cC]\d)?(?:\x22|%22)|(?:%[cC]\d)?(?:\x3b|%3[bB])|(?:%[cC]\d)?(?:\x7d|%7[dD]))+/R"; http.request_body; content:"filename|3d 22|"; pcre:"/^[^\x22]*?preferences_time\x7cb\x3a\d+\x3b/R"; reference:url,fearsoff.org/research/roundcube; reference:cve,2025-49113; classtype:web-application-attack; sid:2063428; rev:2; metadata:affected_product Roundcube, attack_target Server, created_at 2025_07_14, cve CVE_2025_49113, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

Metadata

affected productRoundcube
attack targetServer
created at2025_07_14
deploymentInternal
confidenceHigh
signature severityMajor
tagExploit
updated at2026_07_14
mitre tactic idTA0001
mitre tactic nameInitial_Access
mitre technique idT1190
mitre technique nameExploit_Public_Facing_Application

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!