Object serialization has always been a tricky subject. Using serialization as a design pattern can lead to catastrophic consequences, such as remote code execution, when user input isn't properly validated.
A PHP serialized array presents a threat as well, not only a PHP serialized object.
A malformed serialized object presents a threat.
The malformed data leads PHP into unexpected behavior such as "heap use after free" and "buffer over-read". As of now, there is no public exploit that demonstrates a direct connection to remote code execution using this technique.
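The following is an added example, not part of the original page and not one of the ASM signatures. It sketches a strict pre-parse check that could sit in front of a PHP application and narrow what reaches `unserialize()`. It accepts only scalars and arrays whose declared lengths and counts match the bytes actually present. The function names, the depth cap and the sample inputs are assumptions made for illustration.

```python
import re

MAX_DEPTH = 16  # assumption: cap on array nesting, tune per application
# Scalars PHP's serialize() emits: null, bool, int, float.
_SCALAR = re.compile(
    rb'N;|b:[01];|i:[+-]?\d{1,19};'
    rb'|d:(?:NAN|-?INF|[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?);')
# Length-prefixed types we allow: s:<bytes>:"..."; and a:<count>:{...}
_HEAD = re.compile(rb'([sa]):(\d{1,9}):')

class Rejected(ValueError):
    """Not a well-formed, scalar/array-only PHP serialized value."""

def _value(buf, pos, depth, key=False):
    """Validate one value at pos and return the offset just past it."""
    m = _SCALAR.match(buf, pos)
    if m:
        if key and buf[pos:pos + 1] != b'i':  # array keys are int or string
            raise Rejected(f'bad array key at offset {pos}')
        return m.end()
    m = _HEAD.match(buf, pos)
    if not m:  # O:/C: objects, r:/R: references, truncated or unknown tokens
        raise Rejected(f'disallowed or malformed token at offset {pos}')
    kind, n, pos = m.group(1), int(m.group(2)), m.end()
    if kind == b's':
        end = pos + 1 + n  # offset of the closing quote the length promises
        if buf[pos:pos + 1] != b'"' or buf[end:end + 2] != b'";':
            raise Rejected(f'string length mismatch at offset {pos}')
        return end + 2
    if key or depth >= MAX_DEPTH or buf[pos:pos + 1] != b'{':
        raise Rejected(f'bad array at offset {pos}')
    pos += 1
    for _ in range(n):  # exactly n key/value pairs must follow
        pos = _value(buf, pos, depth + 1, key=True)
        pos = _value(buf, pos, depth + 1)
    if buf[pos:pos + 1] != b'}':
        raise Rejected(f'array count mismatch at offset {pos}')
    return pos + 1

def is_safe_php_serialized(buf: bytes) -> bool:
    """True only if buf is one complete value with no trailing bytes."""
    try:
        return _value(buf, 0, 0) == len(buf)
    except Rejected:
        return False

if __name__ == '__main__':
    for sample in (b'a:1:{i:0;s:2:"ok";}', b's:50:"short";'):  # constructed
        print(sample, is_safe_php_serialized(sample))
```

A check like this reduces the input space the PHP parser sees; it does not replace patching PHP or the signature-based mitigation described below.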
Mitigation Using ASM
An Attack Signature Update containing signatures designed to mitigate these vulnerabilities has already been released. The relevant signatures are: