Emerging Threat | high | experimental

Potential Java WebShell Upload in SAP NetViewer Server

Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions. This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetViewer.

Swachchhanda Shrawan Poudel (Nextron Systems) | Created Wed May 14 | 639b893f-f93a-4e53-a7c8-f08cf73fe7f7 | 2025
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Category: Web Server Log (raw: webserver)

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic
1 selector
detection:
    selection:
        cs-content-type: 'application/octet-stream'
        cs-method: 'POST'
        cs-uri-stem|contains|all:
            - '/irj/'
            - '.jsp'
        cs-uri-stem|endswith:
            - '.class'
            - '.java'
            - '.jsp'
    condition: selection
False Positives

Legitimate uploads of Java files in development environments
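
The selection above evaluated by hand over constructed access-log records, as an added example that is not part of the original rule or of any Sigma tooling. The sample records and their paths are made up, and matching is case-insensitive, following Sigma's default. Because `contains|all` requires '.jsp', a stem ending in '.class' or '.java' matches only when '.jsp' also appears somewhere in it.

```python
# Added illustration: applies the rule's field tests to constructed records.
# Field names come from the rule; every record below is made up.

def matches(event: dict) -> bool:
    """Return True when a record satisfies the rule's `selection`."""
    # Sigma compares strings case-insensitively unless a modifier says otherwise.
    ctype = event.get("cs-content-type", "").lower()
    method = event.get("cs-method", "").lower()
    stem = event.get("cs-uri-stem", "").lower()
    return (
        ctype == "application/octet-stream"
        and method == "post"
        # contains|all: every listed substring must be present
        and all(s in stem for s in ("/irj/", ".jsp"))
        # endswith with a list: any one suffix is enough
        and stem.endswith((".class", ".java", ".jsp"))
    )

def hits(events: list) -> list:
    """URI stems of the records that would raise an alert."""
    return [e["cs-uri-stem"] for e in events if matches(e)]

# Constructed sample records (not real traffic; paths are hypothetical).
SAMPLES = [
    {"cs-method": "POST", "cs-content-type": "application/octet-stream",
     "cs-uri-stem": "/irj/example/helper.jsp"},        # all conditions met
    {"cs-method": "POST", "cs-content-type": "application/octet-stream",
     "cs-uri-stem": "/irj/example/Helper.class"},      # ends in .class, lacks '.jsp'
    {"cs-method": "post", "cs-content-type": "Application/Octet-Stream",
     "cs-uri-stem": "/IRJ/example/page.jsp.java"},     # mixed case still matches
    {"cs-method": "GET", "cs-content-type": "application/octet-stream",
     "cs-uri-stem": "/irj/example/helper.jsp"},        # method is not POST
    {"cs-method": "POST", "cs-content-type": "application/x-www-form-urlencoded",
     "cs-uri-stem": "/irj/portal/login.jsp"},          # ordinary form post
]

if __name__ == "__main__":
    for stem in hits(SAMPLES):
        print("ALERT", stem)
```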

MITRE ATT&CK

Other

detection.emerging-threats, cve.2025-31324
Rule Metadata
Rule ID
639b893f-f93a-4e53-a7c8-f08cf73fe7f7
Status
experimental
Level
high
Type
Emerging Threat
Created
Wed May 14
Path
rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell_uploaded.yml
Raw Tags
attack.persistence, attack.t1505.003, detection.emerging-threats, cve.2025-31324