Emerging Threathighexperimental
Potential SAP NetViewer Webshell Command Execution
Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter. This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Wed May 1494e12f41-6cb3-45c5-97b1-c783a7bf2e722025
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Web Server Log
CategoryWeb Server Log← raw: webserver
HTTP access logs from web servers capturing request paths, methods, and status codes.
Detection Logic
Detection Logic2 selectors
detection:
selection_uri:
cs-uri-stem|contains|all:
- '/irj/'
- '.jsp'
selection_query:
- cs-uri-query|startswith:
- 'cmd='
- 'command='
- 'exec_cmd='
- 'exec='
- cs-uri-query|contains:
- '/dev/tcp'
- '/etc/passwd'
- '%2fdev%2ftcp' # URL encoded of /dev/tcp
- '%2fetc%2fpasswd' # URL encoded of /etc/passwd
- '=uname'
- '=whoami'
- 'ifconfig'
- 'ping'
- 'pwd'
- cs-uri-query|contains|all:
- 'echo'
- 'base64'
condition: all of selection_*False Positives
Legitimate applications using cmd parameter for non-malicious purposes
References
MITRE ATT&CK
Sub-techniques
Other
detection.emerging-threatscve.2025-31324
Rule Metadata
Rule ID
94e12f41-6cb3-45c5-97b1-c783a7bf2e72
Status
experimental
Level
high
Type
Emerging Threat
Created
Wed May 14
Path
rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell.yml
Raw Tags
attack.persistenceattack.t1505.003attack.initial-accessattack.t1190detection.emerging-threatscve.2025-31324