Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
Sigma rule
title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
    - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
    - https://www.exploit-db.com/exploits/39161
    - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-19
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1190
    - attack.t1505.003
    - cve.2014-6287
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_search:
        cs-uri-query|contains: '?search=%00{.'
    selection_payload:
        cs-uri-query|contains:
            - 'save|' # Indication of saving a file which shouldn't be tested by vuln scanners
            - 'powershell'
            - 'cmd.exe'
            - 'cmd /c'
            - 'cmd /r'
            - 'cmd /k'
            - 'cscript'
            - 'wscript'
            - 'python'
            - 'C:\Users\Public\'
            - '%comspec%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
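The rule fires only when a request matches both selections: the `?search=%00{.` marker and at least one of the payload strings. The following Python script is an added example (not part of the rule page or the Sigma project) that replays that logic over a handful of constructed access-log lines in Apache/nginx combined format, mapping the logged request target onto the rule's `cs-uri-query` field. Sigma's `contains` modifier is case-insensitive by default, so comparisons are lower-cased; matching is done on the raw, still percent-encoded query because the rule's pattern is the encoded form. The log lines, IP addresses and query strings are constructed for this example.

```python
"""Evaluate the CVE-2014-6287 Sigma rule's selections over constructed
web-server access-log lines (added example; not the rule page's own code)."""
import re

# Selection strings copied from the rule. Sigma 'contains' is case-insensitive
# by default, so every comparison below lower-cases both sides.
SELECTION_SEARCH = ["?search=%00{."]
SELECTION_PAYLOAD = [
    "save|", "powershell", "cmd.exe", "cmd /c", "cmd /r", "cmd /k",
    "cscript", "wscript", "python", "C:\\Users\\Public\\", "%comspec%",
]

# Apache/nginx combined log format (assumed for this example).
COMBINED_LOG_RE = re.compile(
    r'^(?P<c_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_access_log(text):
    """Turn combined-format lines into Sigma-style webserver events.

    The request target (path plus '?query') is stored as 'cs-uri-query',
    which is the field the rule inspects. Lines that do not parse are
    skipped; a production pipeline would count them instead."""
    events = []
    for line in text.splitlines():
        m = COMBINED_LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "c-ip": d["c_ip"],
            "cs-method": d["method"],
            "cs-uri-query": d["target"],
            "sc-status": int(d["status"]),
        })
    return events


def contains_any(value, needles):
    """Case-insensitive 'contains' over a list, mirroring Sigma's modifier."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(event):
    """condition: all of selection_* -> both selections must match."""
    q = event.get("cs-uri-query", "")
    return contains_any(q, SELECTION_SEARCH) and contains_any(q, SELECTION_PAYLOAD)


def run_detection(text):
    """Return the events that would raise this rule's alert."""
    return [e for e in parse_access_log(text) if matches_rule(e)]


# Constructed sample log: a normal search, a marker-only probe (no payload
# string, so no alert), a request hitting both selections, a benign query that
# contains only a payload word, and an upper-cased variant of a full match.
SAMPLE_LOG = r"""
198.51.100.7 - - [19/Jul/2022:10:00:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 1420
198.51.100.7 - - [19/Jul/2022:10:00:05 +0000] "GET /?search=%00{.test.} HTTP/1.1" 200 1420
203.0.113.9 - - [19/Jul/2022:10:01:12 +0000] "GET /?search=%00{.save|C:\Users\Public\x.txt|x.} HTTP/1.1" 200 1420
198.51.100.7 - - [19/Jul/2022:10:02:00 +0000] "GET /?search=python%20notes HTTP/1.1" 200 1420
203.0.113.9 - - [19/Jul/2022:10:03:30 +0000] "GET /?SEARCH=%00{.CMD.EXE.} HTTP/1.1" 200 1420
"""

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG):
        print(f"ALERT {hit['c-ip']} {hit['cs-method']} {hit['cs-uri-query']}")
```

Two of the five constructed lines raise an alert. The marker-only probe on the second line does not, which is the behaviour the rule's inline comment describes: scanners that send the `%00{.` marker without a payload string are deliberately left out, so the rule keys on requests that carry a file-save or interpreter indicator as well. Note that the rule's `?search=%00{.` pattern includes the leading `?`, so the field it is mapped to must contain the request target with its query string intact, as this example does.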
Related rules
- Potential SAP NetViewer Webshell Command Execution
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Oracle WebLogic Exploit
- Potential SAP NetWeaver Webshell Creation
- Potential SAP NetWeaver Webshell Creation - Linux