Potential Java WebShell Upload in SAP NetViewer Server
Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions. This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetViewer.
Sigma rule
title: Potential Java WebShell Upload in SAP NetViewer Server
id: 639b893f-f93a-4e53-a7c8-f08cf73fe7f7
status: experimental
description: |
    Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions.
    This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetViewer.
references:
    - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-14
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.emerging-threats
    - cve.2025-31324
logsource:
    category: webserver
detection:
    selection:
        cs-content-type: 'application/octet-stream'
        cs-method: 'POST'
        cs-uri-stem|contains|all:
            - '/irj/'
            - '.jsp'
        cs-uri-stem|endswith:
            - '.class'
            - '.java'
            - '.jsp'
    condition: selection
falsepositives:
    - Legitimate uploads of Java files in development environments
level: high
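To make the selection's modifier semantics concrete, here is an added example (not part of the SigmaHQ rule or its tooling) that evaluates the rule's `selection` map in Python over constructed webserver log records; the sample URIs, the `SAMPLE_LOGS` records and the helper function names are assumptions made for illustration.

```python
# Added example, not part of the SigmaHQ rule: a minimal evaluator for this rule's
# `selection` over constructed webserver log records (dicts keyed by the rule's fields).
# Every key in a Sigma selection map is AND-ed; list values are OR-ed unless `all` is set.
SELECTION = {
    "cs-content-type": "application/octet-stream",
    "cs-method": "POST",
    "cs-uri-stem|contains|all": ["/irj/", ".jsp"],
    "cs-uri-stem|endswith": [".class", ".java", ".jsp"],
}


def _field_matches(record: dict, key: str, expected) -> bool:
    """Evaluate one `field|modifier...` entry against a record, Sigma-style."""
    field, *modifiers = key.split("|")
    value = str(record.get(field, "")).lower()  # Sigma string matching is case-insensitive
    patterns = [p.lower() for p in (expected if isinstance(expected, list) else [expected])]
    if "contains" in modifiers:
        hits = [p in value for p in patterns]
    elif "endswith" in modifiers:
        hits = [value.endswith(p) for p in patterns]
    else:  # no modifier: exact match
        hits = [value == p for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)


def rule_matches(record: dict) -> bool:
    """True when the record satisfies every selection entry (`condition: selection`)."""
    return all(_field_matches(record, k, v) for k, v in SELECTION.items())


# Constructed sample records using the W3C/IIS-style field names the rule expects.
SAMPLE_LOGS = [
    {"cs-method": "POST", "cs-content-type": "application/octet-stream",
     "cs-uri-stem": "/irj/portal/helper.jsp"},  # all four entries satisfied
    {"cs-method": "POST", "cs-content-type": "application/octet-stream",
     "cs-uri-stem": "/irj/portal/upload.class"},  # endswith ok, but '.jsp' substring missing
    {"cs-method": "GET", "cs-content-type": "application/octet-stream",
     "cs-uri-stem": "/irj/portal/helper.jsp"},  # wrong method
    {"cs-method": "POST", "cs-content-type": "multipart/form-data",
     "cs-uri-stem": "/irj/portal/helper.jsp"},  # wrong Content-Type
]


def matching_uris(records=SAMPLE_LOGS) -> list:
    """Return the cs-uri-stem of every record that triggers the rule."""
    return [r["cs-uri-stem"] for r in records if rule_matches(r)]
```

Note that the two `cs-uri-stem` entries are AND-ed, so a `.class` or `.java` upload only triggers the rule when the path also contains the `.jsp` substring somewhere.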
Related rules
- Potential SAP NetViewer Webshell Command Execution
- MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- DEWMODE Webshell Access
- Oracle WebLogic Exploit