YARA rules for CVE-2025-31324
2 rules · scoped to cve · back to CVE-2025-31324
YARA rules whose family, name, or description matches this cve or its tooling. Use these for binary-pattern hunts.
rule APT_SAP_NetWeaver_Exploitation_Activity_Apr25_1 : SCRIPT {
meta:
description = "Detects forensic artefacts related to exploitation activity of SAP NetWeaver CVE-2025-31324"
reference = "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/"
author = "Florian Roth"
date = "2025-04-25"
score = 70
strings:
$x01 = "/helper.jsp?cmd=" ascii wide
$x02 = "/cache.jsp?cmd=" ascii wide
condition:
filesize < 20MB and 1 of them
}
rule APT_SAP_NetWeaver_Exploitation_Activity_Apr25_2 : SCRIPT {
meta:
description = "Detects forensic artefacts related to exploitation activity of SAP NetWeaver CVE-2025-31324"
reference = "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/"
author = "Florian Roth"
date = "2025-04-25"
score = 70
strings:
$x03 = "MSBuild.exe c:\\programdata\\" ascii wide
condition:
filesize < 20MB and 1 of them
}