
Spring RCE post-exploitation activity attempted







This rule detects attempted post-exploitation activity of CVE-2022-22965 with an HTTP GET parameter.


This rule looks for @http.url_details.path = <RANDOM_FILE_NAME>.jsp, @http.url_details.queryString.pwd = *, and @http.url_details.queryString.cmd = <RANDOM_CMD_EXECUTION>. When all three are found, the request indicates web shell activity observed with successful Spring RCE exploitation.
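The same three conditions can be checked against raw web server access logs when hunting outside the rule. This is an added example, not the rule's own implementation; the combined log format, the sample lines, the function names, and the two matching choices marked in the comments are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOGS = [
    '203.0.113.7 - - [31/Mar/2022:10:00:01 +0000] "GET /qzxwv.jsp?pwd=EXAMPLE&cmd=id HTTP/1.1" 200 48',
    '203.0.113.7 - - [31/Mar/2022:10:00:02 +0000] "GET /index.jsp?page=2 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [31/Mar/2022:10:00:03 +0000] "GET /docs/help.html?cmd=print&pwd=1 HTTP/1.1" 200 900',
    '198.51.100.4 - - [31/Mar/2022:10:00:04 +0000] "GET /app/report.jsp?cmd=export HTTP/1.1" 200 310',
    '192.0.2.9 - - [31/Mar/2022:10:00:05 +0000] "GET /uploads/k3j2.jsp?cmd=hostname%20-f&pwd= HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def match_rule(line):
    """Return triage fields if the line meets all three rule conditions, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Assumption: the .jsp comparison is case-insensitive.
    if not url.path.lower().endswith(".jsp"):
        return None
    # Assumption: "pwd = *" means the parameter is present, even if empty.
    query = parse_qs(url.query, keep_blank_values=True)
    if "pwd" not in query or "cmd" not in query:
        return None
    return {
        "client": m["client"],
        "path": url.path,
        "cmd": query["cmd"][0],       # percent-decoded, for the host-side check
        "status": int(m["status"]),   # a hint only; it does not prove execution
    }

def find_hits(lines):
    """Apply the rule to every line and keep only the matches."""
    return [hit for hit in map(match_rule, lines) if hit]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print(hit)
```

The decoded `cmd` value is what to look for in host process telemetry during triage; the HTTP status alone does not show whether the command ran.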

Triage and response

Check your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. If so:

  • Refer to your company’s Incident Response process, since this rule detects post-exploitation activity.
  • Refer to the vendor’s advisory for remediation of this Remote Code Execution (RCE) vulnerability.


  • 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.
  • 31 March 2022 - Rule added in response to CVE-2022-22965