LoFP LoFP / web application

TitleTags
false positives may vary based on cisco ai defense configuration; monitor and filter out the alerts that are not relevant to your environment.
false positives should be limited, however tune or filter as needed.
legitimate new account creation by authorized administrators will generate similar log entries. however, those should include proper authentication details. verify any detected events against expected administrative activities and authorized user lists.
limited false positives should occur as this pattern is highly specific to cve-2025-24813 exploitation. however, legitimate application errors that use similar cookie patterns and result in 500 status codes might trigger false positives. review the jsessionid cookie format and the associated request context to confirm exploitation attempts.
no known false positives for this detection. if the alerts are noisy, consider tuning this detection by using the _filter macro in this search, and/or updating the tool this alert originates from.
some legitimate applications might use put requests to create .session files, especially in custom implementations that leverage tomcat's session persistence mechanism. verify if the detected activity is part of a normal application flow or if it correlates with other suspicious behavior, such as subsequent get requests with manipulated jsessionid cookies.