LoFP

Limited false positives should occur, as this pattern is highly specific to CVE-2025-24813 exploitation. However, legitimate application errors that use similar cookie patterns and result in HTTP 500 status codes might trigger false positives. Review the JSESSIONID cookie format and the associated request context to confirm exploitation attempts.

Techniques

Sample rules

Tomcat Session Deserialization Attempt

Description

This detection identifies potential exploitation of CVE-2025-24813 in Apache Tomcat at the second stage of the attack. This phase occurs when an attacker attempts to trigger deserialization of a previously uploaded malicious session file by sending a GET request with a specially crafted JSESSIONID cookie. Such requests have specific characteristics: the JSESSIONID cookie value begins with a dot and matches a previously uploaded filename, and the request typically results in an HTTP 500 error when the exploitation succeeds.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method=GET AND Web.cookie="*JSESSIONID=.*" AND Web.status=500 by Web.src, Web.dest, Web.http_user_agent, Web.uri_path, Web.cookie, Web.status
| `drop_dm_object_name("Web")`
| where match(cookie, "^JSESSIONID=\.")
| rex field=cookie "JSESSIONID=\.(?<cookie_path>[^;]+)"
| eval severity="High"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `tomcat_session_deserialization_attempt_filter`
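The same filter, regex extraction and tstats-style aggregation expressed in Python and run over a handful of constructed web events, so the match and non-match cases can be checked offline. This is an added example, not the LoFP page's or Splunk's own code; the event dictionaries, field names and the `detect`/`match_event` helpers are assumptions modelled on the Web data model fields used above (the `by` key here drops http_user_agent and status for brevity).

```python
import re
from collections import defaultdict

# Mirrors the SPL rule: GET + cookie value starting with "JSESSIONID=." + status 500,
# extract the dotted session name as cookie_path, then aggregate like tstats does.
COOKIE_RE = re.compile(r"^JSESSIONID=\.(?P<cookie_path>[^;]+)")

# Constructed sample events (not real logs); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1741000000, "http_method": "GET", "status": 500, "src": "203.0.113.7",
     "dest": "10.0.0.5", "uri_path": "/index.jsp", "cookie": "JSESSIONID=.sess1; Path=/"},
    {"_time": 1741000030, "http_method": "GET", "status": 500, "src": "203.0.113.7",
     "dest": "10.0.0.5", "uri_path": "/index.jsp", "cookie": "JSESSIONID=.sess1; Path=/"},
    # Ordinary application error: status 500 but no leading dot -> not matched
    {"_time": 1741000040, "http_method": "GET", "status": 500, "src": "198.51.100.2",
     "dest": "10.0.0.5", "uri_path": "/app", "cookie": "JSESSIONID=ABC123"},
    # Dotted cookie but status 200 -> not matched by this rule
    {"_time": 1741000050, "http_method": "GET", "status": 200, "src": "203.0.113.7",
     "dest": "10.0.0.5", "uri_path": "/index.jsp", "cookie": "JSESSIONID=.sess1"},
    # POST with dotted cookie -> not matched (this stage is GET-only)
    {"_time": 1741000060, "http_method": "POST", "status": 500, "src": "203.0.113.7",
     "dest": "10.0.0.5", "uri_path": "/up", "cookie": "JSESSIONID=.other"},
]

def match_event(ev):
    """Return the extracted cookie_path if the event satisfies the rule, else None."""
    if ev.get("http_method") != "GET" or ev.get("status") != 500:
        return None
    m = COOKIE_RE.match(ev.get("cookie", ""))   # anchored, like ^JSESSIONID=\.
    return m.group("cookie_path") if m else None

def detect(events):
    """Group matching events by (src, dest, uri_path, cookie) with count/first/last time."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        cookie_path = match_event(ev)
        if cookie_path is None:
            continue
        g = groups[(ev["src"], ev["dest"], ev["uri_path"], ev["cookie"])]
        t = ev["_time"]
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["cookie_path"] = cookie_path
        g["severity"] = "High"
    return {k: dict(v) for k, v in groups.items()}

if __name__ == "__main__":
    for key, agg in detect(SAMPLE_EVENTS).items():
        print(key, agg)
```

Only the two GET/500 requests with the dotted cookie survive; the plain-cookie 500 (the false-positive case the LoFP note describes) is excluded by the regex, which is why the cookie format is the field to review when triaging a hit.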