cloudflare
diff --git a/‎src/content/changelog/waf/2025-08-11-waf-release.mdx
Lines changed: 276 additions & 0 deletions b/‎src/content/changelog/waf/2025-08-11-waf-release.mdx
Lines changed: 276 additions & 0 deletions
@@ -0,0 +1,276 @@
+---
+title: "WAF Release - 2025-08-11"
+description: Cloudflare WAF managed rulesets 2025-08-11 release
+date: 2025-08-11
+---
+
+import { RuleID } from "~/components";
+
+This week's update focuses on a wide range of enterprise software, from network infrastructure and security platforms to content management systems and development frameworks. Flaws include unsafe deserialization, OS command injection, SSRF, authentication bypass, and arbitrary file upload — many of which allow unauthenticated remote code execution. Notable risks include Cisco Identity Services Engine and Ivanti EPMM, where successful exploitation could grant attackers full administrative control of core network infrastructure and popular web services such as WordPress, SharePoint, and Ingress-Nginx, where security bypasses and arbitrary file uploads could lead to complete site or server compromise.
+
+
+**Key Findings**
+
+- Cisco Identity Services Engine (CVE-2025-20281): Insufficient input validation in a specific API of Cisco Identity Services Engine (ISE) and ISE-PIC allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device.
+
+- Wazuh Server (CVE-2025-24016): An unsafe deserialization vulnerability in Wazuh Server (versions 4.4.0 to 4.9.0) allows for remote code execution and privilege escalation. By injecting unsanitized data, an attacker can trigger an exception to execute arbitrary code on the server.
+
+
+- CrushFTP (CVE-2025-54309): A flaw in AS2 validation within CrushFTP allows remote attackers to gain administrative access via HTTPS on systems not using the DMZ proxy feature. This flaw can lead to unauthorized file access and potential system compromise.
+
+
+- Kentico Xperience CMS (CVE-2025-2747, CVE-2025-2748): Vulnerabilities in Kentico Xperience CMS could enable cross-site scripting (XSS), allowing attackers to inject malicious scripts into web pages. Additionally, a flaw could allow unauthenticated attackers to bypass the Staging Sync Server's authentication, potentially leading to administrative control over the CMS.
+
+
+- Node.js (CVE-2025-27210): An incomplete fix for a previous vulnerability (CVE-2025-23084) in Node.js affects the `path.join()` API method on Windows systems. The vulnerability can be triggered using reserved Windows device names such as `CON`, `PRN`, or `AUX`.
+
+- WordPress:Plugin:Simple File List (CVE-2025-34085, CVE-2020-36847): 
+This vulnerability in the Simple File List plugin for WordPress allows an unauthenticated remote attacker to upload arbitrary files to a vulnerable site. This can be exploited to achieve remote code execution on the server.<br/>
+(Note: CVE-2025-34085 has been rejected as a duplicate.)
+
+
+- GeoServer (CVE-2024-29198): A Server-Side Request Forgery (SSRF) vulnerability exists in GeoServer's Demo request endpoint, which can be exploited where the Proxy Base URL has not been configured.
+
+- Ivanti EPMM (CVE-2025-6771): An OS command injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) before versions 12.5.0.2, 12.4.0.3, and 12.3.0.3 allows a remote, authenticated attacker with high privileges to execute arbitrary code.
+
+- Microsoft SharePoint (CVE-2024-38018): This is a remote code execution vulnerability affecting Microsoft SharePoint Server.
+
+- Manager-IO (CVE-2025-54122): A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability is present in the proxy handler of both Manager Desktop and Server editions up to version 25.7.18.2519. This allows an unauthenticated attacker to bypass network isolation and access internal services.
+
+- Ingress-Nginx (CVE-2025-1974): A vulnerability in the Ingress-Nginx controller for Kubernetes allows an attacker to bypass access control rules. An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. 
+
+- PaperCut NG/MF (CVE-2023-2533): A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF. Under specific conditions, an attacker could exploit this to alter security settings or execute arbitrary code if they can deceive an administrator with an active login session into clicking a malicious link.
+
+- SonicWall SMA (CVE-2025-40598): This vulnerability could allow an unauthenticated attacker to bypass security controls. This allows a remote, unauthenticated attacker to potentially execute arbitrary JavaScript code.
+
+- WordPress (CVE-2025-5394): The "Alone – Charity Multipurpose Non-profit WordPress Theme" for WordPress  is vulnerable to arbitrary file uploads. A missing capability check allows unauthenticated attackers to upload ZIP files containing webshells disguised as plugins, leading to remote code execution.
+
+
+**Impact**
+
+These vulnerabilities span a broad range of enterprise technologies, including network access control systems, monitoring platforms, web servers, CMS platforms, cloud services, and collaboration tools. Exploitation techniques range from remote code execution and command injection to authentication bypass, SQL injection, path traversal, and configuration weaknesses.
+
+A critical flaw in perimeter devices like Ivanti EPMM or SonicWall SMA could allow an unauthenticated attacker to gain remote code execution, completely breaching the primary network defense. A separate vulnerability within Cisco's Identity Services Engine could then be exploited to bypass network segmentation, granting an attacker widespread internal access. Insecure deserialization issues in platforms like Wazuh Server and CrushFTP could then be used to run malicious payloads or steal sensitive files from administrative consoles. Weaknesses in web delivery controllers like Ingress-Nginx or popular content management systems such as WordPress, SharePoint, and Kentico Xperience create vectors to bypass security controls, exfiltrate confidential data, or fully compromise servers. 
+
+<table style="width: 100%">
+  <thead>
+    <tr>
+      <th>Ruleset</th>
+      <th>Rule ID</th>
+      <th>Legacy Rule ID</th>
+      <th>Description</th>
+      <th>Previous Action</th>
+      <th>New Action</th>
+      <th>Comments</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="ec6480c81253494b947d891e51bc8df1" />
+      </td>
+      <td>100538</td>
+      <td>GeoServer - SSRF - CVE:CVE-2024-29198</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="b8cb07170b5e4c2b989119cac9e0b290" />
+      </td>
+      <td>100548</td>
+      <td>Ivanti EPMM - Remote Code Execution - CVE:CVE-2025-6771</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="b3524bf5f5174b65bc892122ad93cda8" />
+      </td>
+      <td>100550</td>
+      <td>Microsoft SharePoint - Remote Code Execution - CVE:CVE-2024-38018</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="e1369c5d629f4f10a14141381dca5738" />
+      </td>
+      <td>100562</td>
+      <td>Manager-IO - SSRF - CVE:CVE-2025-54122</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="136f67e2b6a84f15ab9a82a52e9137e1" />
+      </td>
+      <td>100565</td>
+      <td>
+        Cisco Identity Services Engine - Remote Code Execution -
+        CVE:CVE-2025-20281
+      </td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="ed759f7e44184fa398ef71785d8102e1" />
+      </td>
+      <td>100567</td>
+      <td>Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1974</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="71b8e7b646f94d79873213cd99105c43" />
+      </td>
+      <td>100569</td>
+      <td>PaperCut NG/MF - Remote Code Execution - CVE:CVE-2023-2533</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="2450bfbb0cfb4804b109d1c42c81dc88" />
+      </td>
+      <td>100571</td>
+      <td>SonicWall SMA - XSS - CVE:CVE-2025-40598</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="8ce1903b67e24205a93f5fe6926c96d4" />
+      </td>
+      <td>100573</td>
+      <td>WordPress - Dangerous File Upload - CVE:CVE-2025-5394</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="7fdb3c7bc7b74703aeef4ab240ec2fda" />
+      </td>   
+      <td>100806</td>      
+      <td>Wazuh Server - Remote Code Execution - CVE:CVE-2025-24016</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="fe088163f51f4928a3c8d91e2401fa3b" />
+      </td>
+      <td>100824</td>
+      <td>CrushFTP - Remote Code Execution - CVE:CVE-2025-54309</td>
+      <td>Log</td>
+      <td>Block</td>      
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="3638baed75924604987b86d874920ace" />
+      </td>
+      <td>100824A</td>
+      <td>CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 - 2</td>
+      <td>Log</td>
+      <td>Block</td>      
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="dda4f95b3a3e4ebb9e194aa5c7e63549" />
+      </td>
+      <td>100825</td>
+      <td>AMI MegaRAC - Auth Bypass - CVE:CVE-2024-54085</td>
+      <td>Log</td>
+      <td>Block</td> 
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="7dc07014cefa4ce9adf21da7b79037e6" />
+      </td>
+      <td>100826</td>
+      <td>Kentico Xperience CMS - Auth Bypass - CVE:CVE-2025-2747</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="7c7a0a37e79a4949ba840c9acaf261aa" />
+      </td>
+      <td>100827</td>
+      <td>Kentico Xperience CMS - XSS - CVE:CVE-2025-2748</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="54dd826f578c483196ce852b6f1c2d12" />
+      </td>
+      <td>100828</td>
+      <td>Node.js - Directory Traversal - CVE:CVE-2025-27210</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="a2867f7456c14213a94509a40341fccc" />
+      </td>
+      <td>100829</td>
+      <td>
+        WordPress:Plugin:Simple File List - Remote Code Execution -
+        CVE:CVE-2025-34085
+      </td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="4cdb0e792d1a428a897526624cefeeda" />
+      </td>
+      <td>100829A</td>
+      <td>
+        WordPress:Plugin:Simple File List - Remote Code Execution -
+        CVE:CVE-2025-34085 - 2
+      </td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+  </tbody>
+</table>