
Commit d262ec2

Release 18th August WAFMR (#24494)
1 parent 6f690d6 commit d262ec2

2 files changed

+184
-103
lines changed

Lines changed: 169 additions & 0 deletions
@@ -0,0 +1,169 @@
1+
---
2+
title: "WAF Release - 2025-08-18"
3+
description: Cloudflare WAF managed rulesets 2025-08-18 release
4+
date: 2025-08-18
5+
---
6+
7+
import { RuleID } from "~/components";
8+
9+
This week's update
10+
11+
This week, a series of critical vulnerabilities were discovered impacting core enterprise and open-source infrastructure. These flaws present a range of risks, providing attackers with distinct pathways for remote code execution, methods to breach internal network boundaries, and opportunities for critical data exposure and operational disruption.
12+
13+
14+
**Key Findings**
15+
16+
- SonicWall SMA (CVE-2025-32819, CVE-2025-32820, CVE-2025-32821): A remote authenticated attacker with SSLVPN user privileges can bypass path traversal protections. These vulnerabilities enable a attacker to bypass security checks to read, modify, or delete arbitrary files. An attacker with administrative privileges can escalate this further, using a command injection flaw to upload malicious files, which could ultimately force the appliance to reboot to its factory default settings.
17+
18+
- Ms-Swift Project (CVE-2025-50460): An unsafe deserialization vulnerability exists in the Ms-Swift project's handling of YAML configuration files.If an attacker can control the content of a configuration file passed to the application, they can embed a malicious payload that will execute arbitrary code and it can be executed during deserialization.
19+
20+
- Apache Druid (CVE-2023-25194): This vulnerability in Apache Druid allows an attacker to cause the server to connect to a malicious LDAP server. By sending a specially crafted LDAP response, the attacker can trigger an unrestricted deserialization of untrusted data. If specific "gadgets" (classes that can be abused) are present in the server's classpath, this can be escalated to achieve Remote Code Execution (RCE).
21+
22+
- Tenda AC8v4 (CVE-2025-51087, CVE-2025-51088): Vulnerabilities allow an authenticated attacker to trigger a stack-based buffer overflow. By sending malformed arguments in a request to specific endpoints, an attacker can crash the device or potentially achieve arbitrary code execution.
23+
24+
- Open WebUI (CVE-2024-7959): This vulnerability allows a user to change the OpenAI URL endpoint to an arbitrary internal network address without proper validation. This flaw can be exploited to access internal services or cloud metadata endpoints, potentially leading to remote command execution if the attacker can retrieve instance secrets or access sensitive internal APIs.
25+
26+
- BentoML (CVE-2025-54381): The vulnerability exists in the serialization/deserialization handlers for multipart form data and JSON requests, which automatically download files from user-provided URLs without proper validation of internal network addresses. This allowing attackers to fetch from unintended internal services—including cloud metadata and localhost.
27+
28+
- Adobe Experience Manager Forms (CVE-2025-54254): AN Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read in Adobe AEM (≤6.5.23).
29+
30+
**Impact**
31+
32+
These vulnerabilities affect core infrastructure, from network security appliances like SonicWall to data platforms such as Apache Druid and ML frameworks like BentoML. The code execution and deserialization flaws are particularly severe, offering deep system access that allows attackers to steal data, disrupt services, and establish a foothold for broader intrusions. Simultaneously, SSRF and XXE vulnerabilities undermine network boundaries, exposing sensitive internal data and creating pathways for lateral movement. Beyond data-centric threats, flaws in edge devices like the Tenda router introduce the tangible risk of operational disruption, highlighting a multi-faceted threat to the security and stability of key enterprise systems.
33+
34+
<table style="width: 100%">
35+
<thead>
36+
<tr>
37+
<th>Ruleset</th>
38+
<th>Rule ID</th>
39+
<th>Legacy Rule ID</th>
40+
<th>Description</th>
41+
<th>Previous Action</th>
42+
<th>New Action</th>
43+
<th>Comments</th>
44+
</tr>
45+
</thead>
46+
<tbody>
47+
<tr>
48+
<td>Cloudflare Managed Ruleset</td>
49+
<td>
50+
<RuleID id="326ebb56d46a4c269bb699d3418d9a3b" />
51+
</td>
52+
<td>100574</td>
53+
<td>SonicWall SMA - Remote Code Execution - CVE:CVE-2025-32819, CVE:CVE-2025-32820, CVE:CVE-2025-32821</td>
54+
<td>Log</td>
55+
<td>Disabled</td>
56+
<td>This is a New Detection</td>
57+
</tr>
58+
<tr>
59+
<td>Cloudflare Managed Ruleset</td>
60+
<td>
61+
<RuleID id="69f4f161dec04aca8a73a3231e6fefdb" />
62+
</td>
63+
<td>100576</td>
64+
<td>Ms-Swift Project - Remote Code Execution - CVE:CVE-2025-50460</td>
65+
<td>Log</td>
66+
<td>Block</td>
67+
<td>This is a New Detection</td>
68+
</tr>
69+
<tr>
70+
<td>Cloudflare Managed Ruleset</td>
71+
<td>
72+
<RuleID id="d62935357ff846d9adefb58108ac45b3" />
73+
</td>
74+
<td>100585</td>
75+
<td>Apache Druid - Remote Code Execution - CVE:CVE-2023-25194</td>
76+
<td>Log</td>
77+
<td>Block</td>
78+
<td>This is a New Detection</td>
79+
</tr>
80+
<tr>
81+
<td>Cloudflare Managed Ruleset</td>
82+
<td>
83+
<RuleID id="4f6148a760804bf8ad8ebccfe4855472" />
84+
</td>
85+
<td>100834</td>
86+
<td>Tenda AC8v4 - Auth Bypass - CVE:CVE-2025-51087, CVE:CVE-2025-51088</td>
87+
<td>Log</td>
88+
<td>Block</td>
89+
<td>This is a New Detection</td>
90+
</tr>
91+
<tr>
92+
<td>Cloudflare Managed Ruleset</td>
93+
<td>
94+
<RuleID id="1474121b01ba40629f8246f8022ab542" />
95+
</td>
96+
<td>100835</td>
97+
<td>Open WebUI - SSRF - CVE:CVE-2024-7959</td>
98+
<td>Log</td>
99+
<td>Block</td>
100+
<td>This is a New Detection</td>
101+
</tr>
102+
<tr>
103+
<td>Cloudflare Managed Ruleset</td>
104+
<td>
105+
<RuleID id="96abffdb7e224ce69ddf89eb6339f132" />
106+
</td>
107+
<td>100837</td>
108+
<td>SQLi - OOB</td>
109+
<td>Log</td>
110+
<td>Block</td>
111+
<td>This is a New Detection</td>
112+
</tr>
113+
<tr>
114+
<td>Cloudflare Managed Ruleset</td>
115+
<td>
116+
<RuleID id="a0b20ec638d14800a1d6827cb83d2625" />
117+
</td>
118+
<td>100841</td>
119+
<td>BentoML - SSRF - CVE:CVE-2025-54381</td>
120+
<td>Log</td>
121+
<td>Disabled</td>
122+
<td>This is a New Detection</td>
123+
</tr>
124+
<tr>
125+
<td>Cloudflare Managed Ruleset</td>
126+
<td>
127+
<RuleID id="40fd793035c947c5ac75add1739180d2" />
128+
</td>
129+
<td>100841A</td>
130+
<td>BentoML - SSRF - CVE:CVE-2025-54381 - 2</td>
131+
<td>Log</td>
132+
<td>Disabled</td>
133+
<td>This is a New Detection</td>
134+
</tr>
135+
<tr>
136+
<td>Cloudflare Managed Ruleset</td>
137+
<td>
138+
<RuleID id="08dcb20b9acf47e3880a0b886ab910c2" />
139+
</td>
140+
<td>100841B</td>
141+
<td>BentoML - SSRF - CVE:CVE-2025-54381 - 3</td>
142+
<td>Log</td>
143+
<td>Disabled</td>
144+
<td>This is a New Detection</td>
145+
</tr>
146+
<tr>
147+
<td>Cloudflare Managed Ruleset</td>
148+
<td>
149+
<RuleID id="309cfb7eeb42482e9ad896f12197ec51" />
150+
</td>
151+
<td>100845</td>
152+
<td>Adobe Experience Manager Forms - XSS - CVE:CVE-2025-54254</td>
153+
<td>Log</td>
154+
<td>Block</td>
155+
<td>This is a New Detection</td>
156+
</tr>
157+
<tr>
158+
<td>Cloudflare Managed Ruleset</td>
159+
<td>
160+
<RuleID id="6e039776c2d6418ab6e8f05196f34ce3" />
161+
</td>
162+
<td>100845A</td>
163+
<td>Adobe Experience Manager Forms - XSS - CVE:CVE-2025-54254 - 2</td>
164+
<td>Log</td>
165+
<td>Block</td>
166+
<td>This is a New Detection</td>
167+
</tr>
168+
</tbody>
169+
</table>
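Review bot: the release table and the Key Findings disagree on two rule categories. The findings describe CVE-2025-54254 as an XXE ("Improper Restriction of XML External Entity Reference ... arbitrary file system read"), but rows 100845 and 100845A are labelled "Adobe Experience Manager Forms - XSS"; likewise the Tenda finding describes a stack-based buffer overflow while row 100834 is labelled "Auth Bypass". One side should be brought in line with the other before publishing. Rule 100574 and the three BentoML rules (100841, 100841A, 100841B) ship with New Action "Disabled", although the scheduled-changes file listed them with "Log" like the rest; the Comments cell for those rows should say why they were disabled instead of the default "This is a New Detection". Rule 100837 "SQLi - OOB" has no entry in the Key Findings. Minor prose fixes in the findings: "enable a attacker" should read "enable an attacker", "files.If" needs a space, "This allowing attackers" should read "This allows attackers", and "AN Improper" should read "An Improper".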

src/content/changelog/waf/scheduled-waf-release.mdx

Lines changed: 15 additions & 103 deletions
@@ -1,7 +1,7 @@
11
---
2-
title: WAF Release - Scheduled changes for 2025-08-18
3-
description: WAF managed ruleset changes scheduled for 2025-08-18
4-
date: 2025-08-11
2+
title: WAF Release - Scheduled changes for 2025-08-25
3+
description: WAF managed ruleset changes scheduled for 2025-08-25
4+
date: 2025-08-18
55
scheduled: true
66
---
77

@@ -21,124 +21,36 @@ import { RuleID } from "~/components";
2121
</thead>
2222
<tbody>
2323
<tr>
24-
<td>2025-08-11</td>
2524
<td>2025-08-18</td>
25+
<td>2025-08-25</td>
2626
<td>Log</td>
27-
<td>100574</td>
27+
<td>100822_BETA</td>
2828
<td>
29-
<RuleID id="326ebb56d46a4c269bb699d3418d9a3b" />
29+
<RuleID id="c550282a0f7343ca887bdab528050359" />
3030
</td>
31-
<td>SonicWall SMA - Remote Code Execution - CVE:CVE-2025-32819, CVE:CVE-2025-32820, CVE:CVE-2025-32821</td>
31+
<td>WordPress:Plugin:WPBookit - Remote Code Execution - CVE:CVE-2025-6058</td>
3232
<td>This is a New Detection</td>
3333
</tr>
3434
<tr>
35-
<td>2025-08-11</td>
3635
<td>2025-08-18</td>
36+
<td>2025-08-25</td>
3737
<td>Log</td>
38-
<td>100576</td>
38+
<td>100831</td>
3939
<td>
40-
<RuleID id="69f4f161dec04aca8a73a3231e6fefdb" />
40+
<RuleID id="456b1e8f827b4ed89fb4a54b3bdcdbad" />
4141
</td>
42-
<td>Ms-Swift Project - Remote Code Execution - CVE:CVE-2025-50460</td>
42+
<td>Apache HTTP Server - Code Execution - CVE:CVE-2024-38474</td>
4343
<td>This is a New Detection</td>
4444
</tr>
4545
<tr>
46-
<td>2025-08-11</td>
4746
<td>2025-08-18</td>
47+
<td>2025-08-25</td>
4848
<td>Log</td>
49-
<td>100585</td>
49+
<td>100846</td>
5050
<td>
51-
<RuleID id="d62935357ff846d9adefb58108ac45b3" />
51+
<RuleID id="7dcc01e1dd074e42a26c8ca002eaac5b" />
5252
</td>
53-
<td>Apache Druid - Remote Code Execution - CVE:CVE-2023-25194</td>
54-
<td>This is a New Detection</td>
55-
</tr>
56-
<tr>
57-
<td>2025-08-11</td>
58-
<td>2025-08-18</td>
59-
<td>Log</td>
60-
<td>100834</td>
61-
<td>
62-
<RuleID id="4f6148a760804bf8ad8ebccfe4855472" />
63-
</td>
64-
<td>Tenda AC8v4 - Auth Bypass - CVE:CVE-2025-51087, CVE:CVE-2025-51088</td>
65-
<td>This is a New Detection</td>
66-
</tr>
67-
<tr>
68-
<td>2025-08-11</td>
69-
<td>2025-08-18</td>
70-
<td>Log</td>
71-
<td>100835</td>
72-
<td>
73-
<RuleID id="1474121b01ba40629f8246f8022ab542" />
74-
</td>
75-
<td>Open WebUI - SSRF - CVE:CVE-2024-7959</td>
76-
<td>This is a New Detection</td>
77-
</tr>
78-
<tr>
79-
<td>2025-08-11</td>
80-
<td>2025-08-18</td>
81-
<td>Log</td>
82-
<td>100837</td>
83-
<td>
84-
<RuleID id="96abffdb7e224ce69ddf89eb6339f132" />
85-
</td>
86-
<td>SQLi - OOB</td>
87-
<td>This is a New Detection</td>
88-
</tr>
89-
<tr>
90-
<td>2025-08-11</td>
91-
<td>2025-08-18</td>
92-
<td>Log</td>
93-
<td>100841</td>
94-
<td>
95-
<RuleID id="a0b20ec638d14800a1d6827cb83d2625" />
96-
</td>
97-
<td>BentoML - SSRF - CVE:CVE-2025-54381</td>
98-
<td>This is a New Detection</td>
99-
</tr>
100-
<tr>
101-
<td>2025-08-11</td>
102-
<td>2025-08-18</td>
103-
<td>Log</td>
104-
<td>100841A</td>
105-
<td>
106-
<RuleID id="40fd793035c947c5ac75add1739180d2" />
107-
</td>
108-
<td>BentoML - SSRF - CVE:CVE-2025-54381 - 2</td>
109-
<td>This is a New Detection</td>
110-
</tr>
111-
<tr>
112-
<td>2025-08-11</td>
113-
<td>2025-08-18</td>
114-
<td>Log</td>
115-
<td>100841B</td>
116-
<td>
117-
<RuleID id="08dcb20b9acf47e3880a0b886ab910c2" />
118-
</td>
119-
<td>BentoML - SSRF - CVE:CVE-2025-54381 - 3</td>
120-
<td>This is a New Detection</td>
121-
</tr>
122-
<tr>
123-
<td>2025-08-11</td>
124-
<td>2025-08-18</td>
125-
<td>Log</td>
126-
<td>100845</td>
127-
<td>
128-
<RuleID id="309cfb7eeb42482e9ad896f12197ec51" />
129-
</td>
130-
<td>Adobe Experience Manager Forms - XSS - CVE:CVE-2025-54254</td>
131-
<td>This is a New Detection</td>
132-
</tr>
133-
<tr>
134-
<td>2025-08-11</td>
135-
<td>2025-08-18</td>
136-
<td>Log</td>
137-
<td>100845A</td>
138-
<td>
139-
<RuleID id="6e039776c2d6418ab6e8f05196f34ce3" />
140-
</td>
141-
<td>Adobe Experience Manager Forms - XSS - CVE:CVE-2025-54254 - 2</td>
53+
<td>Laravel - Remote Code Execution - CVE:CVE-2024-55661</td>
14254
<td>This is a New Detection</td>
14355
</tr>
14456
</tbody>
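Review bot: the eleven removed rows (100574 through 100845A) all reappear in the new release file above, so the move out of the scheduled table is complete, and the three replacement rows follow the existing column order (announce date, release date, action, rule ID, RuleID component, description, comment). Two naming points on the new rows: "100822_BETA" is the only rule ID in either table carrying a "_BETA" suffix, so if the rule is expected to ship under a different ID on 2025-08-25 the Comments cell should say so; and "Apache HTTP Server - Code Execution" diverges from the "Remote Code Execution" wording used for every other RCE row (WPBookit, Laravel, and the rows moved to the release file), so one form should be used throughout.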
