WAF-Release-21-Jul-2025 (#23838)

fb1337 · thomasgauvin · commit febabb334118 · 2025-08-15T16:52:31.000-04:00
diff --git a/src/content/docs/waf/change-log/2025-07-21.mdx b/src/content/docs/waf/change-log/2025-07-21.mdx
@@ -0,0 +1,105 @@
+---
+title: "2025-07-21"
+type: table
+pcx_content_type: release-notes
+sidebar:
+  order: 782
+tableOfContents: false
+---
+
+import { RuleID } from "~/components";
+
+This week’s update spotlights several critical vulnerabilities across Citrix NetScaler Memory Disclosure, FTP servers and network application. Several flaws enable unauthenticated remote code execution or sensitive data exposure, posing a significant risk to enterprise security.
+
+**Key Findings**
+
+- Wing FTP Server (CVE-2025-47812):  A critical Remote Code Execution (RCE) vulnerability that enables unauthenticated attackers to execute arbitrary code with root/SYSTEM-level privileges by exploiting a Lua injection flaw.
+- Infoblox NetMRI (CVE-2025-32813): A remote unauthenticated command injection flaw that allows an attacker to execute arbitrary commands, potentially leading to unauthorized access.
+- Citrix Netscaler ADC (CVE-2025-5777, CVE-2023-4966): A sensitive information disclosure vulnerability, also known as "Citrix Bleed2", that allows the disclosure of memory and subsequent remote access session hijacking.
+- Akamai CloudTest (CVE-2025-49493): An XML External Entity (XXE) injection that could lead to read local files on the system by manipulating XML input.
+
+**Impact**
+
+These vulnerabilities affect critical enterprise infrastructure, from file transfer services and network management appliances to application delivery controllers. The Wing FTP RCE and Infoblox command injection flaws offer direct paths to deep system compromise, while the Citrix "Bleed2" and Akamai XXE vulnerabilities undermine system integrity by enabling session hijacking and sensitive data theft.
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+       <tbody>
+ 		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+					<RuleID id="6ab3bd3b58fb4325ac2d3cc73461ec9e" />
+			</td>
+			<td>100804</td>
+			<td>BerriAI - SSRF - CVE:CVE-2024-6587</td>
+			<td>Log</td>
+			<td>Log</td>
+			<td>This is a New Detection</td>
+ 		</tr>
+ 		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+ 			<td>
+ 					<RuleID id="0e17d8761f1a47d5a744a75b5199b58a" />
+ 			</td>
+ 			<td>100805</td>
+ 			<td>Wing FTP Server - Remote Code Execution - CVE:CVE-2025-47812</td>
+ 			<td>Log</td>
+ 			<td>Block</td>
+ 			<td>This is a New Detection</td>
+  		</tr>
+ 		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+					<RuleID id="81ace5a851214a2f9c58a1e7919a91a4" />
+			</td>
+			<td>100807</td>
+			<td>Infoblox NetMRI - Command Injection - CVE:CVE-2025-32813</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+ 		</tr>
+ 		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+					<RuleID id="cd8fa74e8f6f476c9380ae217899130f" />
+			</td>
+			<td>100808</td>
+			<td>Citrix Netscaler ADC - Buffer Error - CVE:CVE-2025-5777</td>
+			<td>Log</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+  		</tr>
+ 		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+					<RuleID id="e012c7bece304a1daf80935ed1cf8e08" />
+			</td>
+			<td>100809</td>
+			<td>Citrix Netscaler ADC - Information Disclosure - CVE:CVE-2023-4966</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+ 		</tr>
+ 		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+					<RuleID id="5d348a573a834ffd968faffc6e70469f" />
+			</td>
+			<td>100810</td>
+			<td>Akamai CloudTest - XXE - CVE:CVE-2025-49493</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+    </tr>
+  </tbody>
+</table>
diff --git a/src/content/docs/waf/change-log/scheduled-changes.mdx b/src/content/docs/waf/change-log/scheduled-changes.mdx
@@ -23,72 +23,50 @@ import { RSSButton, RuleID } from "~/components";
       <th>Comments</th>
     </tr>
   </thead>
-  <tbody>
+<tbody>
     <tr>
-			<td>2025-07-14</td>
-			<td>2025-07-21</td>
-			<td>Log</td>
-			<td>100804</td>
-			<td>
-					<RuleID id="6ab3bd3b58fb4325ac2d3cc73461ec9e" />
-			</td>
-			<td>BerriAI - SSRF - CVE:CVE-2024-6587</td>
-			<td>This is a New Detection</td>
-    </tr>
- 		<tr>
- 			<td>2025-07-14</td>
- 			<td>2025-07-21</td>
- 			<td>Log</td>
- 			<td>100805</td>
- 			<td>
- 					<RuleID id="0e17d8761f1a47d5a744a75b5199b58a" />
- 			</td>
- 			<td>Wing FTP Server - Remote Code Execution - CVE:CVE-2025-47812</td>
- 			<td>This is a New Detection</td>
-    </tr>
-    <tr>
-			<td>2025-07-14</td>
-			<td>2025-07-21</td>
-			<td>Log</td>
-			<td>100807</td>
-			<td>
-					<RuleID id="81ace5a851214a2f9c58a1e7919a91a4" />
-			</td>
-			<td>Infoblox NetMRI - Command Injection - CVE:CVE-2025-32813</td>
-			<td>This is a New Detection</td>
+	    <td>2025-07-21</td>
+	    <td>2025-07-28</td>
+	    <td>Log</td>
+	    <td>100812</td>
+	    <td>
+	        <RuleID id="2e6c4d02f42a4c3ca90649d50cb13e1d" />
+	    </td>
+	    <td>Fortinet FortiWeb - Remote Code Execution - CVE:CVE-2025-25257</td>
+	    <td>This is a New Detection</td>
     </tr>
     <tr>
-			<td>2025-07-14</td>
-			<td>2025-07-21</td>
-			<td>Log</td>
-			<td>100808</td>
-			<td>
-					<RuleID id="cd8fa74e8f6f476c9380ae217899130f" />
-			</td>
-			<td>Citrix Netscaler ADC - Buffer Error - CVE:CVE-2025-5777</td>
-			<td>This is a New Detection</td>
+	    <td>2025-07-21</td>
+	    <td>2025-07-28</td>
+	    <td>Log</td>
+	    <td>100813</td>
+	    <td>
+	        <RuleID id="fd360d8fd9994e6bab6fb06067fae7f7" />
+	    </td>
+	    <td>Apache Tomcat - DoS - CVE:CVE-2025-31650</td>
+	    <td>This is a New Detection</td>
     </tr>
     <tr>
-			<td>2025-07-14</td>
-			<td>2025-07-21</td>
-			<td>Log</td>
-			<td>100809</td>
-			<td>
-					<RuleID id="e012c7bece304a1daf80935ed1cf8e08" />
-			</td>
-			<td>Citrix Netscaler ADC - Information Disclosure - CVE:CVE-2023-4966</td>
-			<td>This is a New Detection</td>
+	    <td>2025-07-21</td>
+	    <td>2025-07-28</td>
+	    <td>Log</td>
+	    <td>100815</td>
+	    <td>
+	        <RuleID id="f9e01e28c5d6499cac66364b4b6a5bb1" />
+	    </td>
+	    <td>MongoDB - Remote Code Execution - CVE:CVE-2024-53900, CVE:CVE-2025-23061</td>
+	    <td>This is a New Detection</td>
     </tr>
     <tr>
-			<td>2025-07-14</td>
-			<td>2025-07-21</td>
-			<td>Log</td>
-			<td>100810</td>
-			<td>
-					<RuleID id="5d348a573a834ffd968faffc6e70469f" />
-			</td>
-			<td>Akamai CloudTest - XXE - CVE:CVE-2025-49493</td>
-			<td>This is a New Detection</td>
+	    <td>2025-07-21</td>
+	    <td>2025-07-28</td>
+	    <td>Log</td>
+	    <td>100816</td>
+	    <td>
+	        <RuleID id="700d4fcc7b1f481a80cbeee5688f8e79" />
+	    </td>
+	    <td>MongoDB - Remote Code Execution - CVE:CVE-2024-53900, CVE:CVE-2025-23061</td>
+	    <td>This is a New Detection</td>
     </tr>
-  </tbody>
+  </tbody> 
 </table>
diff --git a/src/content/release-notes/waf.yaml b/src/content/release-notes/waf.yaml
@@ -5,11 +5,14 @@ productLink: "/waf/"
 productArea: Application security
 productAreaLink: /fundamentals/reference/changelog/security/
 entries:
-  - publish_date: "2025-07-14"
-    scheduled_date: "2025-07-21"
+  - publish_date: "2025-07-21"
+    scheduled_date: "2025-07-28"
     individual_page: true
     scheduled: true
     link: "/waf/change-log/scheduled-changes/"
+  - publish_date: "2025-07-21"
+    individual_page: true
+    link: "/waf/change-log/2025-07-21/"
   - publish_date: "2025-07-14"
     individual_page: true
     link: "/waf/change-log/2025-07-14/"
