From 8855d3e090c07ed20e0ca6bd9cec9000a028e1f8 Mon Sep 17 00:00:00 2001
From: fb1337
Date: Mon, 19 May 2025 15:27:10 -0400
Subject: [PATCH 1/3] Release-19-May-2025
---
 .../docs/waf/change-log/2025-05-19.mdx | 87 +++++++++++++++++++
 .../docs/waf/change-log/scheduled-changes.mdx | 84 +++++++++++++-----
 2 files changed, 151 insertions(+), 20 deletions(-)
 create mode 100644 src/content/docs/waf/change-log/2025-05-19.mdx
diff --git a/src/content/docs/waf/change-log/2025-05-19.mdx b/src/content/docs/waf/change-log/2025-05-19.mdx
new file mode 100644
index 000000000000000..28d993d21f42fd3
--- /dev/null
+++ b/src/content/docs/waf/change-log/2025-05-19.mdx
@@ -0,0 +1,87 @@ +--- +title: "2025-05-19" +type: table +pcx_content_type: release-notes +sidebar: + order: 789 +tableOfContents: false +--- + +import { RuleID } from "~/components"; + +This week's analysis covers 4 vulnerabilities, with three rated critical due to Remote Code Execution (RCE) potential. One targets a high-traffic frontend platform, while another targets a popular content management system. These detections are now part of our Managed Ruleset in Block mode. + +**Key Findings** + +- Commvault Command Center (CVE-2025-34028) exposes an unauthenticated RCE via insecure command injection paths in the web UI. This is critical due to its use in enterprise backup environments. +- BentoML (CVE-2025-27520) reveals an exploitable vector where serialized payloads in model deployment APIs can lead to arbitrary command execution. This targets modern AI/ML infrastructure. +- Craft CMS (CVE-2024-56145) allows RCE through template injection in unauthenticated endpoints. It poses a significant risk for content-heavy websites with plugin extensions. +- Apache HTTP Server (CVE-2024-38475) discloses sensitive server config data due to misconfigured mod_proxy behavior. While not RCE, it’s useful for pre-attack recon. + +**Impact** + +These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: +Unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort. + +Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. +Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
Cloudflare Managed Ruleset + + 100745Apache HTTP Server - Information Disclosure - CVE:CVE-2024-38475LogBlockThis is a New Detection
Cloudflare Managed Ruleset + + 100747Commvault Command Center - Remote Code Execution - CVE:CVE-2025-34028LogBlockThis is a New Detection
Cloudflare Managed Ruleset + + 100749BentoML - Remote Code Execution - CVE:CVE-2025-27520LogDisabledThis is a New Detection
Cloudflare Managed Ruleset + + 100753Craft CMS - Remote Code Execution - CVE:CVE-2024-56145LogBlockThis is a New Detection
diff --git a/src/content/docs/waf/change-log/scheduled-changes.mdx b/src/content/docs/waf/change-log/scheduled-changes.mdx index 4622076409fb999..7a26c859752ef30 100644 --- a/src/content/docs/waf/change-log/scheduled-changes.mdx +++ b/src/content/docs/waf/change-log/scheduled-changes.mdx @@ -25,58 +25,102 @@ import { RSSButton, RuleID } from "~/components"; - 2025-05-13 2025-05-19 + 2025-05-26 Log - 100745 + 100746 + + + + Vercel - Information Disclosure + This is a New Detection + + + 2025-05-19 + 2025-05-26 + Log + 100754 - + - Apache HTTP Server - Information Disclosure - CVE:CVE-2024-38475 + AJ-Report - Remote Code Execution - CVE:CVE-2024-15077 This is a New Detection - 2025-05-13 2025-05-19 + 2025-05-26 Log - 100746 + 100756 - + - Vercel - Information Disclosure + NAKIVO Backup - Remote Code Execution - CVE:CVE-2024-48248 This is a New Detection - 2025-05-13 2025-05-19 + 2025-05-26 Log - 100747 + 100757 - + - Commvault Command Center - Remote Code Execution - CVE:CVE-2025-34028 + Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1098 This is a New Detection - 2025-05-13 2025-05-19 + 2025-05-26 Log - 100749 + 100759 - + - BentoML - Remote Code Execution - CVE:CVE-2025-27520 + SAP NetWeaver - Dangerous File Upload - CVE:CVE-2025-31324 This is a New Detection - 2025-05-13 2025-05-19 + 2025-05-26 Log - 100753 + 100760 - + - Craft CMS - Remote Code Execution - CVE:CVE-2024-56145 + Craft CMS - Remote Code Execution - CVE:CVE-2025-32432 + This is a New Detection + + + 2025-05-19 + 2025-05-26 + Log + 100761 + + + + GitHub Action - Remote Code Execution - CVE:CVE-2025-30066 + This is a New Detection + + + 2025-05-19 + 2025-05-26 + Log + 100762 + + + + Ivanti EPMM - Auth Bypass - CVE:CVE-2025-4428, CVE:CVE-2025-4427 + This is a New Detection + + + 2025-05-19 + 2025-05-26 + Log + 100763 + + + + F5 Big IP - Remote Code Execution - CVE:CVE-2025-31644 This is a New Detection From e1fb631e5eed721592df788953ca8432d3250a16 Mon Sep 17 00:00:00 2001 
From: fb1337
Date: Mon, 19 May 2025 15:42:15 -0400
Subject: [PATCH 2/3] waf.yaml date added
---
 src/content/release-notes/waf.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/content/release-notes/waf.yaml b/src/content/release-notes/waf.yaml
index 9c06aa8bf8ea9e8..2cd21e0665f61dd 100644
--- a/src/content/release-notes/waf.yaml
+++ b/src/content/release-notes/waf.yaml
@@ -5,11 +5,14 @@ productLink: "/waf/"
 productArea: Application security
 productAreaLink: /fundamentals/reference/changelog/security/
 entries:
- - publish_date: "2025-05-13"
- scheduled_date: "2025-05-19"
+ - publish_date: "2025-05-19"
+ scheduled_date: "2025-05-26"
 individual_page: true
 scheduled: true
 link: "/waf/change-log/scheduled-changes/"
+ - publish_date: "2025-05-19"
+ individual_page: true
+ link: "/waf/change-log/2025-05-19/"
 - publish_date: "2025-05-05"
 individual_page: true
 link: "/waf/change-log/2025-05-05/"
From 76a64ec42109a1b1ba9bd393463fd377b849e10e Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 20 May 2025 09:43:04 +0100
Subject: [PATCH 3/3] Apply suggestions from PCX review
---
 src/content/docs/waf/change-log/2025-05-19.mdx | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/content/docs/waf/change-log/2025-05-19.mdx b/src/content/docs/waf/change-log/2025-05-19.mdx
index 28d993d21f42fd3..7f902a9a8e04561 100644
--- a/src/content/docs/waf/change-log/2025-05-19.mdx
+++ b/src/content/docs/waf/change-log/2025-05-19.mdx
@@ -9,22 +9,21 @@ tableOfContents: false import { RuleID } from "~/components"; -This week's analysis covers 4 vulnerabilities, with three rated critical due to Remote Code Execution (RCE) potential. One targets a high-traffic frontend platform, while another targets a popular content management system. These detections are now part of our Managed Ruleset in Block mode. +This week's analysis covers four vulnerabilities, with three rated critical due to their Remote Code Execution (RCE) potential. One targets a high-traffic frontend platform, while another targets a popular content management system. These detections are now part of the Cloudflare Managed Ruleset in _Block_ mode. **Key Findings** - Commvault Command Center (CVE-2025-34028) exposes an unauthenticated RCE via insecure command injection paths in the web UI. This is critical due to its use in enterprise backup environments. - BentoML (CVE-2025-27520) reveals an exploitable vector where serialized payloads in model deployment APIs can lead to arbitrary command execution. This targets modern AI/ML infrastructure. - Craft CMS (CVE-2024-56145) allows RCE through template injection in unauthenticated endpoints. It poses a significant risk for content-heavy websites with plugin extensions. -- Apache HTTP Server (CVE-2024-38475) discloses sensitive server config data due to misconfigured mod_proxy behavior. While not RCE, it’s useful for pre-attack recon. +- Apache HTTP Server (CVE-2024-38475) discloses sensitive server config data due to misconfigured +`mod_proxy` behavior. While not RCE, this is useful for pre-attack recon. **Impact** -These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: -Unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort. 
+These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort. -Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. -Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules. +Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules.