cloudflare · vs-mg · May 20, 2025 · May 19, 2025 · May 19, 2025 · May 20, 2025
@@ -0,0 +1,86 @@
+---
+title: "2025-05-19"
+type: table
+pcx_content_type: release-notes
+sidebar:
+  order: 789
+tableOfContents: false
+---
+
+import { RuleID } from "~/components";
+
+This week's analysis covers four vulnerabilities, with three rated critical due to their Remote Code Execution (RCE) potential. One targets a high-traffic frontend platform, while another targets a popular content management system. These detections are now part of the Cloudflare Managed Ruleset in _Block_ mode.
+
+**Key Findings**
+
+- Commvault Command Center (CVE-2025-34028) exposes an unauthenticated RCE via insecure command injection paths in the web UI. This is critical due to its use in enterprise backup environments.
+- BentoML (CVE-2025-27520) reveals an exploitable vector where serialized payloads in model deployment APIs can lead to arbitrary command execution. This targets modern AI/ML infrastructure.
+- Craft CMS (CVE-2024-56145) allows RCE through template injection in unauthenticated endpoints. It poses a significant risk for content-heavy websites with plugin extensions.
+- Apache HTTP Server (CVE-2024-38475) discloses sensitive server config data due to misconfigured 
+`mod_proxy` behavior. While not RCE, this is useful for pre-attack recon.
+
+**Impact**
+
+These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort.
+
+Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules.
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="5c3559ad62994e5b932d7d0075129820" />
+			</td>
+			<td>100745</td>
+			<td>Apache HTTP Server - Information Disclosure - CVE:CVE-2024-38475</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="28a22a685bba478d99bc904526a517f1" />
+			</td>
+			<td>100747</td>
+			<td>Commvault Command Center - Remote Code Execution - CVE:CVE-2025-34028</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="2e6bb954d0634e368c49d7d1d7619ccb" />
+			</td>
+			<td>100749</td>
+			<td>BentoML - Remote Code Execution - CVE:CVE-2025-27520</td>
+			<td>Log</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="91250eebec894705b62305b2f15bfda4" />
+			</td>
+			<td>100753</td>
+			<td>Craft CMS - Remote Code Execution - CVE:CVE-2024-56145</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+	</tbody>
+</table>
@@ -25,58 +25,102 @@ import { RSSButton, RuleID } from "~/components";
   </thead>
   <tbody>
     <tr>
-      <td>2025-05-13</td>
       <td>2025-05-19</td>
+      <td>2025-05-26</td>
       <td>Log</td>
-      <td>100745</td>
+      <td>100746</td>
+      <td>
+        <RuleID id="6a61a14f44af4232a44e45aad127592a" />
+      </td>
+      <td>Vercel - Information Disclosure</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>2025-05-19</td>
+      <td>2025-05-26</td>
+      <td>Log</td>
+      <td>100754</td>
     	<td>
-				<RuleID id="5c3559ad62994e5b932d7d0075129820" />
+				<RuleID id="bd30b3c43eb44335ab6013c195442495" />
 			</td>
-      <td>Apache HTTP Server - Information Disclosure - CVE:CVE-2024-38475</td>
+      <td>AJ-Report - Remote Code Execution - CVE:CVE-2024-15077</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-13</td>
       <td>2025-05-19</td>
+      <td>2025-05-26</td>
       <td>Log</td>
-      <td>100746</td>
+      <td>100756</td>
     	<td>
-				<RuleID id="6a61a14f44af4232a44e45aad127592a" />
+				<RuleID id="6a13bd6e5fc94b1d9c97eb87dfee7ae4" />
 			</td>
-      <td>Vercel - Information Disclosure</td>
+      <td>NAKIVO Backup - Remote Code Execution - CVE:CVE-2024-48248</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-13</td>
       <td>2025-05-19</td>
+      <td>2025-05-26</td>
       <td>Log</td>
-      <td>100747</td>
+      <td>100757</td>
     	<td>
-				<RuleID id="28a22a685bba478d99bc904526a517f1" />
+				<RuleID id="a4af6f2f15c9483fa9eab01d1c52f6d0" />
 			</td>
-      <td>Commvault Command Center - Remote Code Execution - CVE:CVE-2025-34028</td>
+      <td>Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1098</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-13</td>
       <td>2025-05-19</td>
+      <td>2025-05-26</td>
       <td>Log</td>
-      <td>100749</td>
+      <td>100759</td>
     	<td>
-				<RuleID id="2e6bb954d0634e368c49d7d1d7619ccb" />
+				<RuleID id="bd30b3c43eb44335ab6013c195442495" />
 			</td>
-      <td>BentoML - Remote Code Execution - CVE:CVE-2025-27520</td>
+      <td>SAP NetWeaver - Dangerous File Upload - CVE:CVE-2025-31324</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-13</td>
       <td>2025-05-19</td>
+      <td>2025-05-26</td>
       <td>Log</td>
-      <td>100753</td>
+      <td>100760</td>
     	<td>
-				<RuleID id="91250eebec894705b62305b2f15bfda4" />
+				<RuleID id="dab2df4f548349e3926fee845366ccc1" />
 			</td>
-      <td>Craft CMS - Remote Code Execution - CVE:CVE-2024-56145</td>
+      <td>Craft CMS - Remote Code Execution - CVE:CVE-2025-32432</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>2025-05-19</td>
+      <td>2025-05-26</td>
+      <td>Log</td>
+      <td>100761</td>
+      <td>
+        <RuleID id="5eb23f172ed64ee08895e161eb40686b" />
+      </td>
+      <td>GitHub Action - Remote Code Execution - CVE:CVE-2025-30066</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>2025-05-19</td>
+      <td>2025-05-26</td>
+      <td>Log</td>
+      <td>100762</td>
+      <td>
+        <RuleID id="827037f2d5f941789efcba6260fc041c" />
+      </td>
+      <td>Ivanti EPMM - Auth Bypass - CVE:CVE-2025-4428, CVE:CVE-2025-4427</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>2025-05-19</td>
+      <td>2025-05-26</td>
+      <td>Log</td>
+      <td>100763</td>
+      <td>
+        <RuleID id="ddee6d1c4f364768b324609cebafdfe6" />
+      </td>
+      <td>F5 Big IP - Remote Code Execution - CVE:CVE-2025-31644</td>
       <td>This is a New Detection</td>
     </tr>
   </tbody>

@@ -5,11 +5,14 @@ productLink: "/waf/"
 productArea: Application security
 productAreaLink: /fundamentals/reference/changelog/security/
 entries:
-  - publish_date: "2025-05-13"
-    scheduled_date: "2025-05-19"
+  - publish_date: "2025-05-19"
+    scheduled_date: "2025-05-26"
     individual_page: true
     scheduled: true
     link: "/waf/change-log/scheduled-changes/"
+  - publish_date: "2025-05-19"
+    individual_page: true
+    link: "/waf/change-log/2025-05-19/"
   - publish_date: "2025-05-05"
     individual_page: true
     link: "/waf/change-log/2025-05-05/"