From d2c57281f9e237e4a30244f145bec1a7dd6371f3 Mon Sep 17 00:00:00 2001
From: fb1337 <fbressan@cloudflare.com>
Date: Mon, 9 Jun 2025 13:39:50 -0400
Subject: [PATCH 1/2] Release June 9th - 2025

---
 .../docs/waf/change-log/2025-06-09.mdx        | 83 +++++++++++++++++++
 .../docs/waf/change-log/scheduled-changes.mdx | 76 +++++++++++++----
 src/content/release-notes/waf.yaml            |  7 +-
 3 files changed, 148 insertions(+), 18 deletions(-)
 create mode 100644 src/content/docs/waf/change-log/2025-06-09.mdx

diff --git a/src/content/docs/waf/change-log/2025-06-09.mdx b/src/content/docs/waf/change-log/2025-06-09.mdx
new file mode 100644
index 00000000000000..1c7c422bbb04e4
--- /dev/null
+++ b/src/content/docs/waf/change-log/2025-06-09.mdx
@@ -0,0 +1,83 @@
+---
+title: "2025-06-09"
+type: table
+pcx_content_type: release-notes
+sidebar:
+  order: 786
+tableOfContents: false
+---
+
+import { RuleID } from "~/components";
+
+This week’s update spotlights four critical vulnerabilities across CMS platforms, VoIP systems, and enterprise applications. Several flaws enable remote code execution or privilege escalation, posing significant enterprise risks.
+
+**Key Findings**
+
+- WordPress OttoKit Plugin (CVE-2025-27007): Privilege escalation flaw allows unauthenticated attackers to create or elevate user accounts, compromising WordPress administrative control.
+- SAP NetWeaver (CVE-2025-42999): Remote Code Execution vulnerability enables attackers to execute arbitrary code on SAP NetWeaver systems, threatening core ERP and business operations.
+- Fortinet FortiVoice (CVE-2025-32756): Buffer error vulnerability may lead to memory corruption and potential code execution, directly impacting enterprise VoIP infrastructure.
+- Camaleon CMS (CVE-2024-46986): Remote Code Execution vulnerability allows attackers to gain full control over Camaleon CMS installations, exposing hosted content and underlying servers.
+
+**Impact**
+
+These vulnerabilities target widely deployed CMS, ERP, and VoIP systems. RCE flaws in SAP NetWeaver and Camaleon CMS allow full takeover of business-critical applications. Privilege escalation in OttoKit exposes WordPress environments to full administrative compromise. FortiVoice buffer handling issues risk destabilizing or fully compromising enterprise telephony systems.
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="4afd50a3ef1948bba87c4e620debd86e" />
+			</td>
+			<td>100769</td>
+			<td>WordPress OttoKit Plugin - Privilege Escalation - CVE:CVE-2025-27007</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="24134c41c3e940daa973b4b95f57b448" />
+			</td>
+			<td>100770</td>
+			<td>SAP NetWeaver - Remote Code Execution - CVE:CVE-2025-42999</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="4f219ac0be3545a5be5f0bf34df8857a" />
+			</td>
+			<td>100779</td>
+			<td>c</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="bc8dfbe8cbac4c039725ec743b840107" />
+			</td>
+			<td>100780</td>
+			<td>Camaleon CMS - Remote Code Execution - CVE:CVE-2024-46986</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+	</tbody>
+</table>
\ No newline at end of file
diff --git a/src/content/docs/waf/change-log/scheduled-changes.mdx b/src/content/docs/waf/change-log/scheduled-changes.mdx
index 64628e4087c51e..b195aca520bac8 100644
--- a/src/content/docs/waf/change-log/scheduled-changes.mdx
+++ b/src/content/docs/waf/change-log/scheduled-changes.mdx
@@ -25,47 +25,91 @@ import { RSSButton, RuleID } from "~/components";
   </thead>
   <tbody>
     <tr>
-      <td>2025-06-02</td>
       <td>2025-06-09</td>
+      <td>2025-06-16</td>
       <td>Log</td>
-      <td>100769</td>
+      <td>100783</td>
       <td>
-        <RuleID id="4afd50a3ef1948bba87c4e620debd86e" />
+        <RuleID id="233bcf0ce50f400989a7e44a35fefd53" />
       </td>
-      <td>WordPress OttoKit Plugin - Privilege Escalation - CVE:CVE-2025-27007</td>
+      <td>Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-06-02</td>
       <td>2025-06-09</td>
+      <td>2025-06-16</td>
       <td>Log</td>
-      <td>100770</td>
+      <td>100784</td>
       <td>
-        <RuleID id="24134c41c3e940daa973b4b95f57b448" />
+        <RuleID id="9284e3b1586341acb4591bfd8332af5d" />
       </td>
-      <td>SAP NetWeaver - Remote Code Execution - CVE:CVE-2025-42999</td>
+      <td>Axios - SSRF - CVE:CVE-2024-39338</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-06-02</td>
       <td>2025-06-09</td>
+      <td>2025-06-16</td>
       <td>Log</td>
-      <td>100779</td>
+      <td>100785</td>
       <td>
-        <RuleID id="4f219ac0be3545a5be5f0bf34df8857a" />
+        <RuleID id="2672b175a25548aa8e0107b12e1648d2" />
       </td>
-      <td>Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756</td>
+      <td>vBulletin - Remote Code Execution - CVE:cc, CVE:CVE-2025-48828</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-06-02</td>
       <td>2025-06-09</td>
+      <td>2025-06-16</td>
       <td>Log</td>
-      <td>100780</td>
+      <td>100786</td>
       <td>
-        <RuleID id="bc8dfbe8cbac4c039725ec743b840107" />
+        <RuleID id="b77a19fb053744b49eacdab00edcf1ef" />
       </td>
-      <td>Camaleon CMS - Remote Code Execution - CVE:CVE-2024-46986</td>
+      <td>Invision Community - Remote Code Execution - CVE:CVE-2025-47916</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>2025-06-09</td>
+      <td>2025-06-16</td>
+      <td>Log</td>
+      <td>100791</td>
+      <td>
+        <RuleID id="aec2274743064523a9667248d6f5eb48" />
+      </td>
+      <td>CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>2025-06-09</td>
+      <td>2025-06-16</td>
+      <td>Log</td>
+      <td>100792</td>
+      <td>
+        <RuleID id="7b80e1f5575d4d99bb7d56ae30baa18a" />
+      </td>
+      <td>Roundcube - Remote Code Execution - CVE:CVE-2025-49113</td>
+      <td>This is a New Detection</td>
+    </tr>
+   <tr>
+      <td>2025-06-09</td>
+      <td>2025-06-16</td>
+      <td>Log</td>
+      <td>100793</td>
+      <td>
+        <RuleID id="52d76f9394494b0382c7cb00229ba236" />
+      </td>
+      <td>XSS - Ontoggle</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>2025-06-09</td>
+      <td>2025-06-16</td>
+      <td>Log</td>
+      <td>100794</td>
+      <td>
+        <RuleID id="d38e657bd43f4d809c28157dfa338296" />
+      </td>
+      <td>WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577</td>
       <td>This is a New Detection</td>
     </tr>
   </tbody>
diff --git a/src/content/release-notes/waf.yaml b/src/content/release-notes/waf.yaml
index db87d950b1cebe..3e59efdcffdce1 100644
--- a/src/content/release-notes/waf.yaml
+++ b/src/content/release-notes/waf.yaml
@@ -5,11 +5,14 @@ productLink: "/waf/"
 productArea: Application security
 productAreaLink: /fundamentals/reference/changelog/security/
 entries:
-  - publish_date: "2025-06-02"
-    scheduled_date: "2025-06-09"
+  - publish_date: "2025-06-09"
+    scheduled_date: "2025-06-16"
     individual_page: true
     scheduled: true
     link: "/waf/change-log/scheduled-changes/"
+  - publish_date: "2025-06-09"
+    individual_page: true
+    link: "/waf/change-log/2025-06-09/"
   - publish_date: "2025-06-02"
     individual_page: true
     link: "/waf/change-log/2025-06-02/"

From 705507cc3e39e696b5e935a5486d6c5ba83f0911 Mon Sep 17 00:00:00 2001
From: fb1337 <fbressan@cloudflare.com>
Date: Mon, 9 Jun 2025 13:44:41 -0400
Subject: [PATCH 2/2] minor fixes

---
 src/content/docs/waf/change-log/2025-06-09.mdx        | 2 +-
 src/content/docs/waf/change-log/scheduled-changes.mdx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/content/docs/waf/change-log/2025-06-09.mdx b/src/content/docs/waf/change-log/2025-06-09.mdx
index 1c7c422bbb04e4..483df7a37196b8 100644
--- a/src/content/docs/waf/change-log/2025-06-09.mdx
+++ b/src/content/docs/waf/change-log/2025-06-09.mdx
@@ -63,7 +63,7 @@ These vulnerabilities target widely deployed CMS, ERP, and VoIP systems. RCE fla
 				<RuleID id="4f219ac0be3545a5be5f0bf34df8857a" />
 			</td>
 			<td>100779</td>
-			<td>c</td>
+			<td>Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756</td>
 			<td>Log</td>
 			<td>Block</td>
 			<td>This is a New Detection</td>
diff --git a/src/content/docs/waf/change-log/scheduled-changes.mdx b/src/content/docs/waf/change-log/scheduled-changes.mdx
index b195aca520bac8..bfe80433fe7e0d 100644
--- a/src/content/docs/waf/change-log/scheduled-changes.mdx
+++ b/src/content/docs/waf/change-log/scheduled-changes.mdx
@@ -54,7 +54,7 @@ import { RSSButton, RuleID } from "~/components";
       <td>
         <RuleID id="2672b175a25548aa8e0107b12e1648d2" />
       </td>
-      <td>vBulletin - Remote Code Execution - CVE:cc, CVE:CVE-2025-48828</td>
+      <td>vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>