From cc856906bcc2b102b7cb11596a3987cdd49ec192 Mon Sep 17 00:00:00 2001 From: fb1337 Date: Mon, 16 Jun 2025 13:58:05 -0400 Subject: [PATCH 1/2] Release June 16th - 2025 --- .../docs/waf/change-log/2025-06-16.mdx | 131 ++++++++++++++++++ .../docs/waf/change-log/scheduled-changes.mdx | 91 +----------- src/content/release-notes/waf.yaml | 7 +- 3 files changed, 143 insertions(+), 86 deletions(-) create mode 100644 src/content/docs/waf/change-log/2025-06-16.mdx diff --git a/src/content/docs/waf/change-log/2025-06-16.mdx b/src/content/docs/waf/change-log/2025-06-16.mdx new file mode 100644 index 00000000000000..2d73b677b0e7e6 --- /dev/null +++ b/src/content/docs/waf/change-log/2025-06-16.mdx @@ -0,0 +1,131 @@ +--- +title: "2025-06-16" +type: table +pcx_content_type: release-notes +sidebar: + order: 785 +tableOfContents: false +--- + +import { RuleID } from "~/components"; + +This week’s roundup highlights multiple critical vulnerabilities across popular web frameworks, plugins, and enterprise platforms. The focus lies on remote code execution (RCE), server-side request forgery (SSRF), and insecure file upload vectors that enable full system compromise or data exfiltration. + +**Key Findings** + +- Cisco IOS XE (CVE-2025-20188): Critical RCE vulnerability enabling unauthenticated attackers to execute arbitrary commands on network infrastructure devices, risking total router compromise. +- Axios (CVE-2024-39338): SSRF flaw impacting server-side request control, allowing attackers to manipulate internal service requests when misconfigured with unsanitized user input. +- vBulletin (CVE-2025-48827, CVE-2025-48828): Two high-impact RCE flaws enabling attackers to remotely execute PHP code, compromising forum installations and underlying web servers. +- Invision Community (CVE-2025-47916): A critical RCE vulnerability allowing authenticated attackers to run arbitrary code in community platforms, threatening data and lateral movement risk. +- CrushFTP (CVE-2025-32102, CVE-2025-32103): SSRF vulnerabilities in upload endpoint processing permit attackers to pivot internal network scans and abuse internal services. +- Roundcube (CVE-2025-49113): RCE via email processing enables attackers to execute code upon viewing a crafted email—particularly dangerous for webmail deployments. +- WooCommerce WordPress Plugin (CVE-2025-47577): Dangerous file upload vulnerability permits unauthenticated users to upload executable payloads, leading to full WordPress site takeover. +- Cross-Site Scripting (XSS) Detection Improvements: Enhanced detection patterns. + +**Impact** + +These vulnerabilities span core systems — from routers to e-commerce to email. RCE in Cisco IOS XE, Roundcube, and vBulletin poses full system compromise. SSRF in Axios and CrushFTP supports internal pivoting, while WooCommerce’s file upload bug opens doors to mass WordPress exploitation. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
Cloudflare Managed Ruleset + + 100783Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188LogBlockThis is a New Detection
Cloudflare Managed Ruleset + + 100784Axios - SSRF - CVE:CVE-2024-39338LogBlockThis is a New Detection
Cloudflare Managed Ruleset + + 100785vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828LogBlockThis is a New Detection
Cloudflare Managed Ruleset + + 100786Invision Community - Remote Code Execution - CVE:CVE-2025-47916LogBlockThis is a New Detection
Cloudflare Managed Ruleset + + 100791CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103LogBlockThis is a New Detection
Cloudflare Managed Ruleset + + 100792Roundcube - Remote Code Execution - CVE:CVE-2025-49113LogBlockThis is a New Detection
Cloudflare Managed Ruleset + + 100793XSS - OntoggleLogDisabledThis is a New Detection
Cloudflare Managed Ruleset + + 100794WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577LogBlockThis is a New Detection
\ No newline at end of file diff --git a/src/content/docs/waf/change-log/scheduled-changes.mdx b/src/content/docs/waf/change-log/scheduled-changes.mdx index bfe80433fe7e0d..0a60a177a8bace 100644 --- a/src/content/docs/waf/change-log/scheduled-changes.mdx +++ b/src/content/docs/waf/change-log/scheduled-changes.mdx @@ -25,92 +25,15 @@ import { RSSButton, RuleID } from "~/components"; - 2025-06-09 - 2025-06-16 - Log - 100783 + + + + - + - Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188 - This is a New Detection - - - 2025-06-09 - 2025-06-16 - Log - 100784 - - - - Axios - SSRF - CVE:CVE-2024-39338 - This is a New Detection - - - 2025-06-09 - 2025-06-16 - Log - 100785 - - - - vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828 - This is a New Detection - - - 2025-06-09 - 2025-06-16 - Log - 100786 - - - - Invision Community - Remote Code Execution - CVE:CVE-2025-47916 - This is a New Detection - - - 2025-06-09 - 2025-06-16 - Log - 100791 - - - - CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103 - This is a New Detection - - - 2025-06-09 - 2025-06-16 - Log - 100792 - - - - Roundcube - Remote Code Execution - CVE:CVE-2025-49113 - This is a New Detection - - - 2025-06-09 - 2025-06-16 - Log - 100793 - - - - XSS - Ontoggle - This is a New Detection - - - 2025-06-09 - 2025-06-16 - Log - 100794 - - - - WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577 - This is a New Detection + + \ No newline at end of file diff --git a/src/content/release-notes/waf.yaml b/src/content/release-notes/waf.yaml index 3e59efdcffdce1..383b4191326eb6 100644 --- a/src/content/release-notes/waf.yaml +++ b/src/content/release-notes/waf.yaml @@ -5,11 +5,14 @@ productLink: "/waf/" productArea: Application security productAreaLink: /fundamentals/reference/changelog/security/ entries: - - publish_date: "2025-06-09" - scheduled_date: "2025-06-16" + - publish_date: "2025-06-16" + scheduled_date: "2025-06-23" individual_page: true scheduled: true link: "/waf/change-log/scheduled-changes/" + - publish_date: "2025-06-16" + individual_page: true + link: "/waf/change-log/2025-06-16/" - publish_date: "2025-06-09" individual_page: true link: "/waf/change-log/2025-06-09/" From 511b1cd70e8548d37b6e2a420a4a04d0a6c3a155 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 17 Jun 2025 09:30:28 +0100 Subject: [PATCH 2/2] Apply suggestions from PCX review --- src/content/docs/waf/change-log/2025-06-16.mdx | 2 +- .../docs/waf/change-log/scheduled-changes.mdx | 14 +++++++------- src/content/release-notes/waf.yaml | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/content/docs/waf/change-log/2025-06-16.mdx b/src/content/docs/waf/change-log/2025-06-16.mdx index 2d73b677b0e7e6..48ce283ce65224 100644 --- a/src/content/docs/waf/change-log/2025-06-16.mdx +++ b/src/content/docs/waf/change-log/2025-06-16.mdx @@ -18,7 +18,7 @@ This week’s roundup highlights multiple critical vulnerabilities across popula - vBulletin (CVE-2025-48827, CVE-2025-48828): Two high-impact RCE flaws enabling attackers to remotely execute PHP code, compromising forum installations and underlying web servers. - Invision Community (CVE-2025-47916): A critical RCE vulnerability allowing authenticated attackers to run arbitrary code in community platforms, threatening data and lateral movement risk. - CrushFTP (CVE-2025-32102, CVE-2025-32103): SSRF vulnerabilities in upload endpoint processing permit attackers to pivot internal network scans and abuse internal services. -- Roundcube (CVE-2025-49113): RCE via email processing enables attackers to execute code upon viewing a crafted email—particularly dangerous for webmail deployments. +- Roundcube (CVE-2025-49113): RCE via email processing enables attackers to execute code upon viewing a crafted email — particularly dangerous for webmail deployments. - WooCommerce WordPress Plugin (CVE-2025-47577): Dangerous file upload vulnerability permits unauthenticated users to upload executable payloads, leading to full WordPress site takeover. - Cross-Site Scripting (XSS) Detection Improvements: Enhanced detection patterns. diff --git a/src/content/docs/waf/change-log/scheduled-changes.mdx b/src/content/docs/waf/change-log/scheduled-changes.mdx index 0a60a177a8bace..ddd57c942fbb69 100644 --- a/src/content/docs/waf/change-log/scheduled-changes.mdx +++ b/src/content/docs/waf/change-log/scheduled-changes.mdx @@ -25,15 +25,15 @@ import { RSSButton, RuleID } from "~/components"; - - - - + N/A + N/A + N/A + N/A - + N/A - - + N/A + N/A \ No newline at end of file diff --git a/src/content/release-notes/waf.yaml b/src/content/release-notes/waf.yaml index 383b4191326eb6..31cb8b5f3aa640 100644 --- a/src/content/release-notes/waf.yaml +++ b/src/content/release-notes/waf.yaml @@ -5,8 +5,8 @@ productLink: "/waf/" productArea: Application security productAreaLink: /fundamentals/reference/changelog/security/ entries: - - publish_date: "2025-06-16" - scheduled_date: "2025-06-23" + - publish_date: "2025-06-09" + scheduled_date: "2025-06-16" individual_page: true scheduled: true link: "/waf/change-log/scheduled-changes/"