cloudflare · fb1337 · Sep 8, 2025 · Sep 8, 2025 · Sep 8, 2025 · pedrosousa
@@ -0,0 +1,147 @@
+---
+title: "WAF Release - 2025-09-08"
+description: Cloudflare WAF managed rulesets 2025-09-08 release
+date: 2025-09-08
+---
+
+import { RuleID } from "~/components";
+
+This week's update 
-This week's update 
+**This week's update** 
-This week's update 
+**This week's update** 
+
+This week’s focus highlights newly disclosed vulnerabilities in web frameworks, enterprise applications, and widely deployed CMS plugins. The vulnerabilities include SSRF, authentication bypass, arbitrary file upload, and remote code execution (RCE), exposing organizations to high-impact risks such as unauthorized access, system compromise, and potential data exposure. In addition, security rule enhancements have been deployed to cover general command injection and server-side injection attacks, further strengthening protections.
+
+
+**Key Findings**
+
+* Next.js (CVE-2025-57822): Improper handling of redirects in custom middleware can lead to server-side request forgery (SSRF) when user-supplied headers are forwarded. Attackers could exploit this to access internal services or cloud metadata endpoints. The issue has been resolved in versions 14.2.32 and 15.4.7. Developers using custom middleware should upgrade and verify proper redirect handling in next() calls.
-* Next.js (CVE-2025-57822): Improper handling of redirects in custom middleware can lead to server-side request forgery (SSRF) when user-supplied headers are forwarded. Attackers could exploit this to access internal services or cloud metadata endpoints. The issue has been resolved in versions 14.2.32 and 15.4.7. Developers using custom middleware should upgrade and verify proper redirect handling in next() calls.
+* Next.js (CVE-2025-57822): Improper handling of redirects in custom middleware can lead to server-side request forgery (SSRF) when user-supplied headers are forwarded. Attackers could exploit this to access internal services or cloud metadata endpoints. The issue has been resolved in versions 14.2.32 and 15.4.7. Developers using custom middleware should upgrade and verify proper redirect handling in `next()` calls.
-* Next.js (CVE-2025-57822): Improper handling of redirects in custom middleware can lead to server-side request forgery (SSRF) when user-supplied headers are forwarded. Attackers could exploit this to access internal services or cloud metadata endpoints. The issue has been resolved in versions 14.2.32 and 15.4.7. Developers using custom middleware should upgrade and verify proper redirect handling in next() calls.
+* Next.js (CVE-2025-57822): Improper handling of redirects in custom middleware can lead to server-side request forgery (SSRF) when user-supplied headers are forwarded. Attackers could exploit this to access internal services or cloud metadata endpoints. The issue has been resolved in versions 14.2.32 and 15.4.7. Developers using custom middleware should upgrade and verify proper redirect handling in `next()` calls.
+
+* ScriptCase (CVE-2025-47227,CVE-2025-47228):In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), two vulnerabilities allow attackers to reset admin accounts and execute system commands, potentially leading to full compromise of affected deployments.
-* ScriptCase (CVE-2025-47227,CVE-2025-47228):In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), two vulnerabilities allow attackers to reset admin accounts and execute system commands, potentially leading to full compromise of affected deployments.
+* ScriptCase (CVE-2025-47227, CVE-2025-47228): In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), two vulnerabilities allow attackers to reset admin accounts and execute system commands, potentially leading to full compromise of affected deployments.
-* ScriptCase (CVE-2025-47227,CVE-2025-47228):In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), two vulnerabilities allow attackers to reset admin accounts and execute system commands, potentially leading to full compromise of affected deployments.
+* ScriptCase (CVE-2025-47227, CVE-2025-47228): In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), two vulnerabilities allow attackers to reset admin accounts and execute system commands, potentially leading to full compromise of affected deployments.
+
+* Sar2HTML (CVE-2025-34030): In Sar2HTML version 3.2.2 and prior, insufficient input sanitization of the plot parameter allows remote, unauthenticated attackers to execute arbitrary system commands. Exploitation could compromise the underlying server and its data.
-* Sar2HTML (CVE-2025-34030): In Sar2HTML version 3.2.2 and prior, insufficient input sanitization of the plot parameter allows remote, unauthenticated attackers to execute arbitrary system commands. Exploitation could compromise the underlying server and its data.
+* Sar2HTML (CVE-2025-34030): In Sar2HTML version 3.2.2 and earlier, insufficient input sanitization of the plot parameter allows remote, unauthenticated attackers to execute arbitrary system commands. Exploitation could compromise the underlying server and its data.
-* Sar2HTML (CVE-2025-34030): In Sar2HTML version 3.2.2 and prior, insufficient input sanitization of the plot parameter allows remote, unauthenticated attackers to execute arbitrary system commands. Exploitation could compromise the underlying server and its data.
+* Sar2HTML (CVE-2025-34030): In Sar2HTML version 3.2.2 and earlier, insufficient input sanitization of the plot parameter allows remote, unauthenticated attackers to execute arbitrary system commands. Exploitation could compromise the underlying server and its data.
+
+* Zhiyuan OA (CVE-2025-34040): An arbitrary file upload vulnerability exists in the Zhiyuan OA platform. Improper validation in the wpsAssistServlet interface allows unauthenticated attackers to upload crafted files via path traversal, which can be executed on the web server, leading to remote code execution.
-* Zhiyuan OA (CVE-2025-34040): An arbitrary file upload vulnerability exists in the Zhiyuan OA platform. Improper validation in the wpsAssistServlet interface allows unauthenticated attackers to upload crafted files via path traversal, which can be executed on the web server, leading to remote code execution.
+* Zhiyuan OA (CVE-2025-34040): An arbitrary file upload vulnerability exists in the Zhiyuan OA platform. Improper validation in the `wpsAssistServlet` interface allows unauthenticated attackers to upload crafted files via path traversal, which can be executed on the web server, leading to remote code execution.
-* Zhiyuan OA (CVE-2025-34040): An arbitrary file upload vulnerability exists in the Zhiyuan OA platform. Improper validation in the wpsAssistServlet interface allows unauthenticated attackers to upload crafted files via path traversal, which can be executed on the web server, leading to remote code execution.
+* Zhiyuan OA (CVE-2025-34040): An arbitrary file upload vulnerability exists in the Zhiyuan OA platform. Improper validation in the `wpsAssistServlet` interface allows unauthenticated attackers to upload crafted files via path traversal, which can be executed on the web server, leading to remote code execution.
+
+* WordPress:Plugin:InfiniteWP Client (CVE-2020-8772): A vulnerability in the InfiniteWP Client plugin allows attackers to perform restricted actions and gain administrative control of connected WordPress sites.
+
+
+**Impact**
+
+These vulnerabilities could allow attackers to gain unauthorized access, execute malicious code, or take full control of affected systems. The Next.js, SSRF flaw may expose internal services or cloud metadata endpoints to attackers. Exploitations of ScriptCase & Sar2HTML could result in remote code execution, administrative takeover, and full server compromise. In Zhiyuan OA, the arbitrary file upload vulnerability allows attackers to execute malicious code on the web server, potentially exposing sensitive data and applications. The authentication bypass in WordPress InfiniteWP Client enables attackers to gain administrative access, risking data exposure and unauthorized control of connected sites.
-These vulnerabilities could allow attackers to gain unauthorized access, execute malicious code, or take full control of affected systems. The Next.js, SSRF flaw may expose internal services or cloud metadata endpoints to attackers. Exploitations of ScriptCase & Sar2HTML could result in remote code execution, administrative takeover, and full server compromise. In Zhiyuan OA, the arbitrary file upload vulnerability allows attackers to execute malicious code on the web server, potentially exposing sensitive data and applications. The authentication bypass in WordPress InfiniteWP Client enables attackers to gain administrative access, risking data exposure and unauthorized control of connected sites.
+These vulnerabilities could allow attackers to gain unauthorized access, execute malicious code, or take full control of affected systems. The Next.js SSRF flaw may expose internal services or cloud metadata endpoints to attackers. Exploitations of ScriptCase and Sar2HTML could result in remote code execution, administrative takeover, and full server compromise. In Zhiyuan OA, the arbitrary file upload vulnerability allows attackers to execute malicious code on the web server, potentially exposing sensitive data and applications. The authentication bypass in WordPress InfiniteWP Client enables attackers to gain administrative access, risking data exposure and unauthorized control of connected sites.
-These vulnerabilities could allow attackers to gain unauthorized access, execute malicious code, or take full control of affected systems. The Next.js, SSRF flaw may expose internal services or cloud metadata endpoints to attackers. Exploitations of ScriptCase & Sar2HTML could result in remote code execution, administrative takeover, and full server compromise. In Zhiyuan OA, the arbitrary file upload vulnerability allows attackers to execute malicious code on the web server, potentially exposing sensitive data and applications. The authentication bypass in WordPress InfiniteWP Client enables attackers to gain administrative access, risking data exposure and unauthorized control of connected sites.
+These vulnerabilities could allow attackers to gain unauthorized access, execute malicious code, or take full control of affected systems. The Next.js SSRF flaw may expose internal services or cloud metadata endpoints to attackers. Exploitations of ScriptCase and Sar2HTML could result in remote code execution, administrative takeover, and full server compromise. In Zhiyuan OA, the arbitrary file upload vulnerability allows attackers to execute malicious code on the web server, potentially exposing sensitive data and applications. The authentication bypass in WordPress InfiniteWP Client enables attackers to gain administrative access, risking data exposure and unauthorized control of connected sites.
+
+Administrators are strongly advised to apply vendor patches immediately, remove unsupported software, and review authentication and access controls to mitigate these risks.
+
+
+<table style="width: 100%">
+  <thead>
+    <tr>
+      <th>Ruleset</th>
+      <th>Rule ID</th>
+      <th>Legacy Rule ID</th>
+      <th>Description</th>
+      <th>Previous Action</th>
+      <th>New Action</th>
+      <th>Comments</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="7c5812a31fd94996b3299f7e963d7afc" />
+      </td>
+      <td>100007D</td>
+      <td>Command Injection - Common Attack Commands Args</td>
+      <td>Log</td>
+      <td>Blocked</td>
-      <td>Blocked</td>
+      <td>Block</td>
-      <td>Blocked</td>
+      <td>Block</td>
+      <td>This rule has been merged into the original rule "Command Injection - Common Attack Commands" (ID: <RuleID id="89557ce9b26e4d4dbf29e90c28345b9b" />) for New WAF customers only.</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="cd528243d6824f7ab56182988230a75b" />
+      </td>      
+      <td>100617</td>
+      <td>Next.js - SSRF - CVE:CVE-2025-57822</td>
+      <td>Log</td>
+      <td>Blocked</td>
-      <td>Blocked</td>
+      <td>Block</td>
-      <td>Blocked</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="503b337dac5c409d8f833a6ba22dabf1" />
+      </td>
+      <td>100659_BETA</td>
+      <td>Common Payloads for Server-Side Template Injection - Beta</td>
+      <td>Log</td>
+      <td>Blocked</td>
-      <td>Blocked</td>
+      <td>Block</td>
-      <td>Blocked</td>
+      <td>Block</td>
+      <td>This rule is merged into the original rule "Common Payloads for Server-Side Template Injection" (ID: <RuleID id="21c7a963e1b749e7b1753238a28a42c4" />)</td>
+    </tr>    
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="6d24266148f24f5e9fa487f8b416b7ca" />
+      </td>
+      <td>100824B</td>
+      <td>CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 - 3</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>    
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="154b217c43d04f11a13aeff05db1fa6b" />
+      </td>
+      <td>100848</td>
+      <td>ScriptCase - Auth Bypass - CVE:CVE-2025-47227</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="cad6f1c8c6d44ef59929e6532c62d330" />
+      </td>
+      <td>100849</td>
+      <td>ScriptCase - Command Injection - CVE:CVE-2025-47228</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="e7464139fd3e44938b56716bef971afd" />
+      </td>
+      <td>100872</td>
+      <td>WordPress:Plugin:InfiniteWP Client - Missing Authorization - CVE:CVE-2020-8772</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="0181ebb2cc234f2d863412e1bab19b0b" />
+      </td>
+      <td>100873</td>
+      <td>Sar2HTML - Command Injection - CVE:CVE-2025-34030</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="34d5c7c7b08b40eaad5b2bb3f24c0fbe" />
+      </td>
+      <td>100875</td>
+      <td>Zhiyuan OA - Remote Code Execution - CVE:CVE-2025-34040</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>    
+  </tbody>
+</table>
@@ -1,7 +1,7 @@
 ---
-title: WAF Release - Scheduled changes for 2025-09-08
-description: WAF managed ruleset changes scheduled for 2025-09-08
-date: 2025-09-01
+title: WAF Release - Scheduled changes for 2025-09-15
+description: WAF managed ruleset changes scheduled for 2025-09-15
+date: 2025-09-08
 scheduled: true
 ---
 
@@ -21,103 +21,37 @@ import { RuleID } from "~/components";
   </thead>
   <tbody>
     <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100007D</td>
-      <td>
-        <RuleID id="7c5812a31fd94996b3299f7e963d7afc" />
-      </td>
-      <td>Command Injection - Common Attack Commands Args</td>
-      <td>Beta detection. This will be merged into the original rule "Command Injection - Common Attack Commands" (ID: <RuleID id="89557ce9b26e4d4dbf29e90c28345b9b" />)</td>
-    </tr>
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100617</td>
-      <td>
-        <RuleID id="cd528243d6824f7ab56182988230a75b" />
-      </td>
-      <td>Next.js - SSRF - CVE:CVE-2025-57822</td>
-      <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100659_BETA</td>
-      <td>
-        <RuleID id="503b337dac5c409d8f833a6ba22dabf1" />
-      </td>
-      <td>Common Payloads for Server-Side Template Injection - Beta</td>
-      <td>Beta detection. This will be merged into the original rule "Common Payloads for Server-Side Template Injection" (ID: <RuleID id="21c7a963e1b749e7b1753238a28a42c4" />)</td>
-    </tr>    
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100824B</td>
-      <td>
-        <RuleID id="6d24266148f24f5e9fa487f8b416b7ca" />
-      </td>
-      <td>CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 - 3</td>
-      <td>This is a New Detection</td>
-    </tr>    
-    <tr>
-      <td>2025-09-01</td>
       <td>2025-09-08</td>
+      <td>2025-09-15</td>
       <td>Log</td>
-      <td>100848</td>
+      <td>100646</td>
       <td>
-        <RuleID id="154b217c43d04f11a13aeff05db1fa6b" />
+        <RuleID id="199cce9ab21e40bcb535f01b2ee2085f" />
       </td>
-      <td>ScriptCase - Auth Bypass - CVE:CVE-2025-47227</td>
+      <td>Argo CD - Information Disclosure - CVE:CVE-2025-55190</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-09-01</td>
       <td>2025-09-08</td>
+      <td>2025-09-15</td>
       <td>Log</td>
-      <td>100849</td>
+      <td>100874</td>
       <td>
-        <RuleID id="cad6f1c8c6d44ef59929e6532c62d330" />
+        <RuleID id="e513bb21b6a44f9cbfcd2462f5e20788" />
       </td>
-      <td>ScriptCase - Command Injection - CVE:CVE-2025-47228</td>
+      <td>DataEase - JNDI injection - CVE:CVE-2025-57773</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
       <td>2025-09-01</td>
       <td>2025-09-08</td>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
+      <td>2025-09-08</td>
+      <td>2025-09-15</td>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
+      <td>2025-09-08</td>
+      <td>2025-09-15</td>
       <td>Log</td>
-      <td>100872</td>
+      <td>100880</td>
       <td>
-        <RuleID id="e7464139fd3e44938b56716bef971afd" />
+        <RuleID id="be097f5a71a04f27aa87b60d005a12fd" />
       </td>
-      <td>WordPress:Plugin:InfiniteWP Client - Missing Authorization - CVE:CVE-2020-8772</td>
+      <td>Sitecore - Information Disclosure - CVE:CVE-2025-53694</td>
       <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100873</td>
-      <td>
-        <RuleID id="0181ebb2cc234f2d863412e1bab19b0b" />
-      </td>
-      <td>Sar2HTML - Command Injection - CVE:CVE-2025-34030</td>
-      <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100875</td>
-      <td>
-        <RuleID id="34d5c7c7b08b40eaad5b2bb3f24c0fbe" />
-      </td>
-      <td>Zhiyuan OA - Remote Code Execution - CVE:CVE-2025-34040</td>
-      <td>This is a New Detection</td>
-    </tr>
+    </tr>    
   </tbody>
 </table>