[WAF] Release June 02-2025 (cloudflare#22834)

fb1337 · pedrosousa · sdnts · commit 1fdcd79ff2a8 · 2025-07-24T16:06:01.000-04:00
---------

Co-authored-by: Pedro Sousa &lt;680496+pedrosousa@users.noreply.github.com&gt;
diff --git a/src/content/docs/waf/change-log/2025-06-02.mdx b/src/content/docs/waf/change-log/2025-06-02.mdx
@@ -0,0 +1,117 @@
+---
+title: "2025-06-02"
+type: table
+pcx_content_type: release-notes
+sidebar:
+  order: 787
+tableOfContents: false
+---
+
+import { RuleID } from "~/components";
+
+This week’s roundup highlights five high-risk vulnerabilities affecting SD-WAN, load balancers, and AI platforms. Several flaws enable unauthenticated remote code execution or authentication bypass.
+
+**Key Findings**
+
+- Versa Concerto SD-WAN (CVE-2025-34026, CVE-2025-34027): Authentication bypass vulnerabilities allow attackers to gain unauthorized access to SD-WAN management interfaces, compromising network segmentation and control.
+- Kemp LoadMaster (CVE-2024-7591): Remote Code Execution vulnerability enables attackers to execute arbitrary commands, potentially leading to full device compromise within enterprise load balancing environments.
+- AnythingLLM (CVE-2024-0759): Server-Side Request Forgery (SSRF) flaw allows external attackers to force the LLM backend to make unauthorized internal network requests, potentially exposing sensitive internal resources.
+- Anyscale Ray (CVE-2023-48022): Remote Code Execution vulnerability affecting distributed AI workloads, allowing attackers to execute arbitrary code on Ray cluster nodes.
+- Server-Side Request Forgery (SSRF) - Generic & Obfuscated Payloads: Ongoing advancements in SSRF payload techniques observed, including obfuscation and expanded targeting of cloud metadata services and internal IP ranges.
+
+**Impact**
+
+These vulnerabilities expose critical infrastructure across networking, AI platforms, and SaaS integrations. Unauthenticated RCE and auth bypass flaws in Versa Concerto, Kemp LoadMaster, and Anyscale Ray allow full system compromise. AnythingLLM and SSRF payload variants expand attack surfaces into internal cloud resources, sensitive APIs, and metadata services, increasing risk of privilege escalation, data theft, and persistent access.
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="752cfb5e6f9c46f0953c742139b52f02" />
+			</td>
+			<td>100764</td>
+			<td>Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34027</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="a01171de18034901b48a5549a34edb97" />
+			</td>
+			<td>100765</td>
+			<td>Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34026</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="840b35492a7543c18ffe50fc0d99b2db" />
+			</td>
+			<td>100766</td>
+			<td>Kemp LoadMaster - Remote Code Execution - CVE:CVE-2024-7591</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="121b7070de3a459dbe80d7ed95aa3a4f" />
+			</td>
+			<td>100767</td>
+			<td>AnythingLLM - SSRF - CVE:CVE-2024-0759</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="215417f989e2485a9c50eca0840a0966" />
+			</td>
+			<td>100768</td>
+			<td>Anyscale Ray - Remote Code Execution - CVE:CVE-2023-48022</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="3ed619a17d4141bda3a8c3869d16ee18" />
+			</td>
+			<td>100781</td>
+			<td>SSRF - Generic Payloads</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="7ce73f6a70be49f8944737465c963d9d" />
+			</td>
+			<td>100782</td>
+			<td>SSRF - Obfuscated Payloads</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+	</tbody>
+</table>
diff --git a/src/content/docs/waf/change-log/scheduled-changes.mdx b/src/content/docs/waf/change-log/scheduled-changes.mdx
@@ -25,58 +25,47 @@ import { RSSButton, RuleID } from "~/components";
   </thead>
   <tbody>
     <tr>
-      <td>2025-05-27</td>
       <td>2025-06-02</td>
+      <td>2025-06-09</td>
       <td>Log</td>
-      <td>100764</td>
+      <td>100769</td>
       <td>
-        <RuleID id="752cfb5e6f9c46f0953c742139b52f02" />
+        <RuleID id="4afd50a3ef1948bba87c4e620debd86e" />
       </td>
-      <td>Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34027</td>
+      <td>WordPress OttoKit Plugin - Privilege Escalation - CVE:CVE-2025-27007</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-27</td>
       <td>2025-06-02</td>
+      <td>2025-06-09</td>
       <td>Log</td>
-      <td>100765</td>
+      <td>100770</td>
       <td>
-        <RuleID id="a01171de18034901b48a5549a34edb97" />
+        <RuleID id="24134c41c3e940daa973b4b95f57b448" />
       </td>
-      <td>Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34026</td>
+      <td>SAP NetWeaver - Remote Code Execution - CVE:CVE-2025-42999</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-27</td>
       <td>2025-06-02</td>
+      <td>2025-06-09</td>
       <td>Log</td>
-      <td>100766</td>
+      <td>100779</td>
       <td>
-        <RuleID id="840b35492a7543c18ffe50fc0d99b2db" />
+        <RuleID id="4f219ac0be3545a5be5f0bf34df8857a" />
       </td>
-      <td>Kemp LoadMaster - Remote Code Execution - CVE:CVE-2024-7591</td>
+      <td>Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-27</td>
       <td>2025-06-02</td>
+      <td>2025-06-09</td>
       <td>Log</td>
-      <td>100767</td>
+      <td>100780</td>
       <td>
-        <RuleID id="121b7070de3a459dbe80d7ed95aa3a4f" />
+        <RuleID id="bc8dfbe8cbac4c039725ec743b840107" />
       </td>
-      <td>AnythingLLM - SSRF - CVE:CVE-2024-0759</td>
-      <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-05-27</td>
-      <td>2025-06-02</td>
-      <td>Log</td>
-      <td>100768</td>
-      <td>
-        <RuleID id="215417f989e2485a9c50eca0840a0966" />
-      </td>
-      <td>Anyscale Ray - Remote Code Execution - CVE:CVE-2023-48022</td>
+      <td>Camaleon CMS - Remote Code Execution - CVE:CVE-2024-46986</td>
       <td>This is a New Detection</td>
     </tr>
   </tbody>
diff --git a/src/content/release-notes/waf.yaml b/src/content/release-notes/waf.yaml
@@ -5,11 +5,14 @@ productLink: "/waf/"
 productArea: Application security
 productAreaLink: /fundamentals/reference/changelog/security/
 entries:
-  - publish_date: "2025-05-27"
-    scheduled_date: "2025-06-02"
+  - publish_date: "2025-06-02"
+    scheduled_date: "2025-06-09"
     individual_page: true
     scheduled: true
     link: "/waf/change-log/scheduled-changes/"
+  - publish_date: "2025-06-02"
+    individual_page: true
+    link: "/waf/change-log/2025-06-02/"
   - publish_date: "2025-05-27"
     individual_page: true
     link: "/waf/change-log/2025-05-27/"
