Cloudflare changelogs | Application security
Cloudflare changelogs for Application security products
马上订阅 Cloudflare changelogs | Application security RSS 更新: https://developers.cloudflare.com/changelog/rss/application-security.xml
WAF - WAF Release - 2025-09-24 - Emergency
2025年9月24日 08:00
WAF
This week highlights a critical vendor-specific vulnerability: a deserialization flaw in the License Servlet of Fortra’s GoAnywhere MFT. By forging a license response signature, an attacker can trigger deserialization of arbitrary objects, potentially leading to command injection.
Key Findings
- GoAnywhere MFT (CVE-2025-10035): Deserialization vulnerability in the License Servlet that allows attackers with a forged license response signature to deserialize arbitrary objects, potentially resulting in command injection.
Impact
GoAnywhere MFT (CVE-2025-10035): Exploitation enables attackers to escalate privileges or achieve remote code execution via command injection.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 8fe242c7c0d64d689f4fc9a1e08b39f3 | 100787 | Fortra GoAnywhere - Auth Bypass - CVE:CVE-2025-10035 | N/A | Block | This is a New Detection |