
Cloudflare changelogs | Application security

Cloudflare changelogs for Application security products

Security Center - New Application Security reports (Closed Beta)

Cloudflare's new Application Security report, currently in Closed Beta, is now available in the dashboard under Security reports. The reports are generated monthly and provide cybersecurity insights and trends for all Enterprise zones in your Cloudflare account. They also include an industry benchmark that compares your security landscape with that of peers in your industry. Learn more by referring to the Security Reports documentation, and use the feedback survey link at the top of the page to help us improve the reports.

2025/10/17

WAF - New detections released for WAF managed rulesets

This week we introduced several new detections across Cloudflare Managed Rulesets, expanding coverage for high-impact vulnerability classes such as SSRF, SQLi, SSTI, Reverse Shell attempts, and Prototype Pollution. These rules aim to improve protection against attacker-controlled payloads that exploit misconfigurations or unvalidated input in web applications.

Key Findings

New detections added for multiple exploit categories:

- SSRF (Server-Side Request Forgery): new rules targeting both local and cloud metadata abuse patterns (Beta).
- SQL Injection (SQLi): rules for common patterns, sleep/time-based injections, and string/wait function exploitation across headers and URIs.
- SSTI (Server-Side Template Injection): arithmetic-based probe detections introduced across URI, header, and body fields.
- Reverse Shell and XXE payloads: enhanced heuristics for command execution and XML external entity misuse.
- Prototype Pollution: new Beta rule identifying common JSON payload structures used in object prototype poisoning.
- PHP Wrapper Injection and HTTP Parameter Pollution detections: to catch path traversal and multi-parameter manipulation attempts.
- Anomaly Header Checks: detecting CRLF injection attempts in header names.

Impact

These updates help detect multi-vector payloads that blend SSRF + RCE or SQLi + SSTI attacks, especially in cloud-hosted applications with exposed metadata endpoints or unsafe template rendering. Prototype Pollution and HTTP parameter pollution rules address emerging JavaScript supply-chain exploitation patterns increasingly seen in real-world incidents.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 72f0ff933fb0492eb71cda50589f2a1d | N/A | Anomaly:Header - name - CR, LF | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5d0377e4435f467488614170132fab7e | N/A | Generic Rules - Reverse Shell - Body | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 54e32f7f802c4a699182e8921a027008 | N/A | Generic Rules - Reverse Shell - Header | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 7cbda8dbafbc465d9b64a8f2958d0486 | N/A | Generic Rules - Reverse Shell - URI | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | b9f3420674cf481da32333dc8e0cf7ad | N/A | Generic Rules - XXE - Body | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ad55483512f0440b81426acdbf8aab5e | N/A | Generic Rules - SQLi - Common Patterns - Header URI | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 849c0618d1674f1c92ba6f9b2e466337 | N/A | Generic Rules - SQLi - Sleep Function - Header URI | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 1b4db4c4bd0649c095c27c6cb686ab47 | N/A | Generic Rules - SQLi - String Function - Header URI | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | fa2055b84af94ba4b925f834b0633709 | N/A | Generic Rules - SQLi - WaitFor Function - Header URI | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 158177dec2504acdba1f2da201a076eb | N/A | SSRF - Local - Beta | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 98bfd6bb46074d5b8d1c4b39743a63ec | N/A | SSRF - Local - 2 - Beta | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 54e1733b10da4a599e06c6fbc2e84e2d | N/A | SSRF - Cloud - Beta | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ecd26d61a75e46f6a4449a06ab8af26f | N/A | SSRF - Cloud - 2 - Beta | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | c16f4e133c4541f293142d02e6e8dc5b | N/A | SSTI - Arithmetic Probe - URI | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | f4fd9904e7624666b8c49cd62550d794 | N/A | SSTI - Arithmetic Probe - Header | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5c0875604f774c36a4f9b69c659d12a6 | N/A | SSTI - Arithmetic Probe - Body | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | fae6fa37ae9249d58628e54b1a3e521e | N/A | PHP Wrapper Injection | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 9c02e585db34440da620eb668f76bd74 | N/A | PHP Wrapper Injection | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | cb67fe56a84747b8b64277dc091e296d | N/A | HTTP parameter pollution | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 443b54d984944cd69043805ee34214ef | N/A | Prototype Pollution - Common Payloads - Beta | N/A | Disabled | This is a New Detection |
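
Three of the anomaly classes listed above (CR/LF in header names, prototype-pollution key paths in JSON bodies, and duplicated query parameters) expressed as simple request checks run over constructed sample traffic. This is an added illustration, not Cloudflare's rule logic; the request dictionary shape, the function names and the sample requests are assumptions.

```python
"""Request-anomaly checks illustrating three of the Oct 17 detection classes.

Added example, not Cloudflare's rule logic. The request shape
({"url", "headers": [(name, value), ...], "body"}) is an assumption.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# "Anomaly:Header - name - CR, LF": a CR or LF inside a header *name* is never
# legitimate, so its presence is a reliable signal of header injection attempts.
CRLF_RE = re.compile(r"[\r\n]")


def header_name_crlf(headers):
    """Return header names that contain a CR or LF character."""
    return [name for name, _value in headers if CRLF_RE.search(name)]


def prototype_pollution_keys(body):
    """Return dotted paths of JSON keys that target Object.prototype.

    Flags "__proto__" at any depth and "prototype" nested directly under
    "constructor", the common payload structures the Beta rule describes.
    Non-JSON bodies yield no findings.
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    found = []

    def walk(node, path, parent_key):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else str(key)
                if key == "__proto__" or (key == "prototype" and parent_key == "constructor"):
                    found.append(child)
                walk(value, child, key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]", parent_key)

    walk(doc, "", None)
    return found


def polluted_parameters(url):
    """Return query parameter names that occur more than once (HTTP Parameter Pollution)."""
    names = [k for k, _v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return sorted({n for n in names if names.count(n) > 1})


def inspect_request(req):
    """Run every check over one request and return (check, detail) findings in order."""
    findings = []
    for name in header_name_crlf(req.get("headers", [])):
        findings.append(("header-name-crlf", name))
    for path in prototype_pollution_keys(req.get("body", "")):
        findings.append(("prototype-pollution", path))
    for name in polluted_parameters(req.get("url", "")):
        findings.append(("parameter-pollution", name))
    return findings


# Constructed sample traffic: one clean request and one carrying all three anomalies.
SAMPLE_REQUESTS = [
    {
        "url": "https://example.test/search?q=waf&page=1",
        "headers": [("Host", "example.test"), ("Accept", "*/*")],
        "body": "",
    },
    {
        "url": "https://example.test/api/profile?id=1&id=2",
        "headers": [("Host", "example.test"), ("X-Trace\r\nX-Injected", "x")],
        "body": '{"name": "a", "__proto__": {"polluted": true}, '
                '"constructor": {"prototype": {"polluted": true}}}',
    },
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["url"], inspect_request(req))
```

The checks are deliberately narrow: they match the structural anomalies the rule names describe rather than attempting to model the full heuristics of the managed ruleset.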

2025/10/17

WAF - WAF Release - 2025-10-13

This week’s highlights include a new JinJava rule targeting a sandbox-bypass flaw that could allow malicious template input to escape execution controls. The rule improves detection for unsafe template rendering paths.

Key Findings

New WAF rule deployed for JinJava (CVE-2025-59340) to block a sandbox bypass in the template engine that permits attacker-controlled type construction and arbitrary class instantiation; in vulnerable environments this can escalate to remote code execution and full server compromise.

Impact

CVE-2025-59340: Exploitation enables attacker-supplied type descriptors / Jackson ObjectMapper abuse, allowing arbitrary class loading, file/URL access (LFI/SSRF primitives) and, with suitable gadget chains, potential remote code execution and system compromise.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | b327d6442e2d4848b4aab3cbc04bab5f | 100892 | JinJava - SSTI - CVE:CVE-2025-59340 | Log | Block | This is a New Detection |

2025/10/13

WAF - WAF Release - Scheduled changes for 2025-10-20

| Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments |
|---|---|---|---|---|---|---|
| 2025-10-13 | 2025-10-20 | Log | 100598A | 933fc13202cd4e8ba498c0f32b4101ab | Remote Code Execution - Common Bash Bypass - Beta | This rule is merged into the original rule "Remote Code Execution - Common Bash Bypass" (ID: f8238867ed3e4d3a9a7b731a50cec478) |
| 2025-10-13 | 2025-10-20 | Log | 100916A | 185b5df42d1e44e0aeb8f8b8a1118614 | Oracle E-Business Suite - Remote Code Execution - CVE:CVE-2025-61882 - 2 | This is a New Detection |

2025/10/13

WAF - WAF Release - 2025-10-07 - Emergency

This week highlights multiple critical Cisco vulnerabilities (CVE-2025-20363, CVE-2025-20333, CVE-2025-20362). These flaws stem from improper input validation in HTTP(S) requests. An authenticated VPN user could send crafted requests to execute code as root, potentially compromising the device. The initial two rules were made available on September 28, with a third rule added today, October 7, for more robust protection.

Key Findings

Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Multiple vulnerabilities that could allow attackers to exploit unsafe deserialization and input validation flaws. Successful exploitation may result in arbitrary code execution, privilege escalation, or command injection on affected systems.

Impact

Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Exploitation enables attackers to escalate privileges or achieve remote code execution via command injection. Administrators are strongly advised to apply vendor updates immediately.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 12f808a5315441688f3b7c8a3a4d1bd6 | 100788B | Cisco Secure Firewall Adaptive Security Appliance - Remote Code Execution - CVE:CVE-2025-20333, CVE:CVE-2025-20362, CVE:CVE-2025-20363 | N/A | Block | This is a New Detection |

2025/10/7

WAF - WAF Release - 2025-10-06

This week’s highlights prioritise an emergency Oracle E-Business Suite RCE rule deployed to block active, high-impact exploitation. Also addressed are high-severity Chaos Mesh controller command-injection flaws that enable unauthenticated in-cluster RCE and potential cluster compromise, plus a form-data multipart boundary issue that permits HTTP Parameter Pollution (HPP). Two new generic SQLi detections were added to catch inline-comment obfuscation and information disclosure techniques.

Key Findings

- New emergency rule released for Oracle E-Business Suite (CVE-2025-61882) addressing an actively exploited remote code execution vulnerability in core business application modules. Immediate mitigation deployed to protect enterprise workloads.
- Chaos Mesh (CVE-2025-59358, CVE-2025-59359, CVE-2025-59360, CVE-2025-59361): A GraphQL debug endpoint on the Chaos Controller Manager is exposed without authentication; several controller mutations (cleanTcs, killProcesses, cleanIptables) are vulnerable to OS command injection.
- Form-Data (CVE-2025-7783): Attackers who can observe Math.random() outputs and control request fields in form-data may exploit this flaw to perform HTTP parameter pollution, leading to request tampering or data manipulation.
- Two new generic SQLi detections added to enhance baseline coverage against inline-comment obfuscation and information disclosure attempts.

Impact

- CVE-2025-61882: Oracle E-Business Suite remote code execution (emergency detection): attacker-controlled input can yield full system compromise, data exfiltration, and operational outage; immediate blocking enforced.
- CVE-2025-59358 / CVE-2025-59359 / CVE-2025-59360 / CVE-2025-59361: Unauthenticated command injection in Chaos Mesh controllers allowing remote code execution, cluster compromise, and service disruption (high availability risk).
- CVE-2025-7783: Predictable multipart boundaries in form-data enabling HTTP Parameter Pollution; results include request tampering, parameter overwrite, and downstream data integrity loss.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 0c9bf31ab6fa41fc8f12daaf8650f52f | 100882 | Chaos Mesh - Missing Authentication - CVE:CVE-2025-59358 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5d459ed434ed446c9580c73c2b8c3680 | 100883 | Chaos Mesh - Command Injection - CVE:CVE-2025-59359 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | a2591ba5befa4815a6861aefef859a04 | 100884 | Chaos Mesh - Command Injection - CVE:CVE-2025-59361 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 05eea4fabf6f4cf3aac1094b961f26a7 | 100886 | Form-Data - Parameter Pollution - CVE:CVE-2025-7783 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 90514c7810694b188f56979826a4074c | 100888 | Chaos Mesh - Command Injection - CVE:CVE-2025-59360 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 42fbc8c09ec84578b9633ffc31101b2f | 100916 | Oracle E-Business Suite - Remote Code Execution - CVE:CVE-2025-61882 | N/A | Block | This is a New Detection |
| Cloudflare Managed Ruleset | badc687a3ba3420a844220b129aa43c3 | 100917 | Generic Rules - SQLi - Inline Comment Injection | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 28fa27511f29428899ceb5a273c10b6f | 100918 | Generic Rules - SQLi - Information Disclosure | N/A | Disabled | This is a New Detection |

2025/10/6

WAF - WAF Release - 2025-10-03

Managed Ruleset Updated

This update introduces 21 new detections in the Cloudflare Managed Ruleset (all currently set to Disabled mode to preserve remediation logic and allow quick activation if needed). The rules cover a broad spectrum of threats - SQL injection techniques, command and code injection, information disclosure of common files, URL anomalies, and cross-site scripting.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 0d02c2fb14eb4cec9c2e2b58d61fac74 | 100902 | Generic Rules - Command Execution - 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | c3079865ce9a41368657026b514aeeb8 | 100908 | Generic Rules - Command Execution - 3 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 107ae2922b654bb28df7ca978d46a6f4 | 100910 | Generic Rules - Command Execution - 4 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 68bdb75ae6d24e139a83e5731bd0a329 | 100915 | Generic Rules - Command Execution - 5 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ea04bb580f7d400386c7dc1d5e51450a | 100899 | Generic Rules - Content-Type Abuse | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 233364f656ff42b8acc41dcd7996012f | 100914 | Generic Rules - Content-Type Injection | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 1aa695281c954513be3d003b93209312 | 100911 | Generic Rules - Cookie Header Injection | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | d9f9e4f5bf11489da52dccb40f373b3f | 100905 | Generic Rules - NoSQL Injection | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5a1897b714e044a887c0f3f078a0ed04 | 100913 | Generic Rules - NoSQL Injection - 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 4d6fd28df4f1494e95e70d2c5d649624 | 100907 | Generic Rules - Parameter Pollution | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 61181e3af5304f7396c7d01cfd1c674e | 100906 | Generic Rules - PHP Object Injection | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ed5190bfbe1b45a6a645126334c88168 | 100904 | Generic Rules - Prototype Pollution | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 3ec33bc5ac77495a9f55020e3ab43f7e | 100897 | Generic Rules - Prototype Pollution 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | c6d752c4909e4b7e8eff6c780d94ee22 | 100903 | Generic Rules - Reverse Shell | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | caf37e7800bb4635bcc2eefcd5add8e3 | 100909 | Generic Rules - Reverse Shell - 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 475d090baead467c88dfabbb565c78b0 | 100898 | Generic Rules - SSJI NoSQL | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | f4c7f98934264c9c937eec1212b837a0 | 100896 | Generic Rules - SSRF | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | efd01b814d144e90b36522b311c4fb00 | 100895 | Generic Rules - Template Injection | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 00a9a0d663da4add95b863abd3ed0123 | 100895A | Generic Rules - Template Injection - 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | e58c0fffee4f4374bd37f2577501a1d9 | 100912 | Generic Rules - XXE | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ab09ba8d00eb4cdbb7a6a65ddc55cdb6 | 100900 | Relative Paths - Anomaly Headers | N/A | Disabled | This is a New Detection |

2025/10/3

WAF - WAF Release - 2025-09-29

This week highlights four important vendor- and component-specific issues: an authentication bypass in SimpleHelp (CVE-2024-57727), an information-disclosure flaw in Flowise Cloud (CVE-2025-58434), an SSRF in the WordPress plugin Ditty (CVE-2025-8085), and a directory-traversal bug in Vite (CVE-2025-30208). These are paired with improvements to our generic detection coverage (SQLi, SSRF) to raise the baseline and reduce noisy gaps.

Key Findings

- SimpleHelp (CVE-2024-57727): Authentication bypass in SimpleHelp that can allow unauthorized access to management interfaces or sessions.
- Flowise Cloud (CVE-2025-58434): Information-disclosure vulnerability in Flowise Cloud that may expose sensitive configuration or user data to unauthenticated or low-privileged actors.
- WordPress:Plugin: Ditty (CVE-2025-8085): SSRF in the Ditty WordPress plugin enabling server-side requests that could reach internal services or cloud metadata endpoints.
- Vite (CVE-2025-30208): Directory-traversal vulnerability in Vite allowing access to filesystem paths outside the intended web root.

Impact

These vulnerabilities allow attackers to gain access, escalate privileges, or execute actions that were previously unavailable:

- SimpleHelp (CVE-2024-57727): An authentication bypass that can let unauthenticated attackers access management interfaces or hijack sessions, enabling lateral movement, credential theft, or privilege escalation within affected environments.
- Flowise Cloud (CVE-2025-58434): Information-disclosure flaw that can expose sensitive configuration, tokens, or user data; leaked secrets may be chained into account takeover or privileged access to backend services.
- WordPress:Plugin: Ditty (CVE-2025-8085): SSRF that enables server-side requests to internal services or cloud metadata endpoints, potentially allowing attackers to retrieve credentials or reach otherwise inaccessible infrastructure, leading to privilege escalation or cloud resource compromise.
- Vite (CVE-2025-30208): Directory-traversal vulnerability that can expose filesystem contents outside the web root (configuration files, keys, source code), which attackers can use to escalate privileges or further compromise systems.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 6fe90532af50427484a5275c8c2e30fb | 100717 | SimpleHelp - Auth Bypass - CVE:CVE-2024-57727 | Log | Block | This rule is merged to 100717 in legacy WAF and 498fcd81a62a4b5ca943e2de958094d3 in new WAF |
| Cloudflare Managed Ruleset | 013ef5de3f074fd5a43cdd70d58b886b | 100775 | Flowise Cloud - Information Disclosure - CVE:CVE-2025-58434 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 68fc5c086ccb4b40a35a63b19bce1ff4 | 100881 | WordPress:Plugin:Ditty - SSRF - CVE:CVE-2025-8085 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 9e1a56e6b3bc49b187bf6e35ddc329dd | 100887 | Vite - Directory Traversal - CVE:CVE-2025-30208 | Log | Block | This is a New Detection |

2025/9/29

WAF - WAF Release - 2025-09-28 - Emergency

This week highlights multiple critical Cisco vulnerabilities (CVE-2025-20363, CVE-2025-20333, CVE-2025-20362). These flaws stem from improper input validation in HTTP(S) requests. An authenticated VPN user could send crafted requests to execute code as root, potentially compromising the device.

Key Findings

Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Multiple vulnerabilities that could allow attackers to exploit unsafe deserialization and input validation flaws. Successful exploitation may result in arbitrary code execution, privilege escalation, or command injection on affected systems.

Impact

Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Exploitation enables attackers to escalate privileges or achieve remote code execution via command injection.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | a1bef4ada0b146d2862cad439ee0ab84 | 100788 | Cisco Secure Firewall Adaptive Security Appliance - Remote Code Execution - CVE:CVE-2025-20333, CVE:CVE-2025-20362, CVE:CVE-2025-20363 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 51de6ce6596a40eb8200452ad30f768e | 100788A | Cisco Secure Firewall Adaptive Security Appliance - Remote Code Execution - CVE:CVE-2025-20333, CVE:CVE-2025-20362, CVE:CVE-2025-20363 | N/A | Disabled | This is a New Detection |

2025/9/28

WAF - WAF Release - 2025-09-26

Managed Ruleset Updated

This update introduces 11 new detections in the Cloudflare Managed Ruleset (all currently set to Disabled mode to preserve remediation logic and allow quick activation if needed). The rules cover a broad spectrum of threats - SQL injection techniques, command and code injection, information disclosure of common files, URL anomalies, and cross-site scripting.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 3ffd242b4ba242ca965022d3a67d8561 | 100859A | SQLi - UNION - 3 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 91d9cf56355b4ab88481b2fd4de80468 | 100889 | Command Injection - Generic 9 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | c15ca8e8290f485287037665f2be3ddf | 100890 | Information Disclosure - Common Files - 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 56669615f2984c2cac8c608980a252a8 | 100891 | Anomaly:URL - Relative Paths | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | c41789fb6370431d809567d17e7d3865 | 100894 | XSS - Inline Function | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | b995d0b930604fa6b8d9b2a13792565c | 100895 | XSS - DOM | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ab8277e3f432400bbd9403dd42978e38 | 100896 | SQLi - MSSQL Length Enumeration | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 3ec33bc5ac77495a9f55020e3ab43f7e | 100897 | Generic Rules - Code Injection - 3 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 4375dc90c7af4c55908f6b95c1686741 | 100898 | SQLi - Evasion | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 945c5aa9f45141dd872d7ec920999be0 | 100899 | SQLi - Probing 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 2c20b5e8684043f48620ff77b4026c88 | 100900 | SQLi - Probing | N/A | Disabled | This is a New Detection |

2025/9/26

WAF - WAF Release - 2025-09-24 - Emergency

This week highlights a critical vendor-specific vulnerability: a deserialization flaw in the License Servlet of Fortra’s GoAnywhere MFT. By forging a license response signature, an attacker can trigger deserialization of arbitrary objects, potentially leading to command injection.

Key Findings

GoAnywhere MFT (CVE-2025-10035): Deserialization vulnerability in the License Servlet that allows attackers with a forged license response signature to deserialize arbitrary objects, potentially resulting in command injection.

Impact

GoAnywhere MFT (CVE-2025-10035): Exploitation enables attackers to escalate privileges or achieve remote code execution via command injection.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 8fe242c7c0d64d689f4fc9a1e08b39f3 | 100787 | Fortra GoAnywhere - Auth Bypass - CVE:CVE-2025-10035 | N/A | Block | This is a New Detection |

2025/9/24

WAF - WAF Release - 2025-09-22

This week emphasizes two critical vendor-specific vulnerabilities: a full elevation-of-privilege in Microsoft Azure Networking (CVE-2025-54914) and a server-side template injection (SSTI) leading to remote code execution (RCE) in Skyvern (CVE-2025-49619). These are complemented by enhancements in generic detections (SQLi, SSRF) to improve baseline coverage.

Key Findings

- Azure (CVE-2025-54914): Vulnerability in Azure Networking allowing elevation of privileges.
- Skyvern (CVE-2025-49619): Skyvern ≤ 0.1.85 has a server-side template injection (SSTI) vulnerability in its Prompt field (workflow blocks) via Jinja2. Authenticated users with low privileges can get remote code execution (blind).
- Generic SQLi / SSRF improvements: Expanded rule coverage to detect obfuscated SQL injection patterns and SSRF across host, local, and cloud contexts.

Impact

These vulnerabilities allow attackers to escalate privileges or execute code under conditions where previously they could not:

- Azure CVE-2025-54914 enables an attacker from the network with no credentials to gain high-level access within Azure Networking; could lead to full compromise of networking components.
- Skyvern CVE-2025-49619 allows authenticated users with minimal privilege to exploit SSTI for remote code execution, undermining isolation of workflow components.
- The improvements for SQLi and SSRF reduce risk from common injection and request-based attacks.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | c36a425ae0c94789a9bc34f06a135cbf | 100146 | SSRF - Host - 2 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | dfa84b0aed5a4b45b953a36a57035abf | 100146B | SSRF - Local - 2 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 276073e60c7a4b4d91faba1fbbe18d50 | 100146C | SSRF - Cloud - 2 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 78c856218f2d40f4b5988c8c956c1961 | 100714 | Azure - Auth Bypass - CVE:CVE-2025-54914 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 9f1c8d4cbf3848dbb940771bc5ced231 | 100758 | Skyvern - Remote Code Execution - CVE:CVE-2025-49619 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 6be7e7829f3b43c688e1ac4284a619a1 | 100773 | Next.js - SSRF | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 0cc3f50216bf4b448210bcc3983ff2dd | 100774 | Adobe Commerce - Remote Code Execution - CVE:CVE-2025-54236 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 53bfaeb311a049e3877fa15c0380a1a6 | 100800_BETA | SQLi - Obfuscated Boolean - Beta | Log | Block | This rule has been merged into the original rule (ID: 7663ea44178441a0b3205c145563445f) |

2025/9/22

WAF - WAF Release - 2025-09-15

This week's update

This week's focus highlights newly disclosed vulnerabilities in DevOps tooling, data visualization platforms, and enterprise CMS solutions. These issues include sensitive information disclosure and remote code execution, putting organizations at risk of credential leakage, unauthorized access, and full system compromise.

Key Findings

- Argo CD (CVE-2025-55190): Exposure of sensitive information could allow attackers to access credential data stored in configurations, potentially leading to compromise of Kubernetes workloads and secrets.
- DataEase (CVE-2025-57773): Insufficient input validation enables JNDI injection and insecure deserialization, resulting in remote code execution (RCE). Successful exploitation grants attackers control over the application server.
- Sitecore (CVE-2025-53694): A sensitive information disclosure flaw allows unauthorized access to confidential information stored in Sitecore deployments, raising the risk of data breaches and privilege escalation.

Impact

These vulnerabilities expose organizations to serious risks, including credential theft, unauthorized access, and full system compromise. Argo CD's flaw may expose Kubernetes secrets, DataEase exploitation could give attackers remote execution capabilities, and Sitecore's disclosure issue increases the likelihood of sensitive data leakage and business impact. Administrators are strongly advised to apply vendor patches immediately, rotate exposed credentials, and review access controls to mitigate these risks.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 199cce9ab21e40bcb535f01b2ee2085f | 100646 | Argo CD - Information Disclosure - CVE:CVE-2025-55190 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | e513bb21b6a44f9cbfcd2462f5e20788 | 100874 | DataEase - JNDI injection - CVE:CVE-2025-57773 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | be097f5a71a04f27aa87b60d005a12fd | 100880 | Sitecore - Information Disclosure - CVE:CVE-2025-53694 | Log | Block | This is a New Detection |

2025/9/15

WAF - WAF Release - 2025-09-08

This week's update

This week’s focus highlights newly disclosed vulnerabilities in web frameworks, enterprise applications, and widely deployed CMS plugins. The vulnerabilities include SSRF, authentication bypass, arbitrary file upload, and remote code execution (RCE), exposing organizations to high-impact risks such as unauthorized access, system compromise, and potential data exposure. In addition, security rule enhancements have been deployed to cover general command injection and server-side injection attacks, further strengthening protections.

Key Findings

- Next.js (CVE-2025-57822): Improper handling of redirects in custom middleware can lead to server-side request forgery (SSRF) when user-supplied headers are forwarded. Attackers could exploit this to access internal services or cloud metadata endpoints. The issue has been resolved in versions 14.2.32 and 15.4.7. Developers using custom middleware should upgrade and verify proper redirect handling in next() calls.
- ScriptCase (CVE-2025-47227, CVE-2025-47228): In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), two vulnerabilities allow attackers to reset admin accounts and execute system commands, potentially leading to full compromise of affected deployments.
- Sar2HTML (CVE-2025-34030): In Sar2HTML version 3.2.2 and earlier, insufficient input sanitization of the plot parameter allows remote, unauthenticated attackers to execute arbitrary system commands. Exploitation could compromise the underlying server and its data.
- Zhiyuan OA (CVE-2025-34040): An arbitrary file upload vulnerability exists in the Zhiyuan OA platform. Improper validation in the wpsAssistServlet interface allows unauthenticated attackers to upload crafted files via path traversal, which can be executed on the web server, leading to remote code execution.
- WordPress:Plugin:InfiniteWP Client (CVE-2020-8772): A vulnerability in the InfiniteWP Client plugin allows attackers to perform restricted actions and gain administrative control of connected WordPress sites.

Impact

These vulnerabilities could allow attackers to gain unauthorized access, execute malicious code, or take full control of affected systems. The Next.js SSRF flaw may expose internal services or cloud metadata endpoints to attackers. Exploitations of ScriptCase and Sar2HTML could result in remote code execution, administrative takeover, and full server compromise. In Zhiyuan OA, the arbitrary file upload vulnerability allows attackers to execute malicious code on the web server, potentially exposing sensitive data and applications. The authentication bypass in WordPress InfiniteWP Client enables attackers to gain administrative access, risking data exposure and unauthorized control of connected sites. Administrators are strongly advised to apply vendor patches immediately, remove unsupported software, and review authentication and access controls to mitigate these risks.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 7c5812a31fd94996b3299f7e963d7afc | 100007D | Command Injection - Common Attack Commands Args | Log | Block | This rule has been merged into the original rule "Command Injection - Common Attack Commands" (ID: 89557ce9b26e4d4dbf29e90c28345b9b) for New WAF customers only. |
| Cloudflare Managed Ruleset | cd528243d6824f7ab56182988230a75b | 100617 | Next.js - SSRF - CVE:CVE-2025-57822 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 503b337dac5c409d8f833a6ba22dabf1 | 100659_BETA | Common Payloads for Server-Side Template Injection - Beta | Log | Block | This rule is merged into the original rule "Common Payloads for Server-Side Template Injection" (ID: 21c7a963e1b749e7b1753238a28a42c4) |
| Cloudflare Managed Ruleset | 6d24266148f24f5e9fa487f8b416b7ca | 100824B | CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 - 3 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 154b217c43d04f11a13aeff05db1fa6b | 100848 | ScriptCase - Auth Bypass - CVE:CVE-2025-47227 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | cad6f1c8c6d44ef59929e6532c62d330 | 100849 | ScriptCase - Command Injection - CVE:CVE-2025-47228 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | e7464139fd3e44938b56716bef971afd | 100872 | WordPress:Plugin:InfiniteWP Client - Missing Authorization - CVE:CVE-2020-8772 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 0181ebb2cc234f2d863412e1bab19b0b | 100873 | Sar2HTML - Command Injection - CVE:CVE-2025-34030 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 34d5c7c7b08b40eaad5b2bb3f24c0fbe | 100875 | Zhiyuan OA - Remote Code Execution - CVE:CVE-2025-34040 | Log | Block | This is a New Detection |

2025/9/8

WAF - WAF Release - 2025-09-04 - Emergency

This week's update

This week, new critical vulnerabilities were disclosed in Sitecore’s Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP), specifically versions 9.0 through 9.3 and 10.0 through 10.4. These flaws are caused by unsafe data deserialization and code reflection, leaving affected systems at high risk of exploitation.

Key Findings

- CVE-2025-53690: Remote Code Execution through Insecure Deserialization
- CVE-2025-53691: Remote Code Execution through Insecure Deserialization
- CVE-2025-53693: HTML Cache Poisoning through Unsafe Reflections

Impact

Exploitation could allow attackers to execute arbitrary code remotely on the affected system and conduct cache poisoning attacks, potentially leading to further compromise. Applying the latest vendor-released solution without delay is strongly recommended.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 588edc74df1f4609b3c2f7ef0ee2c15e | 100878 | Sitecore - Remote Code Execution - CVE:CVE-2025-53691 | N/A | Block | This is a new detection |
| Cloudflare Managed Ruleset | d1bd7563e6254db48ce703807c5b669c | 100631 | Sitecore - Cache Poisoning - CVE:CVE-2025-53693 | N/A | Block | This is a new detection |
| Cloudflare Managed Ruleset | ed94c7ce5301411a94a21a096c410240 | 100879 | Sitecore - Remote Code Execution - CVE:CVE-2025-53690 | N/A | Block | This is a new detection |

2025/9/4

WAF - WAF Release - 2025-09-01

This week's update

This week, a critical vulnerability was disclosed in Fortinet FortiWeb (versions 7.6.3 and below, 7.4.7 and below, 7.2.10 and below, and 7.0.10 and below), linked to improper parameter handling that could allow unauthorized access.

Key Findings

- Fortinet FortiWeb (CVE-2025-52970): An unauthenticated remote attacker with access to non-public information may be able to log in as any existing user on the device via a specially crafted request.

Impact

Exploitation could allow an unauthenticated attacker to impersonate any existing user on the device, potentially enabling them to modify system settings or exfiltrate sensitive information. Upgrading to the latest vendor-released version is strongly recommended.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 636b145a49a84946b990d4fac49b7cf8 | 100586 | Fortinet FortiWeb - Auth Bypass - CVE:CVE-2025-52970 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | b5ef1ace353841a0856b5e07790c9dde | 100136C | XSS - JavaScript - Headers and Body | N/A | N/A | Rule metadata description refined. Detection unchanged. |

2025/9/1

WAF - WAF Release - 2025-08-29 - Emergency

This week's update

This week, new critical vulnerabilities were disclosed in Next.js's image optimization functionality, exposing a broad range of production environments to risks of data exposure and cache manipulation.

Key Findings

- CVE-2025-55173: Arbitrary file download from the server via image optimization.
- CVE-2025-57752: Cache poisoning leading to unauthorized data disclosure.

Impact

Exploitation could expose sensitive files, leak user or backend data, and undermine application trust. Given Next.js's wide use, immediate patching and cache hardening are strongly advised.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | ea55f8aac44246cc9b827eea9ff4bfe3 | 100613 | Next.js - Dangerous File Download - CVE:CVE-2025-55173 | N/A | Block | This is a new detection |
| Cloudflare Managed Ruleset | e2b2d77a79cc4a76bf7ba53d69b9ea7d | 100616 | Next.js - Information Disclosure - CVE:CVE-2025-57752 | N/A | Block | This is a new detection |

2025/8/29

Secrets Store, AI Gateway, SSL/TLS - Manage and deploy your AI provider keys through Bring Your Own Key (BYOK) with AI Gateway, now powered by Cloudflare Secrets Store

Cloudflare Secrets Store is now integrated with AI Gateway, allowing you to store, manage, and deploy your AI provider keys in a secure and seamless configuration through Bring Your Own Key (BYOK). Instead of passing your AI provider keys directly in every request header, you can centrally manage each key with Secrets Store and reference it in your gateway configuration, rather than passing the value in plain text.

You can now create a secret directly from your AI Gateway in the dashboard by navigating to your gateway -> Provider Keys -> Add. You can also create your secret with the newly available ai_gateway scope via wrangler, the Secrets Store dashboard, or the API. Then, pass the key in the request header using its Secrets Store reference:

```sh
curl -X POST https://gateway.ai.cloudflare.com/v1/<ACCOUNT_ID>/my-gateway/anthropic/v1/messages \
  --header 'cf-aig-authorization: ANTHROPIC_KEY_1' \
  --header 'anthropic-version: 2023-06-01' \
  --header 'Content-Type: application/json' \
  --data '{"model": "claude-3-opus-20240229", "messages": [{"role": "user", "content": "What is Cloudflare?"}]}'
```

Or, using JavaScript:

```javascript
import Anthropic from '@anthropic-ai/sdk';

// The Secrets Store reference stands in for the provider key; AI Gateway resolves it.
const anthropic = new Anthropic({
  apiKey: "ANTHROPIC_KEY_1",
  baseURL: "https://gateway.ai.cloudflare.com/v1/<ACCOUNT_ID>/my-gateway/anthropic",
});

const message = await anthropic.messages.create({
  model: 'claude-3-opus-20240229',
  messages: [{ role: "user", content: "What is Cloudflare?" }],
  max_tokens: 1024,
});
```

For more information, check out the blog!

2025/8/25

WAF - WAF Release - 2025-08-25

This week's update

This week's update covers critical vulnerabilities in widely used open-source infrastructure, creating high-risk scenarios for code execution and operational disruption.

Key Findings

- Apache HTTP Server - Code Execution (CVE-2024-38474): A flaw in Apache HTTP Server allows attackers to achieve remote code execution, enabling full compromise of affected servers. This vulnerability threatens the confidentiality, integrity, and availability of critical web services.
- Laravel (CVE-2024-55661): A security flaw in Laravel introduces the potential for remote code execution under specific conditions. Exploitation could provide attackers with unauthorized access to application logic and sensitive backend data.

Impact

These vulnerabilities pose severe risks to enterprise environments and open-source ecosystems. Remote code execution enables attackers to gain deep system access, steal data, disrupt services, and establish persistent footholds for broader intrusions. Given the widespread deployment of Apache HTTP Server and Laravel in production systems, timely patching and mitigation are critical.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | c550282a0f7343ca887bdab528050359 | 100822_BETA | WordPress:Plugin:WPBookit - Remote Code Execution - CVE:CVE-2025-6058 | N/A | Disabled | This rule was merged into the original rule "WordPress:Plugin:WPBookit - Remote Code Execution - CVE:CVE-2025-6058" (ID: 9b5c5e13d2ca4253a89769f2194f7b2d) |
| Cloudflare Managed Ruleset | 456b1e8f827b4ed89fb4a54b3bdcdbad | 100831 | Apache HTTP Server - Code Execution - CVE:CVE-2024-38474 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 7dcc01e1dd074e42a26c8ca002eaac5b | 100846 | Laravel - Remote Code Execution - CVE:CVE-2024-55661 | Log | Disabled | This is a New Detection |

2025/8/25

WAF - WAF Release - 2025-08-22

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 0f3b6b9377334707b604be925fcca5c8 | 100850 | Command Injection - Generic 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 36b0532eb3c941449afed2d3744305c4 | 100851 | Remote Code Execution - Java Deserialization | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5d3c0d0958d14512bd2a7d902b083459 | 100852 | Command Injection - Generic 3 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 6e2f7a696ea74c979e7d069cefb7e5b9 | 100853 | Remote Code Execution - Common Bash Bypass Beta | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 735666d7268545a5ae6cfd0b78513ad7 | 100854 | XSS - Generic JavaScript | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 82780ba6f5df49dcb8d09af0e9a5daac | 100855 | Command Injection - Generic 4 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 8e305924a7dc4f91a2de931a480f6093 | 100856 | PHP Object Injection | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 1d34e0d05c10473ca824e66fd4ae0a33 | 100857 | Generic - Parameter Fuzzing | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | b517e4b79d7a47fbb61f447b1121ee45 | 100858 | Code Injection - Generic 4 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 1f9accf629dc42cb84a7a14420de01e3 | 100859 | SQLi - UNION - 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | e95939eacf7c4484b47101d5c0177e21 | 100860 | Command Injection - Generic 5 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 7b426e6f456043f4a21c162085f4d7b3 | 100861 | Command Execution - Generic | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5fac82bd1c03463fb600cfa83fa8ee7f | 100862 | GraphQL Injection - 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ab2cb1f2e2ad4da6a2685b1dc7a41d4b | 100863 | Command Injection - Generic 6 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 549b4fe1564a448d848365d565e3c165 | 100864 | Code Injection - Generic 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 8ef3c3f91eef46919cc9cb6d161aafdc | 100865 | PHP Object Injection - 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 57e8ba867e6240d2af8ea0611cc3c3f8 | 100866 | SQLi - LIKE 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | a967a167874b42b6898be46e48ac2221 | 100867 | SQLi - DROP - 2 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | cf79a868cc934bcc92b86ff01f4eec13 | 100868 | Code Injection - Generic 3 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 97a52405eaae47ae9627dbb22755f99e | 100869 | Command Injection - Generic 7 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5b3ce84c099040c6a25cee2d413592e2 | 100870 | Command Injection - Generic 8 | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5940a9ace2f04d078e35d435d2dd41b5 | 100871 | SQLi - LIKE 3 | N/A | Disabled | This is a New Detection |

2025/8/22

WAF - WAF Release - 2025-08-18

This week's update

This week, a series of critical vulnerabilities were disclosed impacting core enterprise and open-source infrastructure. These flaws present a range of risks, providing attackers with distinct pathways for remote code execution, methods to breach internal network boundaries, and opportunities for critical data exposure and operational disruption.

Key Findings

- SonicWall SMA (CVE-2025-32819, CVE-2025-32820, CVE-2025-32821): A remote authenticated attacker with SSLVPN user privileges can bypass path traversal protections. These vulnerabilities enable an attacker to bypass security checks to read, modify, or delete arbitrary files. An attacker with administrative privileges can escalate this further, using a command injection flaw to upload malicious files, which could ultimately force the appliance to reboot to its factory default settings.
- Ms-Swift Project (CVE-2025-50460): An unsafe deserialization vulnerability exists in the Ms-Swift project's handling of YAML configuration files. If an attacker can control the content of a configuration file passed to the application, they can embed a malicious payload that executes arbitrary code during deserialization.
- Apache Druid (CVE-2023-25194): This vulnerability allows an attacker to cause the server to connect to a malicious LDAP server. By sending a specially crafted LDAP response, the attacker can trigger an unrestricted deserialization of untrusted data. If specific "gadgets" (classes that can be abused) are present in the server's classpath, this can be escalated to Remote Code Execution (RCE).
- Tenda AC8v4 (CVE-2025-51087, CVE-2025-51088): Vulnerabilities allow an authenticated attacker to trigger a stack-based buffer overflow. By sending malformed arguments in a request to specific endpoints, an attacker can crash the device or potentially achieve arbitrary code execution.
- Open WebUI (CVE-2024-7959): This vulnerability allows a user to change the OpenAI URL endpoint to an arbitrary internal network address without proper validation. This flaw can be exploited to access internal services or cloud metadata endpoints, potentially leading to remote command execution if the attacker can retrieve instance secrets or access sensitive internal APIs.
- BentoML (CVE-2025-54381): The vulnerability exists in the serialization/deserialization handlers for multipart form data and JSON requests, which automatically download files from user-provided URLs without proper validation of internal network addresses. This allows attackers to fetch from unintended internal services, including cloud metadata and localhost.
- Adobe Experience Manager Forms (CVE-2025-54254): An Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read in Adobe AEM (≤6.5.23).

Impact

These vulnerabilities affect core infrastructure, from network security appliances like SonicWall to data platforms such as Apache Druid and ML frameworks like BentoML. The code execution and deserialization flaws are particularly severe, offering deep system access that allows attackers to steal data, disrupt services, and establish a foothold for broader intrusions. At the same time, the SSRF and XXE vulnerabilities undermine network boundaries, exposing sensitive internal data and creating pathways for lateral movement. Beyond data-centric threats, flaws in edge devices like the Tenda router introduce the tangible risk of operational disruption, highlighting a multi-faceted threat to the security and stability of key enterprise systems.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 326ebb56d46a4c269bb699d3418d9a3b | 100574 | SonicWall SMA - Remote Code Execution - CVE:CVE-2025-32819, CVE:CVE-2025-32820, CVE:CVE-2025-32821 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 69f4f161dec04aca8a73a3231e6fefdb | 100576 | Ms-Swift Project - Remote Code Execution - CVE:CVE-2025-50460 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | d62935357ff846d9adefb58108ac45b3 | 100585 | Apache Druid - Remote Code Execution - CVE:CVE-2023-25194 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 4f6148a760804bf8ad8ebccfe4855472 | 100834 | Tenda AC8v4 - Auth Bypass - CVE:CVE-2025-51087, CVE:CVE-2025-51088 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 1474121b01ba40629f8246f8022ab542 | 100835 | Open WebUI - SSRF - CVE:CVE-2024-7959 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 96abffdb7e224ce69ddf89eb6339f132 | 100837 | SQLi - OOB | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | a0b20ec638d14800a1d6827cb83d2625 | 100841 | BentoML - SSRF - CVE:CVE-2025-54381 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 40fd793035c947c5ac75add1739180d2 | 100841A | BentoML - SSRF - CVE:CVE-2025-54381 - 2 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 08dcb20b9acf47e3880a0b886ab910c2 | 100841B | BentoML - SSRF - CVE:CVE-2025-54381 - 3 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 309cfb7eeb42482e9ad896f12197ec51 | 100845 | Adobe Experience Manager Forms - XSS - CVE:CVE-2025-54254 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 6e039776c2d6418ab6e8f05196f34ce3 | 100845A | Adobe Experience Manager Forms - XSS - CVE:CVE-2025-54254 - 2 | Log | Block | This is a New Detection |

2025/8/18

Security Center - Save time with bulk query creation in Brand Protection

Brand Protection detects domains that may be impersonating your brand — from common misspellings (cloudfalre.com) to malicious concatenations (cloudflare-okta.com). Saved search queries run continuously and alert you when suspicious domains appear. You can now create and save multiple queries in a single step, streamlining setup and management. Available now via the Brand Protection bulk query creation API.

2025/8/15

WAF - WAF Release - 2025-08-11

This week's update

This week's update focuses on a wide range of enterprise software, from network infrastructure and security platforms to content management systems and development frameworks. Flaws include unsafe deserialization, OS command injection, SSRF, authentication bypass, and arbitrary file upload, many of which allow unauthenticated remote code execution. Notable risks include Cisco Identity Services Engine and Ivanti EPMM, where successful exploitation could grant attackers full administrative control of core network infrastructure, and popular web platforms such as WordPress, SharePoint, and Ingress-Nginx, where security bypasses and arbitrary file uploads could lead to complete site or server compromise.

Key Findings

- Cisco Identity Services Engine (CVE-2025-20281): Insufficient input validation in a specific API of Cisco Identity Services Engine (ISE) and ISE-PIC allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device.
- Wazuh Server (CVE-2025-24016): An unsafe deserialization vulnerability in Wazuh Server (versions 4.4.0 to 4.9.0) allows remote code execution and privilege escalation. By injecting unsanitized data, an attacker can trigger an exception that executes arbitrary code on the server.
- CrushFTP (CVE-2025-54309): A flaw in AS2 validation within CrushFTP allows remote attackers to gain administrative access via HTTPS on systems not using the DMZ proxy feature. This can lead to unauthorized file access and potential system compromise.
- Kentico Xperience CMS (CVE-2025-2747, CVE-2025-2748): Vulnerabilities in Kentico Xperience CMS could enable cross-site scripting (XSS), allowing attackers to inject malicious scripts into web pages. Additionally, a flaw could allow unauthenticated attackers to bypass the Staging Sync Server's authentication, potentially leading to administrative control over the CMS.
- Node.js (CVE-2025-27210): An incomplete fix for a previous vulnerability (CVE-2025-23084) in Node.js affects the path.join() API method on Windows systems. The vulnerability can be triggered using reserved Windows device names such as CON, PRN, or AUX.
- WordPress:Plugin:Simple File List (CVE-2025-34085, CVE-2020-36847): This vulnerability in the Simple File List plugin for WordPress allows an unauthenticated remote attacker to upload arbitrary files to a vulnerable site, which can be exploited to achieve remote code execution on the server.
- GeoServer (CVE-2024-29198): A Server-Side Request Forgery (SSRF) vulnerability exists in GeoServer's Demo request endpoint, which can be exploited where the Proxy Base URL has not been configured.
- Ivanti EPMM (CVE-2025-6771): An OS command injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) before versions 12.5.0.2, 12.4.0.3, and 12.3.0.3 allows a remote, authenticated attacker with high privileges to execute arbitrary code.
- Microsoft SharePoint (CVE-2024-38018): A remote code execution vulnerability affecting Microsoft SharePoint Server.
- Manager-IO (CVE-2025-54122): A critical unauthenticated full-read Server-Side Request Forgery (SSRF) vulnerability is present in the proxy handler of both Manager Desktop and Server editions up to version 25.7.18.2519. This allows an unauthenticated attacker to bypass network isolation and access internal services.
- Ingress-Nginx (CVE-2025-1974): A vulnerability in the Ingress-Nginx controller for Kubernetes allows an attacker to bypass access control rules. An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller.
- PaperCut NG/MF (CVE-2023-2533): A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF. Under specific conditions, an attacker could exploit this to alter security settings or execute arbitrary code if they can deceive an administrator with an active login session into clicking a malicious link.
- SonicWall SMA (CVE-2025-40598): This vulnerability could allow a remote, unauthenticated attacker to bypass security controls and potentially execute arbitrary JavaScript code.
- WordPress (CVE-2025-5394): The "Alone – Charity Multipurpose Non-profit WordPress Theme" for WordPress is vulnerable to arbitrary file uploads. A missing capability check allows unauthenticated attackers to upload ZIP files containing webshells disguised as plugins, leading to remote code execution.

Impact

These vulnerabilities span a broad range of enterprise technologies, including network access control systems, monitoring platforms, web servers, CMS platforms, cloud services, and collaboration tools. Exploitation techniques range from remote code execution and command injection to authentication bypass, path traversal, and configuration weaknesses. A critical flaw in perimeter devices like Ivanti EPMM or SonicWall SMA could allow an attacker to gain remote code execution or bypass security controls, breaching the primary network defense. A separate vulnerability within Cisco's Identity Services Engine could then be exploited to bypass network segmentation, granting an attacker widespread internal access. The deserialization issue in Wazuh Server and the AS2 validation flaw in CrushFTP could then be used to run malicious payloads or steal sensitive files from administrative consoles. Weaknesses in web delivery controllers like Ingress-Nginx or popular content management systems such as WordPress, SharePoint, and Kentico Xperience create vectors to bypass security controls, exfiltrate confidential data, or fully compromise servers.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | ec6480c81253494b947d891e51bc8df1 | 100538 | GeoServer - SSRF - CVE:CVE-2024-29198 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | b8cb07170b5e4c2b989119cac9e0b290 | 100548 | Ivanti EPMM - Remote Code Execution - CVE:CVE-2025-6771 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | b3524bf5f5174b65bc892122ad93cda8 | 100550 | Microsoft SharePoint - Remote Code Execution - CVE:CVE-2024-38018 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | e1369c5d629f4f10a14141381dca5738 | 100562 | Manager-IO - SSRF - CVE:CVE-2025-54122 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 136f67e2b6a84f15ab9a82a52e9137e1 | 100565 | Cisco Identity Services Engine - Remote Code Execution - CVE:CVE-2025-20281 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ed759f7e44184fa398ef71785d8102e1 | 100567 | Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1974 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 71b8e7b646f94d79873213cd99105c43 | 100569 | PaperCut NG/MF - Remote Code Execution - CVE:CVE-2023-2533 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 2450bfbb0cfb4804b109d1c42c81dc88 | 100571 | SonicWall SMA - XSS - CVE:CVE-2025-40598 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 8ce1903b67e24205a93f5fe6926c96d4 | 100573 | WordPress - Dangerous File Upload - CVE:CVE-2025-5394 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 7fdb3c7bc7b74703aeef4ab240ec2fda | 100806 | Wazuh Server - Remote Code Execution - CVE:CVE-2025-24016 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | fe088163f51f4928a3c8d91e2401fa3b | 100824 | CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 3638baed75924604987b86d874920ace | 100824A | CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 - 2 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | dda4f95b3a3e4ebb9e194aa5c7e63549 | 100825 | AMI MegaRAC - Auth Bypass - CVE:CVE-2024-54085 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 7dc07014cefa4ce9adf21da7b79037e6 | 100826 | Kentico Xperience CMS - Auth Bypass - CVE:CVE-2025-2747 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 7c7a0a37e79a4949ba840c9acaf261aa | 100827 | Kentico Xperience CMS - XSS - CVE:CVE-2025-2748 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 54dd826f578c483196ce852b6f1c2d12 | 100828 | Node.js - Directory Traversal - CVE:CVE-2025-27210 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | a2867f7456c14213a94509a40341fccc | 100829 | WordPress:Plugin:Simple File List - Remote Code Execution - CVE:CVE-2025-34085 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 4cdb0e792d1a428a897526624cefeeda | 100829A | WordPress:Plugin:Simple File List - Remote Code Execution - CVE:CVE-2025-34085 - 2 | Log | Disabled | This is a New Detection |

2025/8/11

WAF - WAF Release - 2025-08-07 - Emergency

This week's highlight focuses on two critical vulnerabilities affecting key infrastructure and enterprise content management platforms. Both flaws present significant remote code execution risks that can be exploited with minimal or no user interaction.

Key Findings

- Squid (≤6.3), CVE-2025-54574: A heap buffer overflow occurs when processing Uniform Resource Names (URNs). This vulnerability may allow remote attackers to execute arbitrary code on the server. The issue has been resolved in version 6.4.
- Adobe AEM (≤6.5.23), CVE-2025-54253: Due to a misconfiguration, attackers can achieve remote code execution without requiring any user interaction, posing a severe threat to affected deployments.

Impact

Both vulnerabilities expose critical attack vectors that can lead to full server compromise. The Squid heap buffer overflow allows remote code execution by crafting malicious URNs, which can lead to server takeover or denial of service. Given Squid's widespread use as a caching proxy, this flaw could be exploited to disrupt network traffic or gain footholds inside secure environments. Adobe AEM's remote code execution vulnerability enables attackers to run arbitrary code on the content management server without any user involvement. This puts sensitive content, application integrity, and the underlying infrastructure at extreme risk. Exploitation could lead to data theft, defacement, or persistent backdoor installation. These findings reinforce the urgency of updating to the patched versions (Squid 6.4 and Adobe AEM 6.5.24 or later) and reviewing configurations to prevent exploitation.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | f61ed7c1e7e24c3380289e41ef7e015b | 100844 | Adobe Experience Manager Forms - Remote Code Execution - CVE:CVE-2025-54253 | N/A | Block | This is a New Detection |
| Cloudflare Managed Ruleset | e76e65f5a3aa43f49e0684a6baec057a | 100840 | Squid - Buffer Overflow - CVE:CVE-2025-54574 | N/A | Block | This is a New Detection |

2025/8/7

WAF - WAF Release - 2025-08-04

This week's highlight focuses on a series of significant vulnerabilities identified across widely adopted web platforms, from enterprise-grade CMS to essential backend administration tools. The findings reveal multiple vectors for attack, including critical flaws that allow for full server compromise and others that enable targeted attacks against users.

Key Findings

- Sitecore (CVE-2025-34509, CVE-2025-34510, CVE-2025-34511): A hardcoded credential allows remote attackers to access administrative APIs. Once authenticated, they can exploit an additional vulnerability to upload arbitrary files, leading to remote code execution.
- Grafana (CVE-2025-4123): A cross-site scripting (XSS) vulnerability allows an attacker to redirect users to a malicious website, which can then execute arbitrary JavaScript in the victim's browser.
- LaRecipe (CVE-2025-53833): Through Server-Side Template Injection, attackers can execute arbitrary commands on the server, potentially access sensitive environment variables, and escalate access depending on server configuration.
- CentOS WebPanel (CVE-2025-48703): A command injection vulnerability could allow a remote attacker to execute arbitrary commands on the server.
- WordPress (CVE-2023-5561): This vulnerability allows unauthenticated attackers to determine the email addresses of users who have published public posts on an affected website.
- WordPress Plugin - WPBookit (CVE-2025-6058): A missing file type validation allows unauthenticated attackers to upload arbitrary files to the server, creating the potential for remote code execution.
- WordPress Theme - Motors (CVE-2025-4322): Due to improper identity validation, an unauthenticated attacker can change the passwords of arbitrary users, including administrators, to gain access to their accounts.

Impact

These vulnerabilities pose a multi-layered threat to widely adopted web technologies, ranging from enterprise-grade platforms like Sitecore to everyday solutions such as WordPress, and backend tools like CentOS WebPanel. The most severe risks originate in the remote code execution (RCE) flaws found in Sitecore, CentOS WebPanel, LaRecipe, and the WPBookit plugin. These allow attackers to bypass security controls and gain deep access to the server, enabling them to steal sensitive data, deface websites, install persistent malware, or use the compromised server as a launchpad for further attacks. The privilege escalation vulnerability in the Motors theme allows a complete administrative account takeover on WordPress sites. This effectively hands control of the application to an attacker, who can then manipulate content, exfiltrate user data, and alter site functionality without needing to breach the server itself. The Grafana cross-site scripting (XSS) flaw can be used to hijack authenticated user sessions or steal credentials, turning a trusted user's browser into an attack vector. Meanwhile, the information disclosure flaw in WordPress core provides attackers with valid user emails, fueling targeted phishing campaigns that aim for the same account access achievable through the other exploits.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | b8ab4644f8044f3485441ee052f30a13 | 100535A | Sitecore - Dangerous File Upload - CVE:CVE-2025-34510, CVE:CVE-2025-34511 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 06d1fe0bd6e44d868e6b910b5045a97f | 100535 | Sitecore - Information Disclosure - CVE:CVE-2025-34509 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | f71ce87ea6e54eab999223df579cd3e0 | 100543 | Grafana - Directory Traversal - CVE:CVE-2025-4123 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | bba3d37891a440fb8bc95b970cbd9abc | 100545 | WordPress - Information Disclosure - CVE:CVE-2023-5561 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 28108d25f1cf470c8e7648938f634977 | 100820 | CentOS WebPanel - Remote Code Execution - CVE:CVE-2025-48703 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 9d69c796a61444a3aca33dc282ae64c1 | 100821 | LaRecipe - SSTI - CVE:CVE-2025-53833 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 9b5c5e13d2ca4253a89769f2194f7b2d | 100822 | WordPress:Plugin:WPBookit - Remote Code Execution - CVE:CVE-2025-6058 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 69d43d704b0641898141a4300bf1b661 | 100823 | WordPress:Theme:Motors - Privilege Escalation - CVE:CVE-2025-4322 | Log | Block | This is a New Detection |

2025/8/4

Workers, Secrets Store - Deploy to Cloudflare buttons now support Worker environment variables, secrets, and Secrets Store secrets

Any template which uses Worker environment variables, secrets, or Secrets Store secrets can now be deployed using a Deploy to Cloudflare button. Define environment variables and Secrets Store bindings in your Wrangler configuration file as normal:

wrangler.jsonc

```jsonc
{
  "name": "my-worker",
  "main": "./src/index.ts",
  "compatibility_date": "2025-10-20",
  "vars": {
    "API_HOST": "https://example.com"
  },
  "secrets_store_secrets": [
    {
      "binding": "API_KEY",
      "store_id": "demo",
      "secret_name": "api-key"
    }
  ]
}
```

wrangler.toml

```toml
name = "my-worker"
main = "./src/index.ts"
compatibility_date = "2025-10-20"

[vars]
API_HOST = "https://example.com"

[[secrets_store_secrets]]
binding = "API_KEY"
store_id = "demo"
secret_name = "api-key"
```

Add secrets to a .dev.vars.example or .env.example file:

```sh
COOKIE_SIGNING_KEY=my-secret # comment
```

And optionally, you can add a description for these bindings in your template's package.json to help users understand how to configure each value:

```json
{
  "name": "my-worker",
  "private": true,
  "cloudflare": {
    "bindings": {
      "API_KEY": {
        "description": "Select your company's API key for connecting to the example service."
      },
      "COOKIE_SIGNING_KEY": {
        "description": "Generate a random string using `openssl rand -hex 32`."
      }
    }
  }
}
```

These secrets and environment variables will be presented to users in the dashboard as they deploy this template, allowing them to configure each value. Additional information about creating templates and Deploy to Cloudflare buttons can be found in our documentation.

2025/7/29

WAF - WAF Release - 2025-07-28

This week’s update spotlights several vulnerabilities across Apache Tomcat, MongoDB, and Fortinet FortiWeb. Several flaws related with a memory leak in Apache Tomcat can lead to a denial-of-service attack. Additionally, a code injection flaw in MongoDB's Mongoose library allows attackers to bypass security controls to access restricted data. Key Findings Fortinet FortiWeb (CVE-2025-25257): An improper neutralization of special elements used in a SQL command vulnerability in Fortinet FortiWeb versions allows an unauthenticated attacker to execute unauthorized SQL code or commands. Apache Tomcat (CVE-2025-31650): A improper Input Validation vulnerability in Apache Tomcat that could create memory leak when incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request. MongoDB (CVE-2024-53900, CVE:CVE-2025-23061): Improper use of $where in match and a nested $where filter with a populate() match in Mongoose can lead to search injection. Impact These vulnerabilities target user-facing components, web application servers, and back-end databases. A SQL injection flaw in Fortinet FortiWeb can lead to data theft or system compromise. A separate issue in Apache Tomcat involves a memory leak from improper input validation, which could be exploited for a denial-of-service (DoS) attack. Finally, a vulnerability in MongoDB's Mongoose library allows attackers to bypass security filters and access unauthorized data through malicious search queries. 
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 6ab3bd3b58fb4325ac2d3cc73461ec9e | 100804 | BerriAI - SSRF - CVE:CVE-2024-6587 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 2e6c4d02f42a4c3ca90649d50cb13e1d | 100812 | Fortinet FortiWeb - Remote Code Execution - CVE:CVE-2025-25257 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | fd360d8fd9994e6bab6fb06067fae7f7 | 100813 | Apache Tomcat - DoS - CVE:CVE-2025-31650 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | f9e01e28c5d6499cac66364b4b6a5bb1 | 100815 | MongoDB - Remote Code Execution - CVE:CVE-2024-53900, CVE:CVE-2025-23061 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 700d4fcc7b1f481a80cbeee5688f8e79 | 100816 | MongoDB - Remote Code Execution - CVE:CVE-2024-53900, CVE:CVE-2025-23061 | Log | Block | This is a New Detection |

2025/7/28

WAF - WAF Release - 2025-07-21 - Emergency

This week's update highlights several high-impact vulnerabilities affecting Microsoft SharePoint Server. These flaws, involving unsafe deserialization, allow unauthenticated remote code execution over the network, posing a critical threat to enterprise environments relying on SharePoint for collaboration and document management.

Key Findings
- Microsoft SharePoint Server (CVE-2025-53770): A critical vulnerability involving unsafe deserialization of untrusted data, enabling unauthenticated remote code execution over the network. This flaw allows attackers to execute arbitrary code on vulnerable SharePoint servers without user interaction.
- Microsoft SharePoint Server (CVE-2025-53771): A closely related deserialization issue that can be exploited by unauthenticated attackers, potentially leading to full system compromise. The vulnerability highlights continued risks around insecure serialization logic in enterprise collaboration platforms.

Impact
Together, these vulnerabilities significantly weaken the security posture of on-premise Microsoft SharePoint Server deployments. By enabling remote code execution without authentication, they open the door for attackers to gain persistent access, deploy malware, and move laterally across enterprise environments.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 34dac2b38b904163bc587cc32168f6f0 | 100817 | Microsoft SharePoint - Deserialization - CVE:CVE-2025-53770 | N/A | Block | This is a New Detection |
| Cloudflare Managed Ruleset | d21f327516a145bc9d1b05678de656c4 | 100818 | Microsoft SharePoint - Deserialization - CVE:CVE-2025-53771 | N/A | Block | This is a New Detection |

For more details, also refer to our blog.

2025/7/21

WAF - WAF Release - 2025-07-21

This week's update spotlights several critical vulnerabilities across Citrix NetScaler (memory disclosure), FTP servers, and network management appliances. Several flaws enable unauthenticated remote code execution or sensitive data exposure, posing a significant risk to enterprise security.

Key Findings
- Wing FTP Server (CVE-2025-47812): A critical Remote Code Execution (RCE) vulnerability that enables unauthenticated attackers to execute arbitrary code with root/SYSTEM-level privileges by exploiting a Lua injection flaw.
- Infoblox NetMRI (CVE-2025-32813): A remote unauthenticated command injection flaw that allows an attacker to execute arbitrary commands, potentially leading to unauthorized access.
- Citrix NetScaler ADC (CVE-2025-5777, CVE-2023-4966): Sensitive information disclosure vulnerabilities that leak memory contents. CVE-2025-5777 is known as "CitrixBleed 2" and CVE-2023-4966 is the original "CitrixBleed"; in both cases leaked session material enables remote access session hijacking.
- Akamai CloudTest (CVE-2025-49493): An XML External Entity (XXE) injection that could allow reading local files on the system by manipulating XML input.

Impact
These vulnerabilities affect critical enterprise infrastructure, from file transfer services and network management appliances to application delivery controllers. The Wing FTP RCE and Infoblox command injection flaws offer direct paths to deep system compromise, while the Citrix "CitrixBleed 2" and Akamai XXE vulnerabilities undermine system integrity by enabling session hijacking and sensitive data theft.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 6ab3bd3b58fb4325ac2d3cc73461ec9e | 100804 | BerriAI - SSRF - CVE:CVE-2024-6587 | Log | Log | This is a New Detection |
| Cloudflare Managed Ruleset | 0e17d8761f1a47d5a744a75b5199b58a | 100805 | Wing FTP Server - Remote Code Execution - CVE:CVE-2025-47812 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 81ace5a851214a2f9c58a1e7919a91a4 | 100807 | Infoblox NetMRI - Command Injection - CVE:CVE-2025-32813 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | cd8fa74e8f6f476c9380ae217899130f | 100808 | Citrix Netscaler ADC - Buffer Error - CVE:CVE-2025-5777 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | e012c7bece304a1daf80935ed1cf8e08 | 100809 | Citrix Netscaler ADC - Information Disclosure - CVE:CVE-2023-4966 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 5d348a573a834ffd968faffc6e70469f | 100810 | Akamai CloudTest - XXE - CVE:CVE-2025-49493 | Log | Block | This is a New Detection |

2025/7/21

Security Center - New APIs for Brand Protection setup

The Brand Protection API is now available, allowing users to create new queries, delete existing ones, fetch matches, and more.

What you can do:
- create a new string or logo query
- delete string or logo queries
- download matches for both logo and string queries
- read matches for both logo and string queries

Ready to start? Check out the Brand Protection API in our documentation.

2025/7/18

WAF - WAF Release - 2025-07-14

This week's vulnerability analysis highlights emerging web application threats that exploit modern JavaScript behavior and SQL parsing ambiguities. Attackers continue to refine techniques such as attribute overloading and obfuscated logic manipulation to evade detection and compromise front-end and back-end systems.

Key Findings
- XSS - Attribute Overloading: A cross-site scripting technique where attackers abuse custom or non-standard HTML attributes to smuggle payloads into the DOM. These payloads evade sanitization logic built on a blocklist of known-bad attributes, especially in frameworks that loosely validate attributes or pass unknown tokens through.
- XSS - onToggle Event Abuse: Exploits the lesser-used ontoggle event (fired by elements such as <details>) to execute arbitrary JavaScript when the element is opened or closed. This vector is often overlooked by static analyzers and sanitizers that only strip the common on* handlers, and can be embedded in seemingly benign components.

Impact
These vulnerabilities target both user-facing components and back-end databases, introducing potential vectors for credential theft, session hijacking, or full data exfiltration. The XSS variants bypass conventional filters through overlooked HTML behaviors, while obfuscated SQLi enables attackers to stealthily probe back-end logic, making them especially difficult to detect and block.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | a8918353372b4191b10684eb2aa3d845 | 100798 | XSS - Attribute Overloading | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 31dd299ba375414dac9260c037548d06 | 100799 | XSS - OnToggle | Log | Block | This is a New Detection |
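Why these two vectors slip past a blocklist-style sanitizer and what closes them, as an added example that is not part of the changelog and not Cloudflare's rule logic. The tag/attribute tokenizer is deliberately small (not an HTML parser), and the sample fragments, the blocklist and the allowlist are constructed for the demonstration.

```javascript
// Added example, not code from the changelog or from Cloudflare's rules:
// why an attribute blocklist misses the vectors described above, and the
// allowlist that closes them. The tag/attribute tokenizer is deliberately
// small for the demonstration (it is not an HTML parser), and the sample
// fragments, the blocklist and the allowlist are constructed.

const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)([^<>]*?)(\/?)>/g;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'<>]+))?/g;

// Blocklist: the handlers the author happened to think of.
const KNOWN_HANDLERS = new Set(["onclick", "onload", "onerror", "onmouseover"]);

// Allowlist: attributes with a known, inert meaning; everything else is dropped,
// which is what defeats both an unlisted handler and a smuggled custom attribute.
const SAFE_ATTRS = new Set(["href", "src", "alt", "title", "class", "id", "open"]);

// Rewrite every start tag, keeping only the attributes `keep` approves.
function rewriteAttributes(html, keep) {
  return html.replace(TAG_RE, (whole, close, tag, attrs, selfClose) => {
    if (close) return `</${tag}>`;
    const kept = [];
    for (const [, name, value] of attrs.matchAll(ATTR_RE)) {
      if (keep(name.toLowerCase(), value)) {
        kept.push(value === undefined ? name : `${name}=${value}`);
      }
    }
    const spaced = kept.length ? " " + kept.join(" ") : "";
    return `<${tag}${spaced}${selfClose ? " /" : ""}>`;
  });
}

function blocklistSanitize(html) {
  return rewriteAttributes(html, (name) => !KNOWN_HANDLERS.has(name));
}

function allowlistSanitize(html) {
  return rewriteAttributes(html, (name, value) => {
    if (!SAFE_ATTRS.has(name)) return false;
    // URL-valued attributes get a scheme check so javascript: and data: URLs
    // do not survive the allowlist.
    if ((name === "href" || name === "src") && value !== undefined) {
      const v = value.replace(/^["']|["']$/g, "").trim().toLowerCase();
      return !/^(javascript|data):/.test(v);
    }
    return true;
  });
}

// Does the (sanitized) markup still carry any on* handler attribute?
function hasEventHandler(html) {
  for (const tag of html.matchAll(TAG_RE)) {
    for (const [, name] of tag[3].matchAll(ATTR_RE)) {
      if (/^on[a-z]+$/i.test(name)) return true;
    }
  }
  return false;
}

// Constructed samples of the two vectors.
const SAMPLES = {
  // ontoggle fires when a <details> element opens or closes; `open` makes that
  // happen as soon as the fragment is parsed.
  onToggle: '<details open ontoggle="alert(1)">x</details>',
  // One shape of attribute overloading: the payload rides in a non-standard
  // attribute and is pulled out by a handler the blocklist never named.
  overloaded: '<div data-payload="alert(1)" onanimationstart="eval(this.dataset.payload)">y</div>',
};
```

The blocklist strips `onerror` and `onclick` but passes `ontoggle` and `onanimationstart` untouched, and it has no opinion on `data-payload`; the allowlist drops all three because none of them is a named safe attribute. Production code should apply the same allowlist idea through a real HTML parser rather than regular expressions.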

2025/7/14

WAF - Increased IP List Limits for Enterprise Accounts

We have significantly increased the limits for IP Lists on Enterprise plans to provide greater flexibility and control:
- Total number of lists: increased from 10 to 1,000.
- Total number of list items: increased from 10,000 to 500,000.

Limits for other list types and plans remain unchanged. For more details, refer to the list availability documentation.

2025/7/7

WAF - WAF Release - 2025-07-07

This week's roundup uncovers critical vulnerabilities affecting enterprise VoIP systems, webmail platforms, and a popular JavaScript framework. The risks range from authentication bypass to remote code execution (RCE) and buffer handling flaws, each offering attackers a path to elevate access or fully compromise systems.

Key Findings
- Next.js - Auth Bypass: A newly detected authentication bypass flaw in the Next.js framework allows attackers to access protected routes or APIs without proper authorization, undermining application access controls.
- Fortinet FortiVoice (CVE-2025-32756): A buffer error vulnerability in FortiVoice systems that could lead to memory corruption and potential code execution or service disruption in enterprise telephony environments.
- Roundcube (CVE-2025-49113): A critical RCE flaw in which a crafted request triggers PHP object deserialization, allowing an authenticated attacker to execute arbitrary PHP code and fully compromise the mail server and user inboxes.

Impact
These vulnerabilities affect core business infrastructure, from web interfaces to voice communications and email platforms. The Roundcube RCE and FortiVoice buffer flaw offer potential for deep system access, while the Next.js auth bypass undermines trust boundaries in modern web apps.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | b6558cac8c874bd6878734057eb35ee6 | 100795 | Next.js - Auth Bypass | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 58fcf6d9c05d4b7a8f41e0a3c329aeb0 | 100796 | Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 34ed0624bc864ea88bbea55bab314023 | 100797 | Roundcube - Remote Code Execution - CVE:CVE-2025-49113 | Log | Disabled | This is a New Detection |

2025/7/7

WAF - WAF Release - 2025-06-16

This week's roundup highlights multiple critical vulnerabilities across popular web frameworks, plugins, and enterprise platforms. The focus lies on remote code execution (RCE), server-side request forgery (SSRF), and insecure file upload vectors that enable full system compromise or data exfiltration.

Key Findings
- Cisco IOS XE (CVE-2025-20188): Critical RCE vulnerability enabling unauthenticated attackers to execute arbitrary commands on network infrastructure devices (Wireless LAN Controllers), risking full device compromise.
- Axios (CVE-2024-39338): SSRF flaw in server-side request handling. Path-relative URLs are processed as protocol-relative, so a user-controlled path can redirect a server-side request to an attacker-chosen host when the input is not sanitized.
- vBulletin (CVE-2025-48827, CVE-2025-48828): Two high-impact RCE flaws enabling attackers to remotely execute PHP code, compromising forum installations and underlying web servers.
- Invision Community (CVE-2025-47916): A critical RCE vulnerability allowing authenticated attackers to run arbitrary code in community platforms, threatening data and enabling lateral movement.
- CrushFTP (CVE-2025-32102, CVE-2025-32103): SSRF vulnerabilities in upload endpoint processing permit attackers to pivot to internal network scans and abuse internal services.
- Roundcube (CVE-2025-49113): RCE via PHP object deserialization in request handling, allowing an authenticated attacker to execute code on the mail server; particularly dangerous for webmail deployments.
- WooCommerce WordPress Plugin (CVE-2025-47577): Dangerous file upload vulnerability permits unauthenticated users to upload executable payloads, leading to full WordPress site takeover.
- Cross-Site Scripting (XSS) Detection Improvements: Enhanced detection patterns.

Impact
These vulnerabilities span core systems, from routers to e-commerce to email. RCE in Cisco IOS XE, Roundcube, and vBulletin poses full system compromise. SSRF in Axios and CrushFTP supports internal pivoting, while WooCommerce's file upload bug opens the door to mass WordPress exploitation.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 233bcf0ce50f400989a7e44a35fefd53 | 100783 | Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 9284e3b1586341acb4591bfd8332af5d | 100784 | Axios - SSRF - CVE:CVE-2024-39338 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 2672b175a25548aa8e0107b12e1648d2 | 100785 | vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | b77a19fb053744b49eacdab00edcf1ef | 100786 | Invision Community - Remote Code Execution - CVE:CVE-2025-47916 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | aec2274743064523a9667248d6f5eb48 | 100791 | CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 7b80e1f5575d4d99bb7d56ae30baa18a | 100792 | Roundcube - Remote Code Execution - CVE:CVE-2025-49113 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 52d76f9394494b0382c7cb00229ba236 | 100793 | XSS - Ontoggle | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | d38e657bd43f4d809c28157dfa338296 | 100794 | WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577 | Log | Block | This is a New Detection |

2025/6/16

WAF - WAF Release - 2025-06-09

This week's update spotlights four critical vulnerabilities across CMS platforms, VoIP systems, and enterprise applications. Several flaws enable remote code execution or privilege escalation, posing significant enterprise risks.

Key Findings
- WordPress OttoKit Plugin (CVE-2025-27007): Privilege escalation flaw allows unauthenticated attackers to create or elevate user accounts, compromising WordPress administrative control.
- SAP NetWeaver (CVE-2025-42999): Remote Code Execution vulnerability enables attackers to execute arbitrary code on SAP NetWeaver systems, threatening core ERP and business operations.
- Fortinet FortiVoice (CVE-2025-32756): Buffer error vulnerability may lead to memory corruption and potential code execution, directly impacting enterprise VoIP infrastructure.
- Camaleon CMS (CVE-2024-46986): Remote Code Execution vulnerability allows attackers to gain full control over Camaleon CMS installations, exposing hosted content and underlying servers.

Impact
These vulnerabilities target widely deployed CMS, ERP, and VoIP systems. RCE flaws in SAP NetWeaver and Camaleon CMS allow full takeover of business-critical applications. Privilege escalation in OttoKit exposes WordPress environments to full administrative compromise. FortiVoice buffer handling issues risk destabilizing or fully compromising enterprise telephony systems.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 4afd50a3ef1948bba87c4e620debd86e | 100769 | WordPress OttoKit Plugin - Privilege Escalation - CVE:CVE-2025-27007 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 24134c41c3e940daa973b4b95f57b448 | 100770 | SAP NetWeaver - Remote Code Execution - CVE:CVE-2025-42999 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 4f219ac0be3545a5be5f0bf34df8857a | 100779 | Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | bc8dfbe8cbac4c039725ec743b840107 | 100780 | Camaleon CMS - Remote Code Execution - CVE:CVE-2024-46986 | Log | Block | This is a New Detection |

2025/6/9

WAF - WAF Release - 2025-06-02

This week's roundup highlights five high-risk vulnerabilities affecting SD-WAN, load balancers, and AI platforms. Several flaws enable unauthenticated remote code execution or authentication bypass.

Key Findings
- Versa Concerto SD-WAN (CVE-2025-34026, CVE-2025-34027): Authentication bypass vulnerabilities allow attackers to gain unauthorized access to SD-WAN management interfaces, compromising network segmentation and control.
- Kemp LoadMaster (CVE-2024-7591): Remote Code Execution vulnerability enables attackers to execute arbitrary commands, potentially leading to full device compromise within enterprise load balancing environments.
- AnythingLLM (CVE-2024-0759): Server-Side Request Forgery (SSRF) flaw allows external attackers to force the LLM backend to make unauthorized internal network requests, potentially exposing sensitive internal resources.
- Anyscale Ray (CVE-2023-48022): Remote Code Execution vulnerability affecting distributed AI workloads, allowing attackers to execute arbitrary code on Ray cluster nodes.
- Server-Side Request Forgery (SSRF) - Generic & Obfuscated Payloads: Ongoing advancements in SSRF payload techniques observed, including obfuscated address forms and expanded targeting of cloud metadata services and internal IP ranges.

Impact
These vulnerabilities expose critical infrastructure across networking, AI platforms, and SaaS integrations. Unauthenticated RCE and auth bypass flaws in Versa Concerto, Kemp LoadMaster, and Anyscale Ray allow full system compromise. AnythingLLM and the SSRF payload variants expand attack surfaces into internal cloud resources, sensitive APIs, and metadata services, increasing the risk of privilege escalation, data theft, and persistent access.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 752cfb5e6f9c46f0953c742139b52f02 | 100764 | Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34027 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | a01171de18034901b48a5549a34edb97 | 100765 | Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34026 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 840b35492a7543c18ffe50fc0d99b2db | 100766 | Kemp LoadMaster - Remote Code Execution - CVE:CVE-2024-7591 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 121b7070de3a459dbe80d7ed95aa3a4f | 100767 | AnythingLLM - SSRF - CVE:CVE-2024-0759 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 215417f989e2485a9c50eca0840a0966 | 100768 | Anyscale Ray - Remote Code Execution - CVE:CVE-2023-48022 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 3ed619a17d4141bda3a8c3869d16ee18 | 100781 | SSRF - Generic Payloads | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 7ce73f6a70be49f8944737465c963d9d | 100782 | SSRF - Obfuscated Payloads | N/A | Disabled | This is a New Detection |
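The two SSRF shapes that recur in these entries, the protocol-relative path of the Axios CVE-2024-39338 entry (2025-06-16 release) and the obfuscated internal or metadata addresses of the "SSRF - Generic / Obfuscated Payloads" rules above, written as checks an application can run before issuing a server-side request. This is an added example, not Cloudflare's rule logic and not Axios code; the base URL, sample inputs and blocked ranges are constructed for the demonstration.

```javascript
// Added example, not Cloudflare rule logic or Axios code: the two SSRF shapes
// named in the Axios (CVE-2024-39338) and "SSRF - Generic / Obfuscated
// Payloads" entries, written as checks an application can run before issuing
// a server-side request. The base URL, sample inputs and blocked ranges are
// constructed for the demonstration.

// Resolve a caller-supplied path against the configured base the way an HTTP
// client would, then require the result to stay on the base origin. A "path"
// such as //evil.example/x or /\evil.example/x is protocol-relative once
// parsed, which is the class of bug behind CVE-2024-39338.
function resolveOnBase(baseUrl, userPath) {
  const base = new URL(baseUrl);
  const target = new URL(userPath, base);
  if (target.origin !== base.origin) {
    throw new Error(`path escaped base origin: ${target.origin}`);
  }
  return target.href;
}

// Dotted IPv4 literal to its 32-bit value, or null if it is not one.
function ipv4ToInt(host) {
  const parts = host.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    return null;
  }
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

// Ranges a server-side fetch must never reach: "this" network, loopback,
// RFC 1918, and link-local, where cloud metadata services answer.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function inCidr(ip, [network, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

// Returns the normalized hostname if acceptable, otherwise throws. The WHATWG
// URL parser (Node's URL) already collapses decimal (2852039166), hex
// (0xa9fea9fe), octal (0251.0376.0251.0376) and short (127.1) address forms
// into dotted notation, so the obfuscated payloads fall to the same range
// check as the plain ones. Hostnames that need DNS are returned as-is; the
// resolved address must be checked again at connect time.
function checkHost(rawUrl) {
  let host = new URL(rawUrl).hostname;
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "localhost" || host === "::1" || host === "::") {
    throw new Error(`blocked host: ${host}`);
  }
  let v4 = ipv4ToInt(host);
  // IPv4-mapped IPv6, in either the dotted (::ffff:169.254.169.254) or the
  // hex-group (::ffff:a9fe:a9fe) form, unwraps to the embedded IPv4 address.
  const dotted = host.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
  const hexed = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);
  if (dotted) v4 = ipv4ToInt(dotted[1]);
  else if (hexed) v4 = parseInt(hexed[1], 16) * 65536 + parseInt(hexed[2], 16);
  if (v4 !== null && BLOCKED_V4.some((range) => inCidr(v4, range))) {
    throw new Error(`blocked address: ${host}`);
  }
  return host;
}
```

Doing the range check on the parser's normalized hostname, rather than on the raw string, is what makes the obfuscated forms collapse onto the same rule as `169.254.169.254`; a regex over the raw URL would have to enumerate every encoding separately. The DNS caveat is real: a hostname that resolves to a blocked address (or re-resolves to one after the check) still needs the same test applied to the address the socket actually connects to.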

2025/6/2

WAF - Updated attack score model

We have deployed an updated attack score model that reduces several classes of false positives (FPs). As a result of this improvement, some shifts in observed attack scores are expected.

2025/5/28

SSL/TLS, Cloudflare for SaaS, Secrets Store - Increased limits for Cloudflare for SaaS and Secrets Store free and pay-as-you-go plans

With upgraded limits on all free and paid plans, you can now scale more easily with Cloudflare for SaaS and Secrets Store.

Cloudflare for SaaS allows you to extend the benefits of Cloudflare to your customers via their own custom or vanity domains. The limit for custom hostnames on a Cloudflare for SaaS pay-as-you-go plan has been raised from 5,000 custom hostnames to 50,000 custom hostnames. With custom origin server, previously an Enterprise-only feature, you can route traffic from one or more custom hostnames somewhere other than your default proxy fallback. Custom origin server is now available to Cloudflare for SaaS customers on Free, Pro, and Business plans. You can enable custom origin server on a per-custom-hostname basis via the API or the UI.

Cloudflare Secrets Store, currently in beta with a Workers integration, allows you to store, manage, and deploy account-level secrets from a secure, centralized platform to your Cloudflare Workers. You can now create and deploy 100 secrets per account. Try it out in the dashboard, with Wrangler, or via the API today.

2025/5/27

WAF - WAF Release - 2025-05-27

This week's roundup covers nine vulnerabilities, including six critical RCEs and one dangerous file upload. Affected platforms span cloud services, CI/CD pipelines, CMSs, and enterprise backup systems. Several are now addressed by updated WAF managed rulesets.

Key Findings
- Ingress-Nginx (CVE-2025-1098): Unauthenticated RCE via unsafe annotation handling. Impacts Kubernetes clusters.
- GitHub Actions (CVE-2025-30066): The tj-actions/changed-files supply-chain compromise, in which the action's tags were repointed to malicious code that ran inside workflows and exposed CI secrets. Targets CI/CD pipelines.
- Craft CMS (CVE-2025-32432): Template injection enables unauthenticated RCE. High risk to content-heavy sites.
- F5 BIG-IP (CVE-2025-31644): Command injection reachable through the management interface, allowing full system compromise.
- AJ-Report (CVE-2024-15077): RCE through untrusted template execution. Affects reporting dashboards.
- NAKIVO Backup (CVE-2024-48248): RCE via insecure script injection. High-value target for ransomware.
- SAP NetWeaver (CVE-2025-31324): Dangerous file upload flaw enables remote shell deployment.
- Ivanti EPMM (CVE-2025-4428, CVE-2025-4427): Auth bypass allows full access to mobile device management.
- Vercel (CVE-2025-32421): Information leak via misconfigured APIs. Useful for attacker reconnaissance.

Impact
These vulnerabilities expose critical components across Kubernetes, CI/CD pipelines, and enterprise systems to severe threats including unauthenticated remote code execution, authentication bypass, and information leaks. High-impact flaws in Ingress-Nginx, Craft CMS, F5 BIG-IP, and NAKIVO Backup enable full system compromise, while SAP NetWeaver and AJ-Report allow remote shell deployment and template-based attacks. Ivanti EPMM's auth bypass further risks unauthorized control over mobile device fleets. GitHub Actions and Vercel introduce supply chain and reconnaissance risks, allowing malicious workflow code and data exposure that aid in targeted exploitation. Organizations should prioritize immediate patching, enhance monitoring, and deploy updated WAF and IDS signatures to defend against likely active exploitation.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 6a61a14f44af4232a44e45aad127592a | 100746 | Vercel - Information Disclosure | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | bd30b3c43eb44335ab6013c195442495 | 100754 | AJ-Report - Remote Code Execution - CVE:CVE-2024-15077 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 6a13bd6e5fc94b1d9c97eb87dfee7ae4 | 100756 | NAKIVO Backup - Remote Code Execution - CVE:CVE-2024-48248 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | a4af6f2f15c9483fa9eab01d1c52f6d0 | 100757 | Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1098 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | bd30b3c43eb44335ab6013c195442495 | 100759 | SAP NetWeaver - Dangerous File Upload - CVE:CVE-2025-31324 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | dab2df4f548349e3926fee845366ccc1 | 100760 | Craft CMS - Remote Code Execution - CVE:CVE-2025-32432 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 5eb23f172ed64ee08895e161eb40686b | 100761 | GitHub Action - Remote Code Execution - CVE:CVE-2025-30066 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 827037f2d5f941789efcba6260fc041c | 100762 | Ivanti EPMM - Auth Bypass - CVE:CVE-2025-4428, CVE:CVE-2025-4427 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ddee6d1c4f364768b324609cebafdfe6 | 100763 | F5 Big IP - Remote Code Execution - CVE:CVE-2025-31644 | Log | Disabled | This is a New Detection |

2025/5/27

WAF - WAF Release - 2025-05-19

This week's analysis covers four vulnerabilities, with three rated critical due to their Remote Code Execution (RCE) potential. One targets a high-traffic frontend platform, while another targets a popular content management system. Three of the four detections are now part of the Cloudflare Managed Ruleset in Block mode; the BentoML rule ships disabled.

Key Findings
- Commvault Command Center (CVE-2025-34028) exposes an unauthenticated RCE via insecure command injection paths in the web UI. This is critical due to its use in enterprise backup environments.
- BentoML (CVE-2025-27520) reveals an exploitable vector where serialized payloads in model deployment APIs can lead to arbitrary command execution. This targets modern AI/ML infrastructure.
- Craft CMS (CVE-2024-56145) allows RCE through template injection in unauthenticated endpoints. It poses a significant risk for content-heavy websites with plugin extensions.
- Apache HTTP Server (CVE-2024-38475) involves improper escaping of output in mod_rewrite, which lets an attacker map URLs to filesystem locations the server is permitted to serve but that are not meant to be reachable, resulting in source code disclosure (or code execution in some configurations). While not a direct RCE, the disclosure is useful for pre-attack reconnaissance.

Impact
These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort. The Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 5c3559ad62994e5b932d7d0075129820 | 100745 | Apache HTTP Server - Information Disclosure - CVE:CVE-2024-38475 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 28a22a685bba478d99bc904526a517f1 | 100747 | Commvault Command Center - Remote Code Execution - CVE:CVE-2025-34028 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 2e6bb954d0634e368c49d7d1d7619ccb | 100749 | BentoML - Remote Code Execution - CVE:CVE-2025-27520 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 91250eebec894705b62305b2f15bfda4 | 100753 | Craft CMS - Remote Code Execution - CVE:CVE-2024-56145 | Log | Block | This is a New Detection |

2025/5/19

Security Center - URL Scanner now supports geo-specific scanning

Enterprise customers can now choose the geographic location from which a URL scan is performed, either via Security Center in the Cloudflare dashboard or via the URL Scanner API. This feature gives security teams greater insight into how a website behaves across different regions, helping uncover targeted, location-specific threats.

What's new:
- Location picker: Select a location for the scan via Security Center → Investigate in the dashboard or through the API.
- Region-aware scanning: Understand how content changes by location, which is useful for detecting regionally tailored attacks.
- Default behavior: If no location is set, scans default to the user's current geographic region.

Learn more in the Security Center documentation.

2025/5/8

WAF - Improved Payload Logging for WAF Managed Rules

We have upgraded WAF Payload Logging to enhance rule diagnostics and usability:
- Targeted logging: Logs now capture only the specific portions of requests that triggered WAF rules, rather than entire request segments.
- Visual highlighting: Matched content is visually highlighted in the UI for faster identification.
- Enhanced context: Logs now include surrounding context to make diagnostics more effective.

Payload Logging is available to all Enterprise customers. If you have not used Payload Logging before, check how you can get started.

Note: The structure of the encrypted_matched_data field in Logpush has changed from Map<Field, Value> to Map<Field, {Before: bytes, Content: Value, After: bytes}>. If you rely on this field in your Logpush jobs, you should review and update your processing logic accordingly.
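One way to make Logpush processing tolerant of both shapes of the field, as an added example that is not Cloudflare code. The encrypted_matched_data value is encrypted with the zone's payload-logging key and must be decrypted first (for example with Cloudflare's matched-data-cli); what the functions below receive is the decrypted JSON object. The assumption made here is that the new per-field object carries its keys as `Before`, `Content` and `After`, with `Before`/`After` as base64-encoded bytes; the sample records are constructed.

```javascript
// Added example, not Cloudflare code: handling both shapes of the Logpush
// encrypted_matched_data field described above. The field must already be
// decrypted (for example with Cloudflare's matched-data-cli); these functions
// take the decrypted JSON object. Assumption: the new per-field object uses
// the keys "Before", "Content" and "After", with Before/After as base64 bytes.
// The sample records at the bottom are constructed.

// "bytes" in the new schema: accept a base64 string or an array of byte values.
function decodeBytes(value) {
  if (value === undefined || value === null) return "";
  if (typeof value === "string") return Buffer.from(value, "base64").toString("utf8");
  return Buffer.from(value).toString("utf8");
}

// Normalize one decrypted record into { field, before, match, after } entries,
// whichever schema produced it.
//   old: Map<Field, Value>
//   new: Map<Field, { Before: bytes, Content: Value, After: bytes }>
function normalizeMatchedData(record) {
  const entries = [];
  for (const [field, value] of Object.entries(record)) {
    if (value !== null && typeof value === "object" && "Content" in value) {
      entries.push({
        field,
        before: decodeBytes(value.Before),
        match: String(value.Content),
        after: decodeBytes(value.After),
      });
    } else {
      // Legacy shape: the captured segment is the whole value, with no context.
      entries.push({ field, before: "", match: String(value), after: "" });
    }
  }
  return entries;
}

// Render the excerpt with the matched portion delimited, mirroring the
// highlighting in the dashboard, so an analyst or a SIEM rule sees the
// trigger in context rather than the bare fragment.
function renderExcerpt(entry, open = "[[", close = "]]") {
  return `${entry.field}: ${entry.before}${open}${entry.match}${close}${entry.after}`;
}

// The values a downstream rule should compare against, schema-independent.
// Code written for the old shape that did String(value) on the new objects
// would see "[object Object]" and silently stop matching.
function matchedValues(record) {
  return normalizeMatchedData(record).map((e) => e.match);
}

// Constructed samples of the decrypted payload under both schemas.
const LEGACY_RECORD = {
  "http.request.uri.query": "id=1 UNION SELECT password FROM users",
};
const NEW_RECORD = {
  "http.request.uri.query": {
    Before: Buffer.from("id=1 ").toString("base64"),
    Content: "UNION SELECT",
    After: Buffer.from(" password FROM users").toString("base64"),
  },
};
```

Under the legacy schema the whole captured segment is the match, so `before` and `after` are empty; under the new one only the triggering substring is `Content`, which is why any downstream comparison against full request segments needs to be revisited when the job is migrated.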

2025/5/8

WAF - WAF Release - 2025-05-05

This week's analysis covers five CVEs with varying impact levels. Four are rated critical, while one is rated high severity. Remote Code Execution vulnerabilities dominate this set.

Key Findings
- GFI KerioControl (CVE-2024-52875) contains an unauthenticated Remote Code Execution (RCE) vulnerability that targets firewall appliances. This vulnerability can let attackers gain root-level system access, making this CVE particularly attractive to threat actors.
- The SonicWall SMA vulnerabilities remain concerning due to their continued exploitation since 2021. These critical vulnerabilities in remote access solutions create dangerous entry points to networks.

Impact
Customers using the Managed Ruleset will receive rule coverage following this week's release. Below is a breakdown of the recommended prioritization based on current exploitation trends:
- GFI KerioControl (CVE-2024-52875): highest priority; unauthenticated RCE
- SonicWall SMA (multiple vulnerabilities): critical for network appliances
- XWiki (CVE-2025-24893): high priority for development environments
- Langflow (CVE-2025-3248): important for AI workflow platforms
- MinIO (CVE-2025-31489): important for object storage implementations

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 921660147baa48eaa9151077d0b7a392 | 100724 | GFI KerioControl - Remote Code Execution - CVE:CVE-2024-52875 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | a3900934273b4a488111f810717a9e42 | 100748 | XWiki - Remote Code Execution - CVE:CVE-2025-24893 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 616ad0e03892473191ca1df4e9cf745d | 100750 | SonicWall SMA - Dangerous File Upload - CVE:CVE-2021-20040, CVE:CVE-2021-20041, CVE:CVE-2021-20042 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 1a11fbe84b49451193ee1ee6d29da333 | 100751 | Langflow - Remote Code Execution - CVE:CVE-2025-3248 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 5eb7ed601e6844828b9bdb05caa7b208 | 100752 | MinIO - Auth Bypass - CVE:CVE-2025-31489 | Log | Block | This is a New Detection |

2025/5/5

WAF - WAF Release - 2025-04-26 - Emergency

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 54ea354d7f2d43c69b238d1419fcc883 | 100755 | React.js - Router and Remix Vulnerability - CVE:CVE-2025-43864, CVE:CVE-2025-43865 | Block | Block | This is a New Detection |

2025/4/26

WAF - WAF Release - 2025-04-22

Each of this week's rule releases covers a distinct CVE, with half of the rules targeting Remote Code Execution (RCE) attacks. Of the 6 CVEs covered, four were scored as critical, with the other two scored as high. When deciding which exploits to tackle, Cloudflare tunes into the attackers' areas of focus. Cloudflare's network intelligence provides a unique lens into attacker activity, for instance through the volume of blocked requests related to CVE exploits after updating WAF Managed Rules with new detections. From this week's releases, one indicator that RCE is a "hot topic" attack type is the fact that the Oracle PeopleSoft RCE rule accounts for half of all of the new rule matches. This rule covers CVE-2023-22047, a high-severity vulnerability in the Oracle PeopleSoft suite that allows unauthenticated attackers to access PeopleSoft Enterprise PeopleTools data through remote code execution. This is particularly concerning because of the nature of the data managed by PeopleSoft, which can include payroll records or student profile information. This CVE, along with five others, is addressed with the latest detection update to WAF Managed Rules. Note that all six rules ship in Log mode with the action disabled by default; review the matches in your logs before enabling them.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | faa032d9825e4844a1188f3ba5be3327 | 100738 | GitLab - Auth Bypass - CVE:CVE-2023-7028 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 2e96b6d5cdd94f7782b90e266c9531fa | 100740 | Splunk Enterprise - Remote Code Execution - CVE:CVE-2025-20229 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5c9c095bc1e5411195edb893f40bbc2b | 100741 | Oracle PeopleSoft - Remote Code Execution - CVE:CVE-2023-22047 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 1d7a3932296c42fd827055335462167c | 100742 | CrushFTP - Auth Bypass - CVE:CVE-2025-31161 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 5eb7ed601e6844828b9bdb05caa7b208 | 100743 | Ivanti - Buffer Error - CVE:CVE-2025-22457 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 410317f1e32b41859fa3214dd52139a8 | 100744 | Oracle Access Manager - Remote Code Execution - CVE:CVE-2021-35587 | Log | Disabled | This is a New Detection |

2025/4/22

WAF - WAF Release - 2025-04-14

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 9209bb65527f4c088bca5ffad6b2d36c | 100739A | Next.js - Auth Bypass - CVE:CVE-2025-29927 - 2 | Log | Disabled | This is a New Detection |

2025/4/14

Secrets Store, SSL/TLS - Cloudflare Secrets Store now available in Beta

Cloudflare Secrets Store is available today in Beta. You can now store, manage, and deploy account-level secrets from a secure, centralized platform to your Workers.

To spin up your Cloudflare Secrets Store, simply click the new Secrets Store tab in the dashboard or use this Wrangler command:

```sh
wrangler secrets-store store create <name> --remote
```

The following are supported in the Secrets Store beta:
- Secrets Store UI & API: create your store; create, duplicate, update, scope, and delete a secret
- Workers UI: bind a new or existing account-level secret to a Worker and deploy in code
- Wrangler: create your store; create, duplicate, update, scope, and delete a secret
- Account Management UI & API: assign Secrets Store permission roles and view audit logs for actions taken in the Secrets Store core platform

For instructions on how to get started, visit our developer documentation.

2025/4/9

WAF - WAF Release - 2025-04-02

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 8b8074e73b7d4aba92fc68f3622f0483 | 100732 | Sitecore - Code Injection - CVE:CVE-2025-27218 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 8350947451a1401c934f5e660f101cca | 100733 | Angular-Base64-Upload - Remote Code Execution - CVE:CVE-2024-42640 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | a9ec9cf625ff42769298671d1bbcd247 | 100734 | Apache Camel - Remote Code Execution - CVE:CVE-2025-29891 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 3d6bf99039b54312a1a2165590aea1ca | 100735 | Progress Software WhatsUp Gold - Remote Code Execution - CVE:CVE-2024-4885 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | d104e3246dc14ac7851b4049d9d8c5f2 | 100737 | Apache Tomcat - Remote Code Execution - CVE:CVE-2025-24813 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 21c7a963e1b749e7b1753238a28a42c4 | 100659 | Common Payloads for Server-side Template Injection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | 887843ffbe90436dadd1543adaa4b037 | 100659 | Common Payloads for Server-side Template Injection - Base64 | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | 3565b80fc5b541b4832c0fc848f6a9cf | 100642 | LDAP Injection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | 44d7bf9bf0fa4898b8579573e0713e9f | 100642 | LDAP Injection Base64 | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | e35c9a670b864a3ba0203ffb1bc977d1 | 100005 | DotNetNuke - File Inclusion - CVE:CVE-2018-9126, CVE:CVE-2011-1892, CVE:CVE-2022-31474 | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | cd8db44032694fdf8d6e22c1bb70a463 | 100527 | Apache Struts - CVE:CVE-2021-31805 | N/A | Block | N/A |
| Cloudflare Managed Ruleset | 0d838d9ab046443fa3f8b3e50c99546a | 100702 | Command Injection - CVE:CVE-2022-24108 | N/A | Block | N/A |
| Cloudflare Managed Ruleset | 533fbad558ce4c5ebcf013f09a5581d0 | 100622C | Ivanti - Command Injection - CVE:CVE-2023-46805, CVE:CVE-2024-21887, CVE:CVE-2024-22024 | N/A | Block | N/A |
| Cloudflare Managed Ruleset | 04176552f62f4b75bf65981206d0b009 | 100536C | GraphQL Command Injection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | 25883bf28575433c952b830c1651d0c8 | 100536 | GraphQL Injection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | 7b70da1bb8d243bd80cd7a73af00f61d | 100536A | GraphQL Introspection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | 58c4853c250946359472b7eaa41e5b67 | 100536B | GraphQL SSRF | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | 1c241ed5f5bd44b19e17476b433e5b3d | 100559A | Prototype Pollution - Common Payloads | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | af748489e1c2411d80d855954816b26f | 100559A | Prototype Pollution - Common Payloads - Base64 | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ccc47ab7e34248c09546c284fcea5ed2 | 100734 | Apache Camel - Remote Code Execution - CVE:CVE-2025-29891 | N/A | Disabled | N/A |

2025/4/2

WAF - WAF Release - 2025-03-22 - Emergency

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 34583778093748cc83ff7b38f472013e | 100739 | Next.js - Auth Bypass - CVE:CVE-2025-29927 | N/A | Disabled | This is a New Detection |

2025/3/22

Workers, Pages, WAF - New Managed WAF rule for Next.js CVE-2025-29927.

Update: Mon Mar 24th, 11PM UTC: Next.js has made further changes to address a smaller vulnerability introduced in the patches made to its middleware handling. Users should upgrade to Next.js versions 15.2.4, 14.2.26, 13.5.10 or 12.3.6. If you are unable to immediately upgrade or are running an older version of Next.js, you can enable the WAF rule described in this changelog as a mitigation.

Update: Mon Mar 24th, 8PM UTC: Next.js has now backported the patch for this vulnerability to cover Next.js v12 and v13. Users on those versions will need to patch to 13.5.9 and 12.3.5 (respectively) to mitigate the vulnerability.

Update: Sat Mar 22nd, 4PM UTC: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests. We strongly recommend updating your version of Next.js (if eligible) to the patched versions, as your app will otherwise be vulnerable to an authentication bypass attack regardless of auth provider.

Enable the Managed Rule (strongly recommended)

This rule is opt-in only for sites on the Pro plan or above in the WAF managed ruleset. To enable the rule:

1. Head to Security > WAF > Managed rules in the Cloudflare dashboard for the zone (website) you want to protect.
2. Click the three dots next to Cloudflare Managed Ruleset and choose Edit.
3. Scroll down and choose Browse Rules.
4. Search for CVE-2025-29927 (ruleId: 34583778093748cc83ff7b38f472013e).
5. Change the Status to Enabled and the Action to Block. You can optionally set the rule to Log, to validate potential impact before enabling it. Log will not block requests.
6. Click Next.
7. Scroll down and choose Save.

This will enable the WAF rule and block requests with the x-middleware-subrequest header regardless of Next.js version.

Create a WAF rule (manual)

For users on the Free plan, or who want to define a more specific rule, you can create a Custom WAF rule to block requests with the x-middleware-subrequest header regardless of Next.js version. To create a custom rule:

1. Head to Security > WAF > Custom rules in the Cloudflare dashboard for the zone (website) you want to protect.
2. Give the rule a name, e.g. next-js-CVE-2025-29927.
3. Set the matching parameters for the rule to match any request where the x-middleware-subrequest header exists, per the rule expression below:

(len(http.request.headers["x-middleware-subrequest"]) > 0)

4. Set the action to 'block'. If you want to observe the impact before blocking requests, set the action to 'log' (and edit the rule later).
5. Deploy the rule.

Next.js CVE-2025-29927

We've made a WAF (Web Application Firewall) rule available to all sites on Cloudflare to protect against the Next.js authentication bypass vulnerability (CVE-2025-29927) published on March 21st, 2025. Note: This rule is not enabled by default as it blocked requests across sites for specific authentication middleware.

This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere. This rule has been made available (but not enabled by default) to all sites as part of our WAF Managed Ruleset and blocks requests that attempt to bypass authentication in Next.js applications.

The vulnerability affects almost all Next.js versions, and has been fully patched in Next.js 14.2.26 and 15.2.4. Earlier, interim releases did not fully patch this vulnerability. Users on older versions of Next.js (11.1.4 to 13.5.6) did not originally have a patch available, but the patch for this vulnerability and a subsequent additional patch have been backported to Next.js versions 12.3.6 and 13.5.10 as of Monday, March 24th. Users on Next.js v11 will need to deploy the stated workaround or enable the WAF rule.

The managed WAF rule mitigates this by blocking external user requests with the x-middleware-subrequest header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation.
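The changelog recommends running the custom rule in 'log' mode first to see what it would have blocked. The following is an added example, not Cloudflare's code: an offline simulation of the rule expression above run over constructed sample traffic, so the log-mode and block-mode outcomes can be compared before the rule is deployed to a zone. It relies on the fact that in the Cloudflare rules language `http.request.headers` maps lowercase header names to the list of values sent under that name, so `len(...) > 0` is true whenever the header is present at all; the sample requests and the summary format are constructed for this example.

```javascript
// Added example, not Cloudflare's code: offline simulation of the custom rule
//   (len(http.request.headers["x-middleware-subrequest"]) > 0)
// so that the effect of "log" versus "block" can be checked against sample traffic.
//
// In the rules language http.request.headers maps lowercase header names to the
// list of values sent, so len(...) > 0 holds whenever the header is present,
// whatever its value. The simulation reproduces that behaviour.

const RULE_NAME = "next-js-CVE-2025-29927"; // name suggested in the changelog
const HEADER = "x-middleware-subrequest";

// Normalise a request's headers the way the rules language sees them: lowercase
// names, each mapped to every value sent under that name.
function headerMap(headers) {
  const map = new Map();
  for (const [name, value] of headers) {
    const key = name.toLowerCase();
    if (!map.has(key)) map.set(key, []);
    map.get(key).push(value);
  }
  return map;
}

// Equivalent of:  len(http.request.headers["x-middleware-subrequest"]) > 0
function ruleMatches(request) {
  const values = headerMap(request.headers).get(HEADER) ?? [];
  return values.length > 0;
}

// What happens to one request under the rule for a given action mode.
//   "log"   -> request passes, but the match is recorded (validation phase)
//   "block" -> request is rejected
function evaluate(request, action) {
  if (!ruleMatches(request)) return { action: "allow", logged: false };
  return action === "block"
    ? { action: "block", logged: true }
    : { action: "allow", logged: true };
}

// Run the rule over a batch and summarise, which is what you would read off
// Security Events after a period in log mode.
function summarise(requests, action) {
  const summary = { total: requests.length, matched: 0, blocked: 0, allowed: 0 };
  for (const req of requests) {
    const r = evaluate(req, action);
    if (r.logged) summary.matched++;
    if (r.action === "block") summary.blocked++;
    else summary.allowed++;
  }
  return summary;
}

// Constructed sample traffic; header names are mixed-case on purpose to show
// that matching does not depend on the case the client used.
const sampleTraffic = [
  { path: "/dashboard", headers: [["Accept", "text/html"]] },
  { path: "/dashboard", headers: [["X-Middleware-Subrequest", "x"]] },
  { path: "/api/me", headers: [["x-middleware-subrequest", "1"], ["Accept", "*/*"]] },
  { path: "/login", headers: [["Cookie", "session=abc"]] },
];

console.log(RULE_NAME, "log  :", summarise(sampleTraffic, "log"));
console.log(RULE_NAME, "block:", summarise(sampleTraffic, "block"));
```

In log mode every request still reaches the origin and the `matched` count is the number of requests that would have been rejected; once that count contains only traffic you are prepared to lose, switch the action to block.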

2025/3/22

WAF - WAF Release - 2025-03-19 - Emergency

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 470b477e27244fddb479c4c7a2cafae7 | 100736 | Generic HTTP Request Smuggling | N/A | Disabled | This is a New Detection |

2025/3/19

API Shield - New API Posture Management for API Shield

Now, API Shield automatically labels your API inventory with API-specific risks so that you can track and manage risks to your APIs. View these risks in Endpoint Management by label, or in Security Center Insights.

API Shield will scan for risks on your API inventory daily. Here are the new risks we're scanning for and automatically labelling:

- cf-risk-sensitive: applied if the customer is subscribed to the sensitive data detection ruleset and the WAF detects sensitive data returned on an endpoint in the last seven days.
- cf-risk-missing-auth: applied if the customer has configured a session ID and no successful requests to the endpoint contain the session ID.
- cf-risk-mixed-auth: applied if the customer has configured a session ID and some successful requests to the endpoint contain the session ID while some lack the session ID.
- cf-risk-missing-schema: added when a learned schema is available for an endpoint that has no active schema.
- cf-risk-error-anomaly: added when an endpoint experiences a recent increase in response errors over the last 24 hours.
- cf-risk-latency-anomaly: added when an endpoint experiences a recent increase in response latency over the last 24 hours.
- cf-risk-size-anomaly: added when an endpoint experiences a spike in response body size over the last 24 hours.

In addition, API Shield has two new 'beta' scans for Broken Object Level Authorization (BOLA) attacks. If you're in the beta, you will see the following two labels when API Shield suspects an endpoint is suffering from a BOLA vulnerability:

- cf-risk-bola-enumeration: added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions.
- cf-risk-bola-pollution: added when an endpoint experiences successful responses where parameters are found in multiple places in the request.

We are currently accepting more customers into our beta. Contact your account team if you are interested in BOLA attack detection for your API. Refer to the blog post for more information about Cloudflare's expanded posture management capabilities.
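To make the auth-related labels concrete, the following is an added example, not Cloudflare's code, that derives cf-risk-missing-auth and cf-risk-mixed-auth from a batch of constructed request records using the definitions above, and adds an error-rate comparison in the spirit of cf-risk-error-anomaly. Everything not stated in the changelog is an assumption made here: the session ID is a cookie named `session`, a successful request is one with a 2xx or 3xx status, and the error anomaly fires when the last-24-hour error rate is at least 10% and more than double the previous 24 hours' rate.

```javascript
// Added example, not Cloudflare's code: computing API Shield-style risk labels
// from request records. Assumptions (not from the changelog): session ID is the
// "session" cookie, success = 2xx/3xx, and the error anomaly threshold below.

const SESSION_COOKIE = "session";              // assumption: configured session ID
const DAY_MS = 24 * 60 * 60 * 1000;
const ERROR_RATE_FLOOR = 0.1;                  // assumption: ignore tiny error rates

function hasSessionId(record) {
  const cookie = record.headers.cookie ?? "";
  return cookie.split(";").some(part => part.trim().startsWith(`${SESSION_COOKIE}=`));
}

function isSuccess(record) {
  return record.status >= 200 && record.status < 400;
}

function errorRate(records) {
  return records.length === 0 ? 0 : records.filter(r => !isSuccess(r)).length / records.length;
}

// Group records by endpoint (method + path template) and derive labels per endpoint.
function labelEndpoints(records, now) {
  const byEndpoint = new Map();
  for (const r of records) {
    const key = `${r.method} ${r.endpoint}`;
    if (!byEndpoint.has(key)) byEndpoint.set(key, []);
    byEndpoint.get(key).push(r);
  }
  const labels = {};
  for (const [key, recs] of byEndpoint) {
    const found = [];
    const ok = recs.filter(isSuccess);
    const withSession = ok.filter(hasSessionId).length;
    // missing-auth: successful requests exist and none carry the session ID
    if (ok.length > 0 && withSession === 0) found.push("cf-risk-missing-auth");
    // mixed-auth: some successful requests carry it, some do not
    else if (withSession > 0 && withSession < ok.length) found.push("cf-risk-mixed-auth");
    // error-anomaly: last 24h error rate versus the 24h before it
    const recent = recs.filter(r => now - r.ts < DAY_MS);
    const prior = recs.filter(r => now - r.ts >= DAY_MS && now - r.ts < 2 * DAY_MS);
    const recentRate = errorRate(recent);
    if (recentRate >= ERROR_RATE_FLOOR && recentRate > 2 * errorRate(prior)) {
      found.push("cf-risk-error-anomaly");
    }
    labels[key] = found;
  }
  return labels;
}

// Constructed sample records. NOW is fixed so the example is deterministic.
const NOW = 1_700_000_000_000;
function rec(method, endpoint, status, cookie, hoursAgo) {
  return { method, endpoint, status, headers: cookie ? { cookie } : {}, ts: NOW - hoursAgo * 3600 * 1000 };
}
const sampleRecords = [
  // orders: always authenticated, but errors appeared in the last 24h
  rec("GET", "/api/orders/{id}", 200, "session=a1", 30),
  rec("GET", "/api/orders/{id}", 200, "session=b2", 28),
  rec("GET", "/api/orders/{id}", 200, "session=c3", 26),
  rec("GET", "/api/orders/{id}", 200, "session=d4", 25),
  rec("GET", "/api/orders/{id}", 500, "session=a1", 5),
  rec("GET", "/api/orders/{id}", 500, "session=b2", 4),
  rec("GET", "/api/orders/{id}", 200, "session=c3", 3),
  rec("GET", "/api/orders/{id}", 200, "session=d4", 2),
  // status: no session ID on any successful request
  rec("GET", "/api/status", 200, null, 10),
  rec("GET", "/api/status", 200, null, 9),
  rec("GET", "/api/status", 200, null, 8),
  // profile: most requests carry a session, one succeeds without it
  rec("POST", "/api/profile", 200, "session=a1", 7),
  rec("POST", "/api/profile", 200, "session=b2", 6),
  rec("POST", "/api/profile", 200, null, 5),
];

console.log(labelEndpoints(sampleRecords, NOW));
```

The mixed-auth case is the one worth acting on first: a write endpoint that sometimes succeeds without a session is the classic sign of an authorization check that is applied in one code path and skipped in another.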

2025/3/18

WAF - WAF Release - 2025-03-17

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 28b2a12993a04e62a98abcd9e59ec18a | 100725 | Fortinet FortiManager - Remote Code Execution - CVE:CVE-2023-42791, CVE:CVE-2024-23666 | Log | Block | |
| Cloudflare Managed Ruleset | f253d755910e4998bd90365d1dbf58df | 100726 | Ivanti - Remote Code Execution - CVE:CVE-2024-8190 | Log | Block | |
| Cloudflare Managed Ruleset | 19ae0094a8d845a1bb1997af0ad61fa7 | 100727 | Cisco IOS XE - Remote Code Execution - CVE:CVE-2023-20198 | Log | Block | |
| Cloudflare Managed Ruleset | 83a677f082264693ad64a2827ee56b66 | 100728 | Sitecore - Remote Code Execution - CVE:CVE-2024-46938 | Log | Block | |
| Cloudflare Managed Ruleset | 166b7ce85ce443538f021228a6752a38 | 100729 | Microsoft SharePoint - Remote Code Execution - CVE:CVE-2023-33160 | Log | Block | |
| Cloudflare Managed Ruleset | 35fe23e7bd324d00816c82d098d47b69 | 100730 | Pentaho - Template Injection - CVE:CVE-2022-43769, CVE:CVE-2022-43939 | Log | Block | |
| Cloudflare Managed Ruleset | 2ce80fe815254f25b3c8f47569fe1e0d | 100700 | Apache SSRF vulnerability CVE-2021-40438 | N/A | Block | |

2025/3/17

WAF - WAF Release - 2025-03-11 - Emergency

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 0823d16dd8b94cc6b27a9ab173febb31 | 100731 | Apache Camel - Code Injection - CVE:CVE-2025-27636 | N/A | Block | This is a New Detection |

2025/3/11

WAF - WAF Release - 2025-03-10

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | d4f68c1c65c448e58fe4830eb2a51e3d | 100722 | Ivanti - Information Disclosure - CVE:CVE-2025-0282 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | fda130e396224ffc9f0a9e72259073d5 | 100723 | Cisco IOS XE - Information Disclosure - CVE:CVE-2023-20198 | Log | Block | This is a New Detection |

2025/3/10

WAF - Updated leaked credentials database

Added new records to the leaked credentials database. The record sources are: Have I Been Pwned (HIBP) database, RockYou 2024 dataset, and another third-party database.

2025/3/7

WAF - WAF Release - 2025-03-03

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 90356ececae3444b9accb3d393e63099 | 100721 | Ivanti - Remote Code Execution - CVE:CVE-2024-13159, CVE:CVE-2024-13160, CVE:CVE-2024-13161 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 6cf09ce2fa73482abb7f677ecac42ce2 | 100596 | Citrix Content Collaboration ShareFile - Remote Code Execution - CVE:CVE-2023-24489 | N/A | Block | |

2025/3/3

WAF - WAF Release - 2025-02-24

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | f7b9d265b86f448989fb0f054916911e | 100718A | SonicWall SSLVPN 2 - Auth Bypass - CVE:CVE-2024-53704 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 77c13c611d2a4fa3a89c0fafc382fdec | 100720 | Palo Alto Networks - Auth Bypass - CVE:CVE-2025-0108 | Log | Block | This is a New Detection |

2025/2/24

WAF - WAF Release - 2025-02-18

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | d1d45e4f59014f0fb22e0e6aa2ffa4b8 | 100715 | FortiOS - Auth Bypass - CVE:CVE-2024-55591 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 14b5cdeb4cde490ba37d83555a883e12 | 100716 | Ivanti - Auth Bypass - CVE:CVE-2021-44529 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 498fcd81a62a4b5ca943e2de958094d3 | 100717 | SimpleHelp - Auth Bypass - CVE:CVE-2024-57727 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 6e0d8afc36ba4ce9836f81e63b66df22 | 100718 | SonicWall SSLVPN - Auth Bypass - CVE:CVE-2024-53704 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 8eb4536dba1a4da58fbf81c79184699f | 100719 | Yeti Platform - Auth Bypass - CVE:CVE-2024-46507 | Log | Block | This is a New Detection |

2025/2/18

WAF - WAF Release - 2025-02-11

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 742306889c2e4f6087de6646483b4c26 | 100708 | Aviatrix Network - Remote Code Execution - CVE:CVE-2024-50603 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 042228dffe0a4f1587da0e737e924ca3 | 100709 | Next.js - Remote Code Execution - CVE:CVE-2024-46982 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | 2a12278325464d6682afb53483a7d8ff | 100710 | Progress Software WhatsUp Gold - Directory Traversal - CVE:CVE-2024-12105 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 82ce3424fbe84e9e99d77332baa8eb34 | 100711 | WordPress - Remote Code Execution - CVE:CVE-2024-56064 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 5afacd39dcfd42f89a6c43f787f5d34e | 100712 | WordPress - Remote Code Execution - CVE:CVE-2024-9047 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | 05842b06f0a4415880b58f7fbf72cf8a | 100713 | FortiOS - Auth Bypass - CVE:CVE-2022-40684 | Log | Block | This is a New Detection |

2025/2/11

WAF - Updated leaked credentials database

Added new records to the leaked credentials database from a third-party database.

2025/2/4

WAF - WAF Release - 2025-01-21

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | f4a310393c564d50bd585601b090ba9a | 100303 | Command Injection - Nslookup | Log | Block | This was released as aad6f9f85e034022b6a8dee4b8d152f4 |
| Cloudflare Managed Ruleset | fd5d5678ce594ea898aa9bf149e6b538 | 100534 | Web Shell Activity | Log | Block | This was released as 39c8f6066c19466ea084e51e82fe4e7f |

2025/1/21

WAF - WAF Release - 2025-01-13

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 6e0bfbe4b9c6454c8bd7bd24f49e5840 | 100704 | Cleo Harmony - Auth Bypass - CVE:CVE-2024-55956, CVE:CVE-2024-55953 | Log | Block | New Detection |
| Cloudflare Managed Ruleset | c993997b7d904a9e89448fe6a6d43bc2 | 100705 | Sentry - SSRF | Log | Block | New Detection |
| Cloudflare Managed Ruleset | f40ce742be534ba19d610961ce6311bb | 100706 | Apache Struts - Remote Code Execution - CVE:CVE-2024-53677 | Log | Block | New Detection |
| Cloudflare Managed Ruleset | 67ac639a845c482d948b465b2233da1f | 100707 | FortiWLM - Remote Code Execution - CVE:CVE-2023-48782, CVE:CVE-2023-34993, CVE:CVE-2023-34990 | Log | Block | New Detection |
| Cloudflare Managed Ruleset | 870cca2b874d41738019d4c3e31d972a | 100007C_BETA | Command Injection - Common Attack Commands | | Disabled | |

2025/1/13

WAF - WAF Release - 2025-01-06

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Specials | 3a321b10270b42549ac201009da08beb | 100678 | Pandora FMS - Remote Code Execution - CVE:CVE-2024-11320 | Log | Block | New Detection |
| Cloudflare Specials | 1fe510368b4a47dda90363c2ecdf3d02 | 100679 | Palo Alto Networks - Remote Code Execution - CVE:CVE-2024-0012, CVE:CVE-2024-9474 | Log | Block | New Detection |
| Cloudflare Specials | b7ba636927b44ee288b9a697a40f2a35 | 100680 | Ivanti - Command Injection - CVE:CVE-2024-37397 | Log | Block | New Detection |
| Cloudflare Specials | 6bd9b07c8acc4beeb17c8bee58ae3c89 | 100681 | Really Simple Security - Auth Bypass - CVE:CVE-2024-10924 | Log | Block | New Detection |
| Cloudflare Specials | c86e79e15a4a4307870f6f77e37f2da6 | 100682 | Magento - XXE - CVE:CVE-2024-34102 | Log | Block | New Detection |
| Cloudflare Specials | 945f41b48be9485f953116015054c752 | 100683 | CyberPanel - Remote Code Execution - CVE:CVE-2024-51567 | Log | Block | New Detection |
| Cloudflare Specials | aec9a2e554a34a8fa547d069dfe93d7b | 100684 | Microsoft SharePoint - Remote Code Execution - CVE:CVE-2024-38094, CVE:CVE-2024-38024, CVE:CVE-2024-38023 | Log | Block | New Detection |
| Cloudflare Specials | e614dd46c1ce404da1909e841454c856 | 100685 | CyberPanel - Remote Code Execution - CVE:CVE-2024-51568 | Log | Block | New Detection |
| Cloudflare Specials | 685a4edf68f740b4a2c80d45e92362e5 | 100686 | Seeyon - Remote Code Execution | Log | Block | New Detection |
| Cloudflare Specials | 204f9d948a124829acb86555b9f1c9f8 | 100687 | WordPress - Remote Code Execution - CVE:CVE-2024-10781, CVE:CVE-2024-10542 | Log | Block | New Detection |
| Cloudflare Specials | 19587024724e49329d5b482d0d7ca374 | 100688 | ProjectSend - Remote Code Execution - CVE:CVE-2024-11680 | Log | Block | New Detection |
| Cloudflare Specials | fa49213e55484f6c824e0682a5260b70 | 100689 | Palo Alto GlobalProtect - Remote Code Execution - CVE:CVE-2024-5921 | Log | Block | New Detection |
| Cloudflare Specials | 11b5fc23e85b41ca90316bddd007118b | 100690 | Ivanti - Remote Code Execution - CVE:CVE-2024-37404 | Log | Block | New Detection |
| Cloudflare Specials | aaeada52bcc840598515de6cc3e49f64 | 100691 | Array Networks - Remote Code Execution - CVE:CVE-2023-28461 | Log | Block | New Detection |
| Cloudflare Specials | e2c7ce1ecd6847219f8d9aedfcc6f5bb | 100692 | CyberPanel - Remote Code Execution - CVE:CVE-2024-51378 | Log | Block | New Detection |
| Cloudflare Specials | 84d481b1f49c4735afa2fb2bb615335e | 100693 | Symfony Profiler - Auth Bypass - CVE:CVE-2024-50340 | Log | Block | New Detection |
| Cloudflare Specials | 9f258f463f9f4b26ad07e3c209d08c8a | 100694 | Citrix Virtual Apps - Remote Code Execution - CVE:CVE-2024-8069 | Log | Block | New Detection |
| Cloudflare Specials | b490d6edcfec4028aef45cf08aafb2f5 | 100695 | MSMQ Service - Remote Code Execution - CVE:CVE-2023-21554 | Log | Block | New Detection |
| Cloudflare Specials | c8f65bc9eeef4665820ecfe411b7a8c7 | 100696 | Nginxui - Remote Code Execution - CVE:CVE-2024-49368 | Log | Block | New Detection |
| Cloudflare Specials | d5f2e133e34640198d06d7b345954c7e | 100697 | Apache ShardingSphere - Remote Code Execution - CVE:CVE-2022-22733 | Log | Block | New Detection |
| Cloudflare Specials | c34432e257074cffa9fa15f3f5311209 | 100698 | Mitel MiCollab - Auth Bypass - CVE:CVE-2024-41713 | Log | Block | New Detection |
| Cloudflare Specials | 3bda15acd73a4b55a5f60cd2b3e5e46e | 100699 | Apache Solr - Auth Bypass - CVE:CVE-2024-45216 | Log | Block | New Detection |

2025/1/6

WAF - Improved VPN Managed List

Customers can now effectively manage incoming traffic identified as originating from VPN IPs. Customers with compliance restrictions can now ensure compliance with local laws and regulations. Customers with CDN restrictions can use the improved VPN Managed List to prevent unauthorized access from users attempting to bypass geographical restrictions. With the new VPN Managed List enhancements, customers can improve their overall security posture to reduce exposure to unwanted or malicious traffic.

2024/12/18

WAF - Change the order of list items in IP Lists (for API and Terraform users)

Due to changes in the API implementation, the order of list items in an IP list obtained via API or Terraform may change, which may cause Terraform to detect a change in Terraform state. To fix this issue, resync the Terraform state or upgrade the version of your Terraform Cloudflare provider to version 4.44.0 or later.

2024/12/10

WAF - Security Events pagination

Fixed an issue with pagination in Security Events' sampled logs where some pages were missing data. Also removed the total count from the events log as these are only sampled logs.

2024/11/14

WAF - New table in Security Analytics and Security Events

Switched to a new, more responsive table in Security Analytics and Security Events.

2024/11/4

WAF - Fixed occasional attack score mismatches

Fixed an issue causing score mismatches between the global WAF attack score and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives.

2024/8/29

WAF - Improved detection capabilities

WAF attack score now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers).
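The reason decoding matters is that a detector which only inspects the raw request text misses a payload that was wrapped in Base64 or written with JavaScript Unicode escapes. The following is an added example, not Cloudflare's code and not how WAF attack score is implemented: a small normaliser that undoes both encodings (repeatedly, with a bound) and a toy marker check run on the raw and on the normalised text, so the difference is visible on constructed inputs. The decoding heuristics (what counts as a Base64 candidate, how many rounds) and the markers are assumptions chosen for illustration.

```javascript
// Added example, not Cloudflare's code: normalise Base64 and JavaScript escape
// encodings before inspecting request text. Heuristics here are illustrative only.

// Decode JavaScript-style escapes: \u{1F600}, \u003c and \x3c.
function decodeJsEscapes(s) {
  return s
    .replace(/\\u\{([0-9a-fA-F]{1,6})\}/g, (m, h) => {
      const cp = parseInt(h, 16);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m; // leave invalid code points alone
    })
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Replace Base64-looking tokens (8+ chars from the Base64 alphabet, optional padding)
// with their decoded text when the result is printable ASCII; otherwise keep the token.
function decodeBase64Tokens(s) {
  return s.replace(/[A-Za-z0-9+/]{8,}={0,2}/g, tok => {
    if (tok.replace(/=+$/, "").length % 4 === 1) return tok; // impossible Base64 length
    const out = Buffer.from(tok, "base64").toString("utf8");
    return /^[\x20-\x7e\s]+$/.test(out) ? out : tok;
  });
}

// Apply both decoders until the text stops changing, bounded to avoid decode loops.
function normalise(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeBase64Tokens(decodeJsEscapes(cur));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Toy markers: a comment-form body has no business containing these. Real attack
// scoring uses far more signals; this only shows what normalisation changes.
const MARKERS = [/<script\b/i, /\bonerror\s*=/i];
function suspicious(s) {
  return MARKERS.some(re => re.test(s));
}

// Inspect a field both ways so the two verdicts can be compared.
function score(rawField) {
  return { raw: suspicious(rawField), normalised: suspicious(normalise(rawField)) };
}

// Constructed sample inputs: plain text, escape-wrapped, Base64-wrapped, and
// escape-wrapped inside Base64 (needs two rounds).
const samples = {
  plain: "hello world",
  escaped: "\\u003cscript\\u003ealert(1)\\u003c/script\\u003e",
  base64: Buffer.from("<script>alert(1)</script>").toString("base64"),
  nested: Buffer.from("\\u003cscript\\u003e").toString("base64"),
};

for (const [name, value] of Object.entries(samples)) {
  console.log(name, score(value));
}
```

The raw verdict is false for every encoded sample and true only after normalisation; the nested case shows why decoding has to be iterated rather than applied once.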

2024/5/23