All Topics
All Topics
Technology
Technology
AI
AI
Business
Business
Entertainment
Entertainment
News
News
Programming
Programming
Security
Security
Science
Science
Design
Design
Environment
Environment
Finance
Finance
Crypto
Crypto
Politics
Politics
Sports
Sports
Education
Education
Gaming
Gaming
Art
Art
Music
Music
Health
Health
Books
Books
Food
Food
Travel
Travel
Personal
Personal
Bluesky
Twitter

WAF - WAF Release - 2025-06-16

1y ago

Source

CloudflareWAF - WAF Release - 2025-06-16cloudflare.com
Snippet from the RSS feed
This week’s roundup highlights multiple critical vulnerabilities across popular web frameworks, plugins, and enterprise platforms. The focus lies on remote code execution (RCE), server-side request forgery (SSRF), and insecure file upload vectors that enable full system compromise or data exfiltration. Key Findings Cisco IOS XE (CVE-2025-20188): Critical RCE vulnerability enabling unauthenticated attackers to execute arbitrary commands on network infrastructure devices, risking total router compromise. Axios (CVE-2024-39338): SSRF flaw impacting server-side request control, allowing attackers to manipulate internal service requests when misconfigured with unsanitized user input. vBulletin (CVE-2025-48827, CVE-2025-48828): Two high-impact RCE flaws enabling attackers to remotely execute PHP code, compromising forum installations and underlying web servers. Invision Community (CVE-2025-47916): A critical RCE vulnerability allowing authenticated attackers to run arbitrary code in community platforms, threatening data and lateral movement risk. CrushFTP (CVE-2025-32102, CVE-2025-32103): SSRF vulnerabilities in upload endpoint processing permit attackers to pivot internal network scans and abuse internal services. Roundcube (CVE-2025-49113): RCE via email processing enables attackers to execute code upon viewing a crafted email — particularly dangerous for webmail deployments. WooCommerce WordPress Plugin (CVE-2025-47577): Dangerous file upload vulnerability permits unauthenticated users to upload executable payloads, leading to full WordPress site takeover. Cross-Site Scripting (XSS) Detection Improvements: Enhanced detection patterns. Impact These vulnerabilities span core systems — from routers to e-commerce to email. RCE in Cisco IOS XE, Roundcube, and vBulletin poses full system compromise. SSRF in Axios and CrushFTP supports internal pivoting, while WooCommerce’s file upload bug opens doors to mass WordPress exploitation. Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 233bcf0ce50f400989a7e44a35fefd53 100783 Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188 Log Block This is a New Detection Cloudflare Managed Ruleset 9284e3b1586341acb4591bfd8332af5d 100784 Axios - SSRF - CVE:CVE-2024-39338 Log Block This is a New Detection Cloudflare Managed Ruleset 2672b175a25548aa8e0107b12e1648d2 100785 vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828 Log Block This is a New Detection Cloudflare Managed Ruleset b77a19fb053744b49eacdab00edcf1ef 100786 Invision Community - Remote Code Execution - CVE:CVE-2025-47916 Log Block This is a New Detection Cloudflare Managed Ruleset aec2274743064523a9667248d6f5eb48 100791 CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103 Log Block This is a New Detection Cloudflare Managed Ruleset 7b80e1f5575d4d99bb7d56ae30baa18a 100792 Roundcube - Remote Code Execution - CVE:CVE-2025-49113 Log Block This is a New Detection Cloudflare Managed Ruleset 52d76f9394494b0382c7cb00229ba236 100793 XSS - Ontoggle Log Disabled This is a New Detection Cloudflare Managed Ruleset d38e657bd43f4d809c28157dfa338296 100794 WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577 Log Block This is a New Detection

You might also wanna read

Comments

Sign in to join the conversation.

No comments yet. Be the first.