This week's update
This week, critical vulnerabilities were disclosed that impact widely used open-source infrastructure, creating high-risk scenarios for code execution and operational disruption.
Key Findings
-
Apache HTTP Server – Code Execution (CVE-2024-38474): A flaw in Apache HTTP Server allows attackers to achieve remote code execution, enabling full compromise of affected servers. This vulnerability threatens the confidentiality, integrity, and availability of critical web services.
-
Laravel (CVE-2024-55661): A security flaw in Laravel introduces the potential for remote code execution under specific conditions. Exploitation could provide attackers with unauthorized access to application logic and sensitive backend data.
Impact
These vulnerabilities pose severe risks to enterprise environments and open-source ecosystems. Remote code execution enables attackers to gain deep system access, steal data, disrupt services, and establish persistent footholds for broader intrusions. Given the widespread deployment of Apache HTTP Server and Laravel in production systems, timely patching and mitigation are critical.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100822_BETA WordPress:Plugin:WPBookit - Remote Code Execution - CVE:CVE-2025-6058 N/A Disabled This was merged in to the original rule "WordPress:Plugin:WPBookit - Remote Code Execution - CVE:CVE-2025-6058" (ID: Cloudflare Managed Ruleset 100831 Apache HTTP Server - Code Execution - CVE:CVE-2024-38474 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100846 Laravel - Remote Code Execution - CVE:CVE-2024-55661 Log Disabled This is a New Detection -
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100850 Command Injection - Generic 2 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100851 Remote Code Execution - Java Deserialization N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100852 Command Injection - Generic 3 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100853 Remote Code Execution - Common Bash Bypass Beta N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100854 XSS - Generic JavaScript N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100855 Command Injection - Generic 4 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100856 PHP Object Injection N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100857 Generic - Parameter Fuzzing N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100858 Code Injection - Generic 4 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100859 SQLi - UNION - 2 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100860 Command Injection - Generic 5 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100861 Command Execution - Generic N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100862 GraphQL Injection - 2 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100863 Command Injection - Generic 6 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100864 Code Injection - Generic 2 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100865 PHP Object Injection - 2 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100866 SQLi - LIKE 2 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100867 SQLi - DROP - 2 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100868 Code Injection - Generic 3 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100869 Command Injection - Generic 7 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100870 Command Injection - Generic 8 N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100871 SQLi - LIKE 3 N/A Disabled This is a New Detection
This week's update
This week, a series of critical vulnerabilities were discovered impacting core enterprise and open-source infrastructure. These flaws present a range of risks, providing attackers with distinct pathways for remote code execution, methods to breach internal network boundaries, and opportunities for critical data exposure and operational disruption.
Key Findings
-
SonicWall SMA (CVE-2025-32819, CVE-2025-32820, CVE-2025-32821): A remote authenticated attacker with SSLVPN user privileges can bypass path traversal protections. These vulnerabilities enable a attacker to bypass security checks to read, modify, or delete arbitrary files. An attacker with administrative privileges can escalate this further, using a command injection flaw to upload malicious files, which could ultimately force the appliance to reboot to its factory default settings.
-
Ms-Swift Project (CVE-2025-50460): An unsafe deserialization vulnerability exists in the Ms-Swift project's handling of YAML configuration files. If an attacker can control the content of a configuration file passed to the application, they can embed a malicious payload that will execute arbitrary code and it can be executed during deserialization.
-
Apache Druid (CVE-2023-25194): This vulnerability in Apache Druid allows an attacker to cause the server to connect to a malicious LDAP server. By sending a specially crafted LDAP response, the attacker can trigger an unrestricted deserialization of untrusted data. If specific "gadgets" (classes that can be abused) are present in the server's classpath, this can be escalated to achieve Remote Code Execution (RCE).
-
Tenda AC8v4 (CVE-2025-51087, CVE-2025-51088): Vulnerabilities allow an authenticated attacker to trigger a stack-based buffer overflow. By sending malformed arguments in a request to specific endpoints, an attacker can crash the device or potentially achieve arbitrary code execution.
-
Open WebUI (CVE-2024-7959): This vulnerability allows a user to change the OpenAI URL endpoint to an arbitrary internal network address without proper validation. This flaw can be exploited to access internal services or cloud metadata endpoints, potentially leading to remote command execution if the attacker can retrieve instance secrets or access sensitive internal APIs.
-
BentoML (CVE-2025-54381): The vulnerability exists in the serialization/deserialization handlers for multipart form data and JSON requests, which automatically download files from user-provided URLs without proper validation of internal network addresses. This allows attackers to fetch from unintended internal services, including cloud metadata and localhost.
-
Adobe Experience Manager Forms (CVE-2025-54254): An Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read in Adobe AEM (≤6.5.23).
Impact
These vulnerabilities affect core infrastructure, from network security appliances like SonicWall to data platforms such as Apache Druid and ML frameworks like BentoML. The code execution and deserialization flaws are particularly severe, offering deep system access that allows attackers to steal data, disrupt services, and establish a foothold for broader intrusions. Simultaneously, SSRF and XXE vulnerabilities undermine network boundaries, exposing sensitive internal data and creating pathways for lateral movement. Beyond data-centric threats, flaws in edge devices like the Tenda router introduce the tangible risk of operational disruption, highlighting a multi-faceted threat to the security and stability of key enterprise systems.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100574 SonicWall SMA - Remote Code Execution - CVE:CVE-2025-32819, CVE:CVE-2025-32820, CVE:CVE-2025-32821 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100576 Ms-Swift Project - Remote Code Execution - CVE:CVE-2025-50460 Log Block This is a New Detection Cloudflare Managed Ruleset 100585 Apache Druid - Remote Code Execution - CVE:CVE-2023-25194 Log Block This is a New Detection Cloudflare Managed Ruleset 100834 Tenda AC8v4 - Auth Bypass - CVE:CVE-2025-51087, CVE:CVE-2025-51088 Log Block This is a New Detection Cloudflare Managed Ruleset 100835 Open WebUI - SSRF - CVE:CVE-2024-7959 Log Block This is a New Detection Cloudflare Managed Ruleset 100837 SQLi - OOB Log Block This is a New Detection Cloudflare Managed Ruleset 100841 BentoML - SSRF - CVE:CVE-2025-54381 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100841A BentoML - SSRF - CVE:CVE-2025-54381 - 2 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100841B BentoML - SSRF - CVE:CVE-2025-54381 - 3 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100845 Adobe Experience Manager Forms - XSS - CVE:CVE-2025-54254 Log Block This is a New Detection Cloudflare Managed Ruleset 100845A Adobe Experience Manager Forms - XSS - CVE:CVE-2025-54254 - 2 Log Block This is a New Detection -
This week's update focuses on a wide range of enterprise software, from network infrastructure and security platforms to content management systems and development frameworks. Flaws include unsafe deserialization, OS command injection, SSRF, authentication bypass, and arbitrary file upload — many of which allow unauthenticated remote code execution. Notable risks include Cisco Identity Services Engine and Ivanti EPMM, where successful exploitation could grant attackers full administrative control of core network infrastructure and popular web services such as WordPress, SharePoint, and Ingress-Nginx, where security bypasses and arbitrary file uploads could lead to complete site or server compromise.
Key Findings
-
Cisco Identity Services Engine (CVE-2025-20281): Insufficient input validation in a specific API of Cisco Identity Services Engine (ISE) and ISE-PIC allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device.
-
Wazuh Server (CVE-2025-24016): An unsafe deserialization vulnerability in Wazuh Server (versions 4.4.0 to 4.9.0) allows for remote code execution and privilege escalation. By injecting unsanitized data, an attacker can trigger an exception to execute arbitrary code on the server.
-
CrushFTP (CVE-2025-54309): A flaw in AS2 validation within CrushFTP allows remote attackers to gain administrative access via HTTPS on systems not using the DMZ proxy feature. This flaw can lead to unauthorized file access and potential system compromise.
-
Kentico Xperience CMS (CVE-2025-2747, CVE-2025-2748): Vulnerabilities in Kentico Xperience CMS could enable cross-site scripting (XSS), allowing attackers to inject malicious scripts into web pages. Additionally, a flaw could allow unauthenticated attackers to bypass the Staging Sync Server's authentication, potentially leading to administrative control over the CMS.
-
Node.js (CVE-2025-27210): An incomplete fix for a previous vulnerability (CVE-2025-23084) in Node.js affects the
path.join()API method on Windows systems. The vulnerability can be triggered using reserved Windows device names such asCON,PRN, orAUX. -
WordPress:Plugin:Simple File List (CVE-2025-34085, CVE-2020-36847): This vulnerability in the Simple File List plugin for WordPress allows an unauthenticated remote attacker to upload arbitrary files to a vulnerable site. This can be exploited to achieve remote code execution on the server.
(Note: CVE-2025-34085 has been rejected as a duplicate.) -
GeoServer (CVE-2024-29198): A Server-Side Request Forgery (SSRF) vulnerability exists in GeoServer's Demo request endpoint, which can be exploited where the Proxy Base URL has not been configured.
-
Ivanti EPMM (CVE-2025-6771): An OS command injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) before versions 12.5.0.2, 12.4.0.3, and 12.3.0.3 allows a remote, authenticated attacker with high privileges to execute arbitrary code.
-
Microsoft SharePoint (CVE-2024-38018): This is a remote code execution vulnerability affecting Microsoft SharePoint Server.
-
Manager-IO (CVE-2025-54122): A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability is present in the proxy handler of both Manager Desktop and Server editions up to version 25.7.18.2519. This allows an unauthenticated attacker to bypass network isolation and access internal services.
-
Ingress-Nginx (CVE-2025-1974): A vulnerability in the Ingress-Nginx controller for Kubernetes allows an attacker to bypass access control rules. An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller.
-
PaperCut NG/MF (CVE-2023-2533): A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF. Under specific conditions, an attacker could exploit this to alter security settings or execute arbitrary code if they can deceive an administrator with an active login session into clicking a malicious link.
-
SonicWall SMA (CVE-2025-40598): This vulnerability could allow an unauthenticated attacker to bypass security controls. This allows a remote, unauthenticated attacker to potentially execute arbitrary JavaScript code.
-
WordPress (CVE-2025-5394): The "Alone – Charity Multipurpose Non-profit WordPress Theme" for WordPress is vulnerable to arbitrary file uploads. A missing capability check allows unauthenticated attackers to upload ZIP files containing webshells disguised as plugins, leading to remote code execution.
Impact
These vulnerabilities span a broad range of enterprise technologies, including network access control systems, monitoring platforms, web servers, CMS platforms, cloud services, and collaboration tools. Exploitation techniques range from remote code execution and command injection to authentication bypass, SQL injection, path traversal, and configuration weaknesses.
A critical flaw in perimeter devices like Ivanti EPMM or SonicWall SMA could allow an unauthenticated attacker to gain remote code execution, completely breaching the primary network defense. A separate vulnerability within Cisco's Identity Services Engine could then be exploited to bypass network segmentation, granting an attacker widespread internal access. Insecure deserialization issues in platforms like Wazuh Server and CrushFTP could then be used to run malicious payloads or steal sensitive files from administrative consoles. Weaknesses in web delivery controllers like Ingress-Nginx or popular content management systems such as WordPress, SharePoint, and Kentico Xperience create vectors to bypass security controls, exfiltrate confidential data, or fully compromise servers.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100538 GeoServer - SSRF - CVE:CVE-2024-29198 Log Block This is a New Detection Cloudflare Managed Ruleset 100548 Ivanti EPMM - Remote Code Execution - CVE:CVE-2025-6771 Log Block This is a New Detection Cloudflare Managed Ruleset 100550 Microsoft SharePoint - Remote Code Execution - CVE:CVE-2024-38018 Log Block This is a New Detection Cloudflare Managed Ruleset 100562 Manager-IO - SSRF - CVE:CVE-2025-54122 Log Block This is a New Detection Cloudflare Managed Ruleset 100565 Cisco Identity Services Engine - Remote Code Execution - CVE:CVE-2025-20281
Log Block This is a New Detection Cloudflare Managed Ruleset 100567 Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1974 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100569 PaperCut NG/MF - Remote Code Execution - CVE:CVE-2023-2533 Log Block This is a New Detection Cloudflare Managed Ruleset 100571 SonicWall SMA - XSS - CVE:CVE-2025-40598 Log Block This is a New Detection Cloudflare Managed Ruleset 100573 WordPress - Dangerous File Upload - CVE:CVE-2025-5394 Log Block This is a New Detection Cloudflare Managed Ruleset 100806 Wazuh Server - Remote Code Execution - CVE:CVE-2025-24016 Log Block This is a New Detection Cloudflare Managed Ruleset 100824 CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 Log Block This is a New Detection Cloudflare Managed Ruleset 100824A CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 - 2 Log Block This is a New Detection Cloudflare Managed Ruleset 100825 AMI MegaRAC - Auth Bypass - CVE:CVE-2024-54085 Log Block This is a New Detection Cloudflare Managed Ruleset 100826 Kentico Xperience CMS - Auth Bypass - CVE:CVE-2025-2747 Log Block This is a New Detection Cloudflare Managed Ruleset 100827 Kentico Xperience CMS - XSS - CVE:CVE-2025-2748 Log Block This is a New Detection Cloudflare Managed Ruleset 100828 Node.js - Directory Traversal - CVE:CVE-2025-27210 Log Block This is a New Detection Cloudflare Managed Ruleset 100829 WordPress:Plugin:Simple File List - Remote Code Execution - CVE:CVE-2025-34085
Log Block This is a New Detection Cloudflare Managed Ruleset 100829A WordPress:Plugin:Simple File List - Remote Code Execution - CVE:CVE-2025-34085 - 2
Log Disabled This is a New Detection -
This week’s highlight focuses on two critical vulnerabilities affecting key infrastructure and enterprise content management platforms. Both flaws present significant remote code execution risks that can be exploited with minimal or no user interaction.
Key Findings
-
Squid (≤6.3) — CVE-2025-54574: A heap buffer overflow occurs when processing Uniform Resource Names (URNs). This vulnerability may allow remote attackers to execute arbitrary code on the server. The issue has been resolved in version 6.4.
-
Adobe AEM (≤6.5.23) — CVE-2025-54253: Due to a misconfiguration, attackers can achieve remote code execution without requiring any user interaction, posing a severe threat to affected deployments.
Impact
Both vulnerabilities expose critical attack vectors that can lead to full server compromise. The Squid heap buffer overflow allows remote code execution by crafting malicious URNs, which can lead to server takeover or denial of service. Given Squid’s widespread use as a caching proxy, this flaw could be exploited to disrupt network traffic or gain footholds inside secure environments.
Adobe AEM’s remote code execution vulnerability enables attackers to run arbitrary code on the content management server without any user involvement. This puts sensitive content, application integrity, and the underlying infrastructure at extreme risk. Exploitation could lead to data theft, defacement, or persistent backdoor installation.
These findings reinforce the urgency of updating to the patched versions — Squid 6.4 and Adobe AEM 6.5.24 or later — and reviewing configurations to prevent exploitation.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100844 Adobe Experience Manager Forms - Remote Code Execution - CVE:CVE-2025-54253 N/A Block This is a New Detection Cloudflare Managed Ruleset 100840 Squid - Buffer Overflow - CVE:CVE-2025-54574 N/A Block This is a New Detection -
This week's highlight focuses on a series of significant vulnerabilities identified across widely adopted web platforms, from enterprise-grade CMS to essential backend administration tools. The findings reveal multiple vectors for attack, including critical flaws that allow for full server compromise and others that enable targeted attacks against users.
Key Findings
-
Sitecore (CVE-2025-34509, CVE-2025-34510, CVE-2025-34511): A hardcoded credential allows remote attackers to access administrative APIs. Once authenticated, they can exploit an additional vulnerability to upload arbitrary files, leading to remote code execution.
-
Grafana (CVE-2025-4123): A cross-site scripting (XSS) vulnerability allows an attacker to redirect users to a malicious website, which can then execute arbitrary JavaScript in the victim's browser.
-
LaRecipe (CVE-2025-53833): Through Server-Side Template Injection, attackers can execute arbitrary commands on the server, potentially access sensitive environment variables, and escalate access depending on server configuration.
-
CentOS WebPanel (CVE-2025-48703): A command injection vulnerability could allow a remote attacker to execute arbitrary commands on the server.
-
WordPress (CVE-2023-5561): This vulnerability allows unauthenticated attackers to determine the email addresses of users who have published public posts on an affected website.
-
WordPress Plugin - WPBookit (CVE-2025-6058): A missing file type validation allows unauthenticated attackers to upload arbitrary files to the server, creating the potential for remote code execution.
-
WordPress Theme - Motors (CVE-2025-4322): Due to improper identity validation, an unauthenticated attacker can change the passwords of arbitrary users, including administrators, to gain access to their accounts.
Impact
These vulnerabilities pose a multi-layered threat to widely adopted web technologies, ranging from enterprise-grade platforms like Sitecore to everyday solutions such as WordPress, and backend tools like CentOS WebPanel. The most severe risks originate in remote code execution (RCE) flaws found in Sitecore, CentOS WebPanel, LaRecipe, and the WPBookit plugin. These allow attackers to bypass security controls and gain deep access to the server, enabling them to steal sensitive data, deface websites, install persistent malware, or use the compromised server as a launchpad for further attacks.
The privilege escalation vulnerability is the Motors theme, which allows for a complete administrative account takeover on WordPress sites. This effectively hands control of the application to an attacker, who can then manipulate content, exfiltrate user data, and alter site functionality without needing to breach the server itself.
The Grafana cross-site scripting (XSS) flaw can be used to hijack authenticated user sessions or steal credentials, turning a trusted user's browser into an attack vector.
Meanwhile, the information disclosure flaw in WordPress core provides attackers with valid user emails, fueling targeted phishing campaigns that aim to secure the same account access achievable through the other exploits.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100535A Sitecore - Dangerous File Upload - CVE:CVE-2025-34510, CVE:CVE-2025-34511 Log Block This is a New Detection Cloudflare Managed Ruleset 100535 Sitecore - Information Disclosure - CVE:CVE-2025-34509 Log Block This is a New Detection Cloudflare Managed Ruleset 100543 Grafana - Directory Traversal - CVE:CVE-2025-4123 Log Block This is a New Detection Cloudflare Managed Ruleset 100545 WordPress - Information Disclosure - CVE:CVE-2023-5561 Log Block This is a New Detection Cloudflare Managed Ruleset 100820 CentOS WebPanel - Remote Code Execution - CVE:CVE-2025-48703 Log Block This is a New Detection Cloudflare Managed Ruleset 100821 LaRecipe - SSTI - CVE:CVE-2025-53833 Log Block This is a New Detection Cloudflare Managed Ruleset 100822 WordPress:Plugin:WPBookit - Remote Code Execution - CVE:CVE-2025-6058 Log Block This is a New Detection Cloudflare Managed Ruleset 100823 WordPress:Theme:Motors - Privilege Escalation - CVE:CVE-2025-4322 Log Block This is a New Detection -
This week’s update spotlights several vulnerabilities across Apache Tomcat, MongoDB, and Fortinet FortiWeb. Several flaws related with a memory leak in Apache Tomcat can lead to a denial-of-service attack. Additionally, a code injection flaw in MongoDB's Mongoose library allows attackers to bypass security controls to access restricted data.
Key Findings
-
Fortinet FortiWeb (CVE-2025-25257): An improper neutralization of special elements used in a SQL command vulnerability in Fortinet FortiWeb versions allows an unauthenticated attacker to execute unauthorized SQL code or commands.
-
Apache Tomcat (CVE-2025-31650): A improper Input Validation vulnerability in Apache Tomcat that could create memory leak when incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request.
-
MongoDB (CVE-2024-53900, CVE:CVE-2025-23061): Improper use of
$wherein match and a nested$wherefilter with apopulate()match in Mongoose can lead to search injection.
Impact
These vulnerabilities target user-facing components, web application servers, and back-end databases. A SQL injection flaw in Fortinet FortiWeb can lead to data theft or system compromise. A separate issue in Apache Tomcat involves a memory leak from improper input validation, which could be exploited for a denial-of-service (DoS) attack. Finally, a vulnerability in MongoDB's Mongoose library allows attackers to bypass security filters and access unauthorized data through malicious search queries.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100804 BerriAI - SSRF - CVE:CVE-2024-6587 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100812 Fortinet FortiWeb - Remote Code Execution - CVE:CVE-2025-25257 Log Block This is a New Detection Cloudflare Managed Ruleset 100813 Apache Tomcat - DoS - CVE:CVE-2025-31650 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100815 MongoDB - Remote Code Execution - CVE:CVE-2024-53900, CVE:CVE-2025-23061 Log Block This is a New Detection Cloudflare Managed Ruleset 100816 MongoDB - Remote Code Execution - CVE:CVE-2024-53900, CVE:CVE-2025-23061 Log Block This is a New Detection -
This week's update highlights several high-impact vulnerabilities affecting Microsoft SharePoint Server. These flaws, involving unsafe deserialization, allow unauthenticated remote code execution over the network, posing a critical threat to enterprise environments relying on SharePoint for collaboration and document management.
Key Findings
- Microsoft SharePoint Server (CVE-2025-53770): A critical vulnerability involving unsafe deserialization of untrusted data, enabling unauthenticated remote code execution over the network. This flaw allows attackers to execute arbitrary code on vulnerable SharePoint servers without user interaction.
- Microsoft SharePoint Server (CVE-2025-53771): A closely related deserialization issue that can be exploited by unauthenticated attackers, potentially leading to full system compromise. The vulnerability highlights continued risks around insecure serialization logic in enterprise collaboration platforms.
Impact
Together, these vulnerabilities significantly weaken the security posture of on-premise Microsoft SharePoint Server deployments. By enabling remote code execution without authentication, they open the door for attackers to gain persistent access, deploy malware, and move laterally across enterprise environments.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100817 Microsoft SharePoint - Deserialization - CVE:CVE-2025-53770 N/A Block This is a New Detection Cloudflare Managed Ruleset 100818 Microsoft SharePoint - Deserialization - CVE:CVE-2025-53771 N/A Block This is a New Detection For more details, also refer to our blog ↗.
This week's update spotlights several critical vulnerabilities across Citrix NetScaler Memory Disclosure, FTP servers and network application. Several flaws enable unauthenticated remote code execution or sensitive data exposure, posing a significant risk to enterprise security.
Key Findings
- Wing FTP Server (CVE-2025-47812): A critical Remote Code Execution (RCE) vulnerability that enables unauthenticated attackers to execute arbitrary code with root/SYSTEM-level privileges by exploiting a Lua injection flaw.
- Infoblox NetMRI (CVE-2025-32813): A remote unauthenticated command injection flaw that allows an attacker to execute arbitrary commands, potentially leading to unauthorized access.
- Citrix Netscaler ADC (CVE-2025-5777, CVE-2023-4966): A sensitive information disclosure vulnerability, also known as "Citrix Bleed2", that allows the disclosure of memory and subsequent remote access session hijacking.
- Akamai CloudTest (CVE-2025-49493): An XML External Entity (XXE) injection that could lead to read local files on the system by manipulating XML input.
Impact
These vulnerabilities affect critical enterprise infrastructure, from file transfer services and network management appliances to application delivery controllers. The Wing FTP RCE and Infoblox command injection flaws offer direct paths to deep system compromise, while the Citrix "Bleed2" and Akamai XXE vulnerabilities undermine system integrity by enabling session hijacking and sensitive data theft.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100804 BerriAI - SSRF - CVE:CVE-2024-6587 Log Log This is a New Detection Cloudflare Managed Ruleset 100805 Wing FTP Server - Remote Code Execution - CVE:CVE-2025-47812 Log Block This is a New Detection Cloudflare Managed Ruleset 100807 Infoblox NetMRI - Command Injection - CVE:CVE-2025-32813 Log Block This is a New Detection Cloudflare Managed Ruleset 100808 Citrix Netscaler ADC - Buffer Error - CVE:CVE-2025-5777 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100809 Citrix Netscaler ADC - Information Disclosure - CVE:CVE-2023-4966 Log Block This is a New Detection Cloudflare Managed Ruleset 100810 Akamai CloudTest - XXE - CVE:CVE-2025-49493 Log Block This is a New Detection
This week’s vulnerability analysis highlights emerging web application threats that exploit modern JavaScript behavior and SQL parsing ambiguities. Attackers continue to refine techniques such as attribute overloading and obfuscated logic manipulation to evade detection and compromise front-end and back-end systems.
Key Findings
- XSS – Attribute Overloading: A novel cross-site scripting technique where attackers abuse custom or non-standard HTML attributes to smuggle payloads into the DOM. These payloads evade traditional sanitization logic, especially in frameworks that loosely validate attributes or trust unknown tokens.
- XSS – onToggle Event Abuse: Exploits the lesser-used onToggle event (triggered by elements like
<details>) to execute arbitrary JavaScript when users interact with UI elements. This vector is often overlooked by static analyzers and can be embedded in seemingly benign components.
Impact
These vulnerabilities target both user-facing components and back-end databases, introducing potential vectors for credential theft, session hijacking, or full data exfiltration. The XSS variants bypass conventional filters through overlooked HTML behaviors, while the obfuscated SQLi enables attackers to stealthily probe back-end logic, making them especially difficult to detect and block.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100798 XSS - Attribute Overloading Log Block This is a New Detection Cloudflare Managed Ruleset 100799 XSS - OnToggle Log Block This is a New Detection
We have significantly increased the limits for IP Lists on Enterprise plans to provide greater flexibility and control:
- Total number of lists: Increased from 10 to 1,000.
- Total number of list items: Increased from 10,000 to 500,000.
Limits for other list types and plans remain unchanged. For more details, refer to the lists availability.
This week’s roundup uncovers critical vulnerabilities affecting enterprise VoIP systems, webmail platforms, and a popular JavaScript framework. The risks range from authentication bypass to remote code execution (RCE) and buffer handling flaws, each offering attackers a path to elevate access or fully compromise systems.
Key Findings
- Next.js - Auth Bypass: A newly detected authentication bypass flaw in the Next.js framework allows attackers to access protected routes or APIs without proper authorization, undermining application access controls.
- Fortinet FortiVoice (CVE-2025-32756): A buffer error vulnerability in FortiVoice systems that could lead to memory corruption and potential code execution or service disruption in enterprise telephony environments.
- Roundcube (CVE-2025-49113): A critical RCE flaw allowing unauthenticated attackers to execute arbitrary PHP code via crafted requests, leading to full compromise of mail servers and user inboxes.
Impact
These vulnerabilities affect core business infrastructure, from web interfaces to voice communications and email platforms. The Roundcube RCE and FortiVoice buffer flaw offer potential for deep system access, while the Next.js auth bypass undermines trust boundaries in modern web apps.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100795 Next.js - Auth Bypass Log Disabled This is a New Detection Cloudflare Managed Ruleset 100796 Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100797 Roundcube - Remote Code Execution - CVE:CVE-2025-49113 Log Disabled This is a New Detection
This week’s roundup highlights multiple critical vulnerabilities across popular web frameworks, plugins, and enterprise platforms. The focus lies on remote code execution (RCE), server-side request forgery (SSRF), and insecure file upload vectors that enable full system compromise or data exfiltration.
Key Findings
- Cisco IOS XE (CVE-2025-20188): Critical RCE vulnerability enabling unauthenticated attackers to execute arbitrary commands on network infrastructure devices, risking total router compromise.
- Axios (CVE-2024-39338): SSRF flaw impacting server-side request control, allowing attackers to manipulate internal service requests when misconfigured with unsanitized user input.
- vBulletin (CVE-2025-48827, CVE-2025-48828): Two high-impact RCE flaws enabling attackers to remotely execute PHP code, compromising forum installations and underlying web servers.
- Invision Community (CVE-2025-47916): A critical RCE vulnerability allowing authenticated attackers to run arbitrary code in community platforms, threatening data and lateral movement risk.
- CrushFTP (CVE-2025-32102, CVE-2025-32103): SSRF vulnerabilities in upload endpoint processing permit attackers to pivot internal network scans and abuse internal services.
- Roundcube (CVE-2025-49113): RCE via email processing enables attackers to execute code upon viewing a crafted email — particularly dangerous for webmail deployments.
- WooCommerce WordPress Plugin (CVE-2025-47577): Dangerous file upload vulnerability permits unauthenticated users to upload executable payloads, leading to full WordPress site takeover.
- Cross-Site Scripting (XSS) Detection Improvements: Enhanced detection patterns.
Impact
These vulnerabilities span core systems — from routers to e-commerce to email. RCE in Cisco IOS XE, Roundcube, and vBulletin poses full system compromise. SSRF in Axios and CrushFTP supports internal pivoting, while WooCommerce’s file upload bug opens doors to mass WordPress exploitation.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100783 Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188 Log Block This is a New Detection Cloudflare Managed Ruleset 100784 Axios - SSRF - CVE:CVE-2024-39338 Log Block This is a New Detection Cloudflare Managed Ruleset 100785 vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828
Log Block This is a New Detection Cloudflare Managed Ruleset 100786 Invision Community - Remote Code Execution - CVE:CVE-2025-47916 Log Block This is a New Detection Cloudflare Managed Ruleset 100791 CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103 Log Block This is a New Detection Cloudflare Managed Ruleset 100792 Roundcube - Remote Code Execution - CVE:CVE-2025-49113 Log Block This is a New Detection Cloudflare Managed Ruleset 100793 XSS - Ontoggle Log Disabled This is a New Detection Cloudflare Managed Ruleset 100794 WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577
Log Block This is a New Detection
This week’s update spotlights four critical vulnerabilities across CMS platforms, VoIP systems, and enterprise applications. Several flaws enable remote code execution or privilege escalation, posing significant enterprise risks.
Key Findings
- WordPress OttoKit Plugin (CVE-2025-27007): Privilege escalation flaw allows unauthenticated attackers to create or elevate user accounts, compromising WordPress administrative control.
- SAP NetWeaver (CVE-2025-42999): Remote Code Execution vulnerability enables attackers to execute arbitrary code on SAP NetWeaver systems, threatening core ERP and business operations.
- Fortinet FortiVoice (CVE-2025-32756): Buffer error vulnerability may lead to memory corruption and potential code execution, directly impacting enterprise VoIP infrastructure.
- Camaleon CMS (CVE-2024-46986): Remote Code Execution vulnerability allows attackers to gain full control over Camaleon CMS installations, exposing hosted content and underlying servers.
Impact
These vulnerabilities target widely deployed CMS, ERP, and VoIP systems. RCE flaws in SAP NetWeaver and Camaleon CMS allow full takeover of business-critical applications. Privilege escalation in OttoKit exposes WordPress environments to full administrative compromise. FortiVoice buffer handling issues risk destabilizing or fully compromising enterprise telephony systems.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100769 WordPress OttoKit Plugin - Privilege Escalation - CVE:CVE-2025-27007
Log Block This is a New Detection Cloudflare Managed Ruleset 100770 SAP NetWeaver - Remote Code Execution - CVE:CVE-2025-42999 Log Block This is a New Detection Cloudflare Managed Ruleset 100779 Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756 Log Block This is a New Detection Cloudflare Managed Ruleset 100780 Camaleon CMS - Remote Code Execution - CVE:CVE-2024-46986 Log Block This is a New Detection
This week’s roundup highlights five high-risk vulnerabilities affecting SD-WAN, load balancers, and AI platforms. Several flaws enable unauthenticated remote code execution or authentication bypass.
Key Findings
- Versa Concerto SD-WAN (CVE-2025-34026, CVE-2025-34027): Authentication bypass vulnerabilities allow attackers to gain unauthorized access to SD-WAN management interfaces, compromising network segmentation and control.
- Kemp LoadMaster (CVE-2024-7591): Remote Code Execution vulnerability enables attackers to execute arbitrary commands, potentially leading to full device compromise within enterprise load balancing environments.
- AnythingLLM (CVE-2024-0759): Server-Side Request Forgery (SSRF) flaw allows external attackers to force the LLM backend to make unauthorized internal network requests, potentially exposing sensitive internal resources.
- Anyscale Ray (CVE-2023-48022): Remote Code Execution vulnerability affecting distributed AI workloads, allowing attackers to execute arbitrary code on Ray cluster nodes.
- Server-Side Request Forgery (SSRF) - Generic & Obfuscated Payloads: Ongoing advancements in SSRF payload techniques observed, including obfuscation and expanded targeting of cloud metadata services and internal IP ranges.
Impact
These vulnerabilities expose critical infrastructure across networking, AI platforms, and SaaS integrations. Unauthenticated RCE and auth bypass flaws in Versa Concerto, Kemp LoadMaster, and Anyscale Ray allow full system compromise. AnythingLLM and SSRF payload variants expand attack surfaces into internal cloud resources, sensitive APIs, and metadata services, increasing risk of privilege escalation, data theft, and persistent access.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100764 Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34027 Log Block This is a New Detection Cloudflare Managed Ruleset 100765 Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34026 Log Block This is a New Detection Cloudflare Managed Ruleset 100766 Kemp LoadMaster - Remote Code Execution - CVE:CVE-2024-7591 Log Block This is a New Detection Cloudflare Managed Ruleset 100767 AnythingLLM - SSRF - CVE:CVE-2024-0759 Log Block This is a New Detection Cloudflare Managed Ruleset 100768 Anyscale Ray - Remote Code Execution - CVE:CVE-2023-48022 Log Block This is a New Detection Cloudflare Managed Ruleset 100781 SSRF - Generic Payloads N/A Disabled This is a New Detection Cloudflare Managed Ruleset 100782 SSRF - Obfuscated Payloads N/A Disabled This is a New Detection
We have deployed an updated attack score model focused on enhancing the detection of multiple false positives (FPs).
As a result of this improvement, some changes in observed attack scores are expected.
This week’s roundup covers nine vulnerabilities, including six critical RCEs and one dangerous file upload. Affected platforms span cloud services, CI/CD pipelines, CMSs, and enterprise backup systems. Several are now addressed by updated WAF managed rulesets.
Key Findings
- Ingress-Nginx (CVE-2025-1098): Unauthenticated RCE via unsafe annotation handling. Impacts Kubernetes clusters.
- GitHub Actions (CVE-2025-30066): RCE through malicious workflow inputs. Targets CI/CD pipelines.
- Craft CMS (CVE-2025-32432): Template injection enables unauthenticated RCE. High risk to content-heavy sites.
- F5 BIG-IP (CVE-2025-31644): RCE via TMUI exploit, allowing full system compromise.
- AJ-Report (CVE-2024-15077): RCE through untrusted template execution. Affects reporting dashboards.
- NAKIVO Backup (CVE-2024-48248): RCE via insecure script injection. High-value target for ransomware.
- SAP NetWeaver (CVE-2025-31324): Dangerous file upload flaw enables remote shell deployment.
- Ivanti EPMM (CVE-2025-4428, 4427): Auth bypass allows full access to mobile device management.
- Vercel (CVE-2025-32421): Information leak via misconfigured APIs. Useful for attacker recon.
Impact
These vulnerabilities expose critical components across Kubernetes, CI/CD pipelines, and enterprise systems to severe threats including unauthenticated remote code execution, authentication bypass, and information leaks. High-impact flaws in Ingress-Nginx, Craft CMS, F5 BIG-IP, and NAKIVO Backup enable full system compromise, while SAP NetWeaver and AJ-Report allow remote shell deployment and template-based attacks. Ivanti EPMM’s auth bypass further risks unauthorized control over mobile device fleets.
GitHub Actions and Vercel introduce supply chain and reconnaissance risks, allowing malicious workflow inputs and data exposure that aid in targeted exploitation. Organizations should prioritize immediate patching, enhance monitoring, and deploy updated WAF and IDS signatures to defend against likely active exploitation.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100746 Vercel - Information Disclosure Log Disabled This is a New Detection Cloudflare Managed Ruleset 100754 AJ-Report - Remote Code Execution - CVE:CVE-2024-15077 Log Block This is a New Detection Cloudflare Managed Ruleset 100756 NAKIVO Backup - Remote Code Execution - CVE:CVE-2024-48248 Log Block This is a New Detection Cloudflare Managed Ruleset 100757 Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1098 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100759 SAP NetWeaver - Dangerous File Upload - CVE:CVE-2025-31324 Log Block This is a New Detection Cloudflare Managed Ruleset 100760 Craft CMS - Remote Code Execution - CVE:CVE-2025-32432 Log Block This is a New Detection Cloudflare Managed Ruleset 100761 GitHub Action - Remote Code Execution - CVE:CVE-2025-30066 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100762 Ivanti EPMM - Auth Bypass - CVE:CVE-2025-4428, CVE:CVE-2025-4427 Log Block This is a New Detection Cloudflare Managed Ruleset 100763 F5 Big IP - Remote Code Execution - CVE:CVE-2025-31644 Log Disabled This is a New Detection
This week's analysis covers four vulnerabilities, with three rated critical due to their Remote Code Execution (RCE) potential. One targets a high-traffic frontend platform, while another targets a popular content management system. These detections are now part of the Cloudflare Managed Ruleset in Block mode.
Key Findings
- Commvault Command Center (CVE-2025-34028) exposes an unauthenticated RCE via insecure command injection paths in the web UI. This is critical due to its use in enterprise backup environments.
- BentoML (CVE-2025-27520) reveals an exploitable vector where serialized payloads in model deployment APIs can lead to arbitrary command execution. This targets modern AI/ML infrastructure.
- Craft CMS (CVE-2024-56145) allows RCE through template injection in unauthenticated endpoints. It poses a significant risk for content-heavy websites with plugin extensions.
- Apache HTTP Server (CVE-2024-38475) discloses sensitive server config data due to misconfigured
mod_proxybehavior. While not RCE, this is useful for pre-attack recon.
Impact
These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort.
Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100745 Apache HTTP Server - Information Disclosure - CVE:CVE-2024-38475 Log Block This is a New Detection Cloudflare Managed Ruleset 100747 Commvault Command Center - Remote Code Execution - CVE:CVE-2025-34028
Log Block This is a New Detection Cloudflare Managed Ruleset 100749 BentoML - Remote Code Execution - CVE:CVE-2025-27520 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100753 Craft CMS - Remote Code Execution - CVE:CVE-2024-56145 Log Block This is a New Detection
We have upgraded WAF Payload Logging to enhance rule diagnostics and usability:
- Targeted logging: Logs now capture only the specific portions of requests that triggered WAF rules, rather than entire request segments.
- Visual highlighting: Matched content is visually highlighted in the UI for faster identification.
- Enhanced context: Logs now include surrounding context to make diagnostics more effective.
Payload Logging is available to all Enterprise customers. If you have not used Payload Logging before, check how you can get started.
Note: The structure of the
encrypted_matched_datafield in Logpush has changed fromMap<Field, Value>toMap<Field, {Before: bytes, Content: Value, After: bytes}>. If you rely on this field in your Logpush jobs, you should review and update your processing logic accordingly.
This week's analysis covers five CVEs with varying impact levels. Four are rated critical, while one is rated high severity. Remote Code Execution vulnerabilities dominate this set.
Key Findings
GFI KerioControl (CVE-2024-52875) contains an unauthenticated Remote Code Execution (RCE) vulnerability that targets firewall appliances. This vulnerability can let attackers gain root level system access, making this CVE particularly attractive for threat actors.
The SonicWall SMA vulnerabilities remain concerning due to their continued exploitation since 2021. These critical vulnerabilities in remote access solutions create dangerous entry points to networks.
Impact
Customers using the Managed Ruleset will receive rule coverage following this week's release. Below is a breakdown of the recommended prioritization based on current exploitation trends:
- GFI KerioControl (CVE-2024-52875) - Highest priority; unauthenticated RCE
- SonicWall SMA (Multiple vulnerabilities) - Critical for network appliances
- XWiki (CVE-2025-24893) - High priority for development environments
- Langflow (CVE-2025-3248) - Important for AI workflow platforms
- MinIO (CVE-2025-31489) - Important for object storage implementations
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100724 GFI KerioControl - Remote Code Execution - CVE:CVE-2024-52875 Log Block This is a New Detection Cloudflare Managed Ruleset 100748 XWiki - Remote Code Execution - CVE:CVE-2025-24893 Log Block This is a New Detection Cloudflare Managed Ruleset 100750 SonicWall SMA - Dangerous File Upload - CVE:CVE-2021-20040, CVE:CVE-2021-20041, CVE:CVE-2021-20042
Log Block This is a New Detection Cloudflare Managed Ruleset 100751 Langflow - Remote Code Execution - CVE:CVE-2025-3248 Log Block This is a New Detection Cloudflare Managed Ruleset 100752 MinIO - Auth Bypass - CVE:CVE-2025-31489 Log Block This is a New Detection
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100755 React.js - Router and Remix Vulnerability - CVE:CVE-2025-43864, CVE:CVE-2025-43865
Block Block This is a New Detection
Each of this week's rule releases covers a distinct CVE, with half of the rules targeting Remote Code Execution (RCE) attacks. Of the 6 CVEs covered, four were scored as critical, with the other two scored as high.
When deciding which exploits to tackle, Cloudflare tunes into the attackers' areas of focus. Cloudflare's network intelligence provides a unique lens into attacker activity – for instance, through the volume of blocked requests related with CVE exploits after updating WAF Managed Rules with new detections.
From this week's releases, one indicator that RCE is a "hot topic" attack type is the fact that the Oracle PeopleSoft RCE rule accounts for half of all of the new rule matches. This rule patches CVE-2023-22047, a high-severity vulnerability in the Oracle PeopleSoft suite that allows unauthenticated attackers to access PeopleSoft Enterprise PeopleTools data through remote code execution. This is particularly concerning because of the nature of the data managed by PeopleSoft – this can include payroll records or student profile information. This CVE, along with five others, are addressed with the latest detection update to WAF Managed Rules.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100738 GitLab - Auth Bypass - CVE:CVE-2023-7028 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100740 Splunk Enterprise - Remote Code Execution - CVE:CVE-2025-20229 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100741 Oracle PeopleSoft - Remote Code Execution - CVE:CVE-2023-22047 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100742 CrushFTP - Auth Bypass - CVE:CVE-2025-31161 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100743 Ivanti - Buffer Error - CVE:CVE-2025-22457 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100744 Oracle Access Manager - Remote Code Execution - CVE:CVE-2021-35587
Log Disabled This is a New Detection
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100739A Next.js - Auth Bypass - CVE:CVE-2025-29927 - 2 Log Disabled This is a New Detection
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100732 Sitecore - Code Injection - CVE:CVE-2025-27218 Log Block This is a New Detection Cloudflare Managed Ruleset 100733 Angular-Base64-Upload - Remote Code Execution - CVE:CVE-2024-42640
Log Block This is a New Detection Cloudflare Managed Ruleset 100734 Apache Camel - Remote Code Execution - CVE:CVE-2025-29891 Log Disabled This is a New Detection Cloudflare Managed Ruleset 100735 Progress Software WhatsUp Gold - Remote Code Execution - CVE:CVE-2024-4885
Log Block This is a New Detection Cloudflare Managed Ruleset 100737 Apache Tomcat - Remote Code Execution - CVE:CVE-2025-24813 Log Block This is a New Detection Cloudflare Managed Ruleset 100659 Common Payloads for Server-side Template Injection N/A Disabled N/A Cloudflare Managed Ruleset 100659 Common Payloads for Server-side Template Injection - Base64 N/A Disabled N/A Cloudflare Managed Ruleset 100642 LDAP Injection N/A Disabled N/A Cloudflare Managed Ruleset 100642 LDAP Injection Base64 N/A Disabled N/A Cloudflare Managed Ruleset 100005 DotNetNuke - File Inclusion - CVE:CVE-2018-9126, CVE:CVE-2011-1892, CVE:CVE-2022-31474
N/A Disabled N/A Cloudflare Managed Ruleset 100527 Apache Struts - CVE:CVE-2021-31805 N/A Block N/A Cloudflare Managed Ruleset 100702 Command Injection - CVE:CVE-2022-24108 N/A Block N/A Cloudflare Managed Ruleset 100622C Ivanti - Command Injection - CVE:CVE-2023-46805, CVE:CVE-2024-21887, CVE:CVE-2024-22024
N/A Block N/A Cloudflare Managed Ruleset 100536C GraphQL Command Injection N/A Disabled N/A Cloudflare Managed Ruleset 100536 GraphQL Injection N/A Disabled N/A Cloudflare Managed Ruleset 100536A GraphQL Introspection N/A Disabled N/A Cloudflare Managed Ruleset 100536B GraphQL SSRF N/A Disabled N/A Cloudflare Managed Ruleset 100559A Prototype Pollution - Common Payloads N/A Disabled N/A Cloudflare Managed Ruleset 100559A Prototype Pollution - Common Payloads - Base64 N/A Disabled N/A Cloudflare Managed Ruleset 100734 Apache Camel - Remote Code Execution - CVE:CVE-2025-29891 N/A Disabled N/A
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 100739 Next.js - Auth Bypass - CVE:CVE-2025-29927 N/A Disabled This is a New Detection