Merged
Changes from 3 commits
66 changes: 66 additions & 0 deletions src/content/changelog/waf/2025-11-24-waf-release.mdx
@@ -0,0 +1,66 @@
---
title: "WAF Release - 2025-11-24"
description: Cloudflare WAF managed rulesets 2025-11-24 release
date: 2025-11-24
---

import { RuleID } from "~/components";

This week highlights enhancements to detection signatures improving coverage for vulnerabilities in FortiWeb, linked to CVE-2025-64446, alongside new detection logic expanding protection against PHP Wrapper Injection techniques.

**Key Findings**

This vulnerability enables an unauthenticated attacker to bypass access controls by abusing the `CGIINFO` header. The latest update strengthens detection logic to ensure a reliable identification of crafted requests attempting to exploit this flaw.

**Impact**

- FortiWeb (CVE-2025-64446): Exploitation allows a remote unauthenticated adversary to circumvent authentication mechanisms by sending a manipulated `CGIINFO` header to FortiWeb’s backend CGI handler. Successful exploitation grants unintended access to restricted administrative functionality, potentially enabling configuration tampering or system-level actions.

<table style="width: 100%">
<thead>
<tr>
<th>Ruleset</th>
<th>Rule ID</th>
<th>Legacy Rule ID</th>
<th>Description</th>
<th>Previous Action</th>
<th>New Action</th>
<th>Comments</th>
</tr>
</thead>
<tbody>
<tr>
<td>Cloudflare Managed Ruleset</td>
<td>
<RuleID id="b957ace6e9844bf29244401c4e2e1a2e" />
</td>
<td>N/A</td>
<td>FortiWeb - Authentication Bypass via CGIINFO Header - CVE:CVE-2025-64446</td>
<td>Log</td>
<td>Block</td>
<td>This is a new detection</td>
</tr>
<tr>
<td>Cloudflare Managed Ruleset</td>
<td>
<RuleID id="e3871391a93248fa98a78e03b6c44ed5" />
</td>
<td>N/A</td>
<td>PHP Wrapper Injection - Body - Beta</td>
<td>Log</td>
<td>Disabled</td>
<td>This rule has been merged into the original rule "PHP Wrapper Injection - Body" (ID:<RuleID id="fae6fa37ae9249d58628e54b1a3e521e" />)</td>
</tr>
<tr>
<td>Cloudflare Managed Ruleset</td>
<td>
<RuleID id="e6b1b66e0e3b46969102baed900f4015" />
</td>
<td>N/A</td>
<td>PHP Wrapper Injection - URI - Beta</td>
<td>Log</td>
<td>Disabled</td>
<td>This rule has been merged into the original rule "PHP Wrapper Injection - URI" (ID:<RuleID id="9c02e585db34440da620eb668f76bd74" />)</td>
</tr>
</tbody>
</table>
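Review bot: The Key Findings paragraph opens with "This vulnerability" without naming it, and the prose never returns to the PHP Wrapper Injection change that the intro announces. Suggest naming CVE-2025-64446 in the first sentence of Key Findings and adding a sentence on the PHP Wrapper Injection merge. In the table, the two Beta rows go to Disabled with a "merged into the original rule" comment, but nothing states which action the original "PHP Wrapper Injection - Body" and "PHP Wrapper Injection - URI" rules now carry, so a reader tracking those rules cannot tell whether their behaviour changed; a row or a clause in the Comments cell for each original rule would close that gap.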
42 changes: 10 additions & 32 deletions src/content/changelog/waf/scheduled-waf-release.mdx
@@ -1,7 +1,7 @@
---
title: WAF Release - Scheduled changes for 2025-11-24
description: WAF managed ruleset changes scheduled for 2025-11-24
date: 2025-11-17
title: WAF Release - Scheduled changes for 2025-12-01
description: WAF managed ruleset changes scheduled for 2025-12-01
date: 2025-11-24
scheduled: true
---

Expand All @@ -20,49 +20,27 @@ import { RuleID } from "~/components";
</tr>
</thead>
<tbody>
<tr>
<td>2025-11-17</td>
<td>2025-11-24</td>
<td>Log</td>
<td>N/A</td>
<td>
<RuleID id="e3871391a93248fa98a78e03b6c44ed5" />
</td>
<td>PHP Wrapper Injection - Body - Beta</td>
<td>This is a beta detection and will replace the action on original detection "PHP Wrapper Injection - Body" (ID: <RuleID id="fae6fa37ae9249d58628e54b1a3e521e" />)</td>
</tr>
<tr>
<td>2025-11-17</td>
<td>2025-11-24</td>
<td>Log</td>
<td>N/A</td>
<td>
<RuleID id="e6b1b66e0e3b46969102baed900f4015" />
</td>
<td>PHP Wrapper Injection - URI - Beta</td>
<td>This is a beta detection and will replace the action on original detection "PHP Wrapper Injection - URI" (ID: <RuleID id="9c02e585db34440da620eb668f76bd74" />)</td>
</tr>
<tr>
<td>2025-11-17</td>
<tr>
<td>2025-11-24</td>
<td>2025-12-01</td>
<td>Log</td>
<td>N/A</td>
<td>
<RuleID id="b957ace6e9844bf29244401c4e2e1a2e" />
<RuleID id="000000000000000000000000000000" />
</td>
<td>FortiWeb - Authentication Bypass via CGIINFO Header - CVE:CVE-2025-64446</td>
<td>This is a new detection</td>
<td>Monsta FTP - Remote Code Execution - CVE:CVE-2025-34299</td>
<td>This is a new detection</td>
</tr>
<tr>
<td>2025-11-17</td>
<td>2025-11-24</td>
<td>2025-12-01</td>
<td>Log</td>
<td>N/A</td>
<td>
<RuleID id="2380b125c53d42ac94479c42b7492846" />
</td>
<td>XSS - JS Context Escape - Beta</td>
<td>This is a beta detection and will replace the action on original detection "PHP Wrapper Injection - URI" (ID: <RuleID id="c1ad1bc37caa4cbeb104f44f7a3769d3" />)</td>
<td>This is a beta detection and will replace the action on original detection "XSS - JS Context Escape" (ID: <RuleID id="c1ad1bc37caa4cbeb104f44f7a3769d3" />)</td>
</tr>
</tbody>
</table>
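Review bot: The Monsta FTP row carries `<RuleID id="000000000000000000000000000000" />`, an all-zero placeholder where every other row has a real hex rule ID. As written, readers cannot look the rule up or match it against the release entry for 2025-12-01; suggest filling in the assigned ID before this scheduled entry goes out, or stating in the Comments cell that the ID is pending. The corrected reference to "XSS - JS Context Escape" in the last row's comment looks right against the rule name in the same row.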