WAF Release - 24 November (#26717)

* WAF Release - 24 November * Update src/content/changelog/waf/2025-11-24-waf-release.mdx Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> * Update 2025-11-24-waf-release.mdx * rule id added --------- Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
2026-01-11 20:06:58 +00:00 · 2025-11-24 20:13:13 +00:00 · 2025-11-24 20:13:13 +00:00 · e201c05f5e
commit e201c05f5e
parent 9ee3a91d04
2 changed files with 77 additions and 33 deletions
--- a/src/content/changelog/waf/2025-11-24-waf-release.mdx
+++ b/src/content/changelog/waf/2025-11-24-waf-release.mdx
@ -0,0 +1,66 @@
+---
+title: "WAF Release - 2025-11-24"
+description: Cloudflare WAF managed rulesets 2025-11-24 release
+date: 2025-11-24
+---
+
+import { RuleID } from "~/components";
+
+This week highlights enhancements to detection signatures improving coverage for vulnerabilities in FortiWeb, linked to CVE-2025-64446, alongside new detection logic expanding protection against PHP Wrapper Injection techniques.
+
+**Key Findings**
+
+This vulnerability enables an unauthenticated attacker to bypass access controls by abusing the `CGIINFO` header. The latest update strengthens detection logic to ensure a reliable identification of crafted requests attempting to exploit this flaw.
+
+**Impact**
+
+- FortiWeb (CVE-2025-64446): Exploitation allows a remote unauthenticated adversary to circumvent authentication mechanisms by sending a manipulated `CGIINFO` header to FortiWeb’s backend CGI handler. Successful exploitation grants unintended access to restricted administrative functionality, potentially enabling configuration tampering or system-level actions.
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="b957ace6e9844bf29244401c4e2e1a2e" />
+			</td>
+			<td>N/A</td>
+			<td>FortiWeb - Authentication Bypass via CGIINFO Header - CVE:CVE-2025-64446</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a new detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="e3871391a93248fa98a78e03b6c44ed5" />
+			</td>
+			<td>N/A</td>
+			<td>PHP Wrapper Injection - Body - Beta</td>
+			<td>Log</td>
+			<td>Disabled</td>
+			<td>This rule has been merged into the original rule "PHP Wrapper Injection - Body" (ID:<RuleID id="fae6fa37ae9249d58628e54b1a3e521e" />)</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="e6b1b66e0e3b46969102baed900f4015" />
+			</td>
+			<td>N/A</td>
+			<td>PHP Wrapper Injection - URI - Beta</td>
+			<td>Log</td>
+			<td>Disabled</td>
+			<td>This rule has been merged into the original rule "PHP Wrapper Injection - URI" (ID:<RuleID id="9c02e585db34440da620eb668f76bd74" />)</td>
+		</tr>
+	</tbody>
+</table>
--- a/src/content/changelog/waf/scheduled-waf-release.mdx
+++ b/src/content/changelog/waf/scheduled-waf-release.mdx
@ -1,7 +1,7 @@
 ---
-title: WAF Release - Scheduled changes for 2025-11-24
-description: WAF managed ruleset changes scheduled for 2025-11-24
-date: 2025-11-17
+title: WAF Release - Scheduled changes for 2025-12-01
+description: WAF managed ruleset changes scheduled for 2025-12-01
+date: 2025-11-24
 scheduled: true
 ---

@ -20,49 +20,27 @@ import { RuleID } from "~/components";
    </tr>
  </thead>
  <tbody>
-   <tr>
-      <td>2025-11-17</td>
+  <tr>
      <td>2025-11-24</td>
+      <td>2025-12-01</td>
      <td>Log</td>
      <td>N/A</td>
      <td>
-        <RuleID id="e3871391a93248fa98a78e03b6c44ed5" />
+        <RuleID id="480da5e7984542a6b8d8d88da4fcc8a8" />
      </td>
-      <td>PHP Wrapper Injection - Body - Beta</td>
-      <td>This is a beta detection and will replace the action on original detection "PHP Wrapper Injection - Body" (ID: <RuleID id="fae6fa37ae9249d58628e54b1a3e521e" />)</td>
+      <td>Monsta FTP - Remote Code Execution - CVE:CVE-2025-34299</td>
+      <td>This is a new detection</td> 
   </tr>
   <tr>
-      <td>2025-11-17</td>
-      <td>2025-11-24</td>
-      <td>Log</td>
-      <td>N/A</td>
-      <td>
-        <RuleID id="e6b1b66e0e3b46969102baed900f4015" />
-      </td>
-      <td>PHP Wrapper Injection - URI - Beta</td>
-      <td>This is a beta detection and will replace the action on original detection "PHP Wrapper Injection - URI" (ID: <RuleID id="9c02e585db34440da620eb668f76bd74" />)</td>
-   </tr>   
-    <tr>
-      <td>2025-11-17</td>
-      <td>2025-11-24</td>
-      <td>Log</td>
-      <td>N/A</td>
-      <td>
-        <RuleID id="b957ace6e9844bf29244401c4e2e1a2e" />
-      </td>
-      <td>FortiWeb - Authentication Bypass via CGIINFO Header - CVE:CVE-2025-64446</td>
-      <td>This is a new detection</td>
-   </tr>
-   <tr>
-      <td>2025-11-17</td>
      <td>2025-11-24</td>
+      <td>2025-12-01</td>
      <td>Log</td>
      <td>N/A</td>
      <td>
        <RuleID id="2380b125c53d42ac94479c42b7492846" />
      </td>
      <td>XSS - JS Context Escape - Beta</td>
-      <td>This is a beta detection and will replace the action on original detection "PHP Wrapper Injection - URI" (ID: <RuleID id="c1ad1bc37caa4cbeb104f44f7a3769d3" />)</td>
+      <td>This is a beta detection and will replace the action on original detection "XSS - JS Context Escape" (ID: <RuleID id="c1ad1bc37caa4cbeb104f44f7a3769d3" />)</td>
   </tr>  
  </tbody>
-</table>
+</table>