WAF – WAF Release – 2025-10-06

WAF – WAF Release – 2025-10-06

This week’s highlights prioritise an emergency Oracle E-Business Suite RCE rule deployed to block active, high-impact exploitation. Also addressed are high-severity Chaos Mesh controller command-injection flaws that enable unauthenticated in-cluster RCE and potential cluster compromise, plus a form-data multipart boundary issue that permits HTTP Parameter Pollution (HPP). Two new generic SQLi detections were added to catch inline-comment obfuscation and information disclosure techniques.

Key Findings

  • New emergency rule released for Oracle E-Business Suite (CVE-2025-61882) addressing an actively exploited remote code execution vulnerability in core business application modules. Immediate mitigation deployed to protect enterprise workloads.

  • Chaos Mesh (CVE-2025-59358,CVE-2025-59359,CVE-2025-59360,CVE-2025-59361): A GraphQL debug endpoint on the Chaos Controller Manager is exposed without authentication; several controller mutations (cleanTcs, killProcesses, cleanIptables) are vulnerable to OS command injection.

  • Form-Data (CVE-2025-7783): Attackers who can observe Math.random() outputs and control request fields in form-data may exploit this flaw to perform HTTP parameter pollution, leading to request tampering or data manipulation.

  • Two new generic SQLi detections added to enhance baseline coverage against inline-comment obfuscation and information disclosure attempts.

Impact

  • CVE-2025-61882 — Oracle E-Business Suite remote code execution (emergency detection): attacker-controlled input can yield full system compromise, data exfiltration, and operational outage; immediate blocking enforced.

  • CVE-2025-59358 / CVE-2025-59359 / CVE-2025-59360 / CVE-2025-59361 — Unauthenticated command-injection in Chaos Mesh controllers allowing remote code execution, cluster compromise, and service disruption (high availability risk).

  • CVE-2025-7783 — Predictable multipart boundaries in form-data enabling HTTP Parameter Pollution; results include request tampering, parameter overwrite, and downstream data integrity loss.

RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
Cloudflare Managed Ruleset0c9bf31ab6fa41fc8f12daaf8650f52f 100882Chaos Mesh – Missing Authentication – CVE:CVE-2025-59358LogDisabledThis is a New Detection
Cloudflare Managed Ruleset5d459ed434ed446c9580c73c2b8c3680 100883Chaos Mesh – Command Injection – CVE:CVE-2025-59359LogBlockThis is a New Detection
Cloudflare Managed Ruleseta2591ba5befa4815a6861aefef859a04 100884Chaos Mesh – Command Injection – CVE:CVE-2025-59361LogBlockThis is a New Detection
Cloudflare Managed Ruleset05eea4fabf6f4cf3aac1094b961f26a7 100886Form-Data – Parameter Pollution – CVE:CVE-2025-7783LogBlockThis is a New Detection
Cloudflare Managed Ruleset90514c7810694b188f56979826a4074c 100888Chaos Mesh – Command Injection – CVE:CVE-2025-59360LogBlockThis is a New Detection
Cloudflare Managed Ruleset42fbc8c09ec84578b9633ffc31101b2f 100916Oracle E-Business Suite – Remote Code Execution – CVE:CVE-2025-61882N/ABlockThis is a New Detection
Cloudflare Managed Rulesetbadc687a3ba3420a844220b129aa43c3 100917Generic Rules – SQLi – Inline Comment InjectionN/ADisabledThis is a New Detection
Cloudflare Managed Ruleset28fa27511f29428899ceb5a273c10b6f 100918Generic Rules – SQLi – Information DisclosureN/ADisabledThis is a New Detection

Source: Cloudflare



Latest Posts

Pass It On
Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *