November Security Research Update: Newly Released Attack Signatures
Executive Summary

Recent disclosures have introduced a wide range of vulnerabilities across major ecosystems, including critical pre-authentication RCEs, deserialization flaws, SQL injection vectors, path traversal issues, and several authentication-bypass techniques. In response, the Security Research Team published targeted CVE signatures and refined numerous general protections to address bypass attempts and new exploitation patterns.

While several November releases included targeted CVE-focused signatures, F5’s WAF protections extend far beyond CVE coverage. Our signatures are designed to stop classes of attacks, block bypass techniques, and detect real-world exploitation behaviors that are not tied to a specific CVE. The sections below highlight the most significant protections added this month.

New Attack Signatures

Oracle Identity Manager Pre-Auth RCE - CVE-2025-61757

This critical pre-auth RCE (CVSS 9.8) in Oracle Identity Manager is highly attractive for mass exploitation because public PoCs are available. Researchers discovered a bypass in the product’s security filter, which whitelisted any endpoint ending in .wadl so that API specification files could be accessed. Because Java’s getRequestURI() returns the URI without query parameters but preserves matrix parameters, appending ;.wadl to any path bypasses authentication. Using this auth bypass, they reached an endpoint that compiles Groovy code. While compilation alone seems harmless, the @ASTTest annotation allows code to execute during compilation, resulting in a full pre-auth RCE.

We have released a new attack signature, Signature ID 200204047, to block any malicious request trying to exploit this vulnerability.

OAuth2-Proxy Header Smuggling Vulnerability - CVE-2025-64484

Smuggling issues continue to resurface across ecosystems.
This release adds coverage for a high-severity OAuth2-Proxy vulnerability (CVSS 8.5) that enables request manipulation and potential privilege escalation via the X-Forwarded-For header. Although OAuth2-Proxy removes the standard X-Forwarded-For header, it fails to strip underscored variants (e.g., X_Forwarded_For). Some backend servers treat these as equivalent to the hyphenated header, enabling header smuggling and bypassing the proxy’s mitigations. A similar issue appeared a decade ago in CVE-2015-0219 (WSGI header spoofing) with X-Auth headers; that one is already mitigated by signature 200013001.

We have released a new attack signature, Signature ID 200013145, to block any malicious request trying to exploit this vulnerability.

Monsta FTP Remote Code Execution - CVE-2025-34299

Monsta FTP servers exposed to the internet have long been a common target for attackers. In this new exploit, attackers abuse the downloadFile function to pull files from an attacker-controlled SFTP server directly onto the Monsta FTP host. This effectively enables arbitrary file uploads (including malicious payloads), which can then be executed to achieve full remote code execution.

We have released a new attack signature, Signature ID 200020235, to block any malicious request trying to exploit this vulnerability.

Chef Automate SQL Injection - CVE-2025-8868

A high-risk SQL injection vulnerability was discovered by Xbow, an AI-based security researcher. Xbow identified a default token exposed in a GitHub repository, authenticated with it, and accessed previously protected API endpoints. One of these endpoints, a search API that accepted a filters array, was vulnerable to SQL injection and leaked PostgreSQL error details.

We have released a new attack signature, Signature ID 200102194, to block any malicious request trying to exploit this vulnerability.

WSUS Unauthenticated RCE - CVE-2025-59287

This high-severity vulnerability stems from insecure deserialization via SoapFormatter.
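The underscore-variant smuggling in the OAuth2-Proxy section above, as an added example that is not part of the original post and not OAuth2-Proxy’s own code: it models why "some backend servers treat these as equivalent" with the CGI/WSGI convention that maps both X-Forwarded-For and X_Forwarded_For to the same HTTP_X_FORWARDED_FOR key, and places a stripping rule that only removes the hyphenated name beside one that canonicalizes names first. The protected header set, the sample request and the backend model are constructed for the example.

```python
"""Added example, not code from the F5 article or from OAuth2-Proxy: why an
underscored header name reaches a backend as the same value as its
hyphenated twin, and a proxy-side stripping rule that closes the gap.
The protected set, the sample request and the backend model are constructed."""

# Headers the proxy itself wants to be the sole author of (constructed list).
PROTECTED = {"x-forwarded-for", "x-forwarded-proto", "x-real-ip"}

# Constructed client request: a spoofed underscore variant rides along.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "198.51.100.7"),   # hyphenated: every filter strips this
    ("X_Forwarded_For", "127.0.0.1"),      # underscored: the weak filter misses it
    ("User-Agent", "constructed/1.0"),
]


def wsgi_key(name: str) -> str:
    """CGI/WSGI convention: 'X-Forwarded-For' and 'X_Forwarded_For' both
    become HTTP_X_FORWARDED_FOR, which is why a backend conflates them."""
    return "HTTP_" + name.upper().replace("-", "_")


def naive_strip(headers):
    """Weak filter: removes only the exact hyphenated spelling."""
    return [(n, v) for n, v in headers if n.lower() != "x-forwarded-for"]


def canonical(name: str) -> str:
    """Fold case and underscore/hyphen so spelling variants compare equal."""
    return name.lower().replace("_", "-")


def hardened_strip(headers):
    """Drops every header whose canonical name is protected, and drops any
    remaining underscored name outright (none is legitimate in this model)."""
    return [
        (n, v) for n, v in headers
        if canonical(n) not in PROTECTED and "_" not in n
    ]


def proxy_forward(headers, client_ip, strip=hardened_strip):
    """Apply the stripping rule, then append the value the proxy vouches for."""
    kept = list(strip(headers))
    kept.append(("X-Forwarded-For", client_ip))
    return kept


def backend_environ(headers):
    """Model a backend that builds a CGI-style environ, joining duplicate
    keys with a comma as many servers do."""
    env = {}
    for n, v in headers:
        key = wsgi_key(n)
        env[key] = f"{env[key]}, {v}" if key in env else v
    return env


def first_forwarded_ip(env):
    """What an application that trusts the first X-Forwarded-For entry sees."""
    return env["HTTP_X_FORWARDED_FOR"].split(",")[0].strip()


if __name__ == "__main__":
    for label, rule in (("naive", naive_strip), ("hardened", hardened_strip)):
        env = backend_environ(proxy_forward(SAMPLE_HEADERS, "203.0.113.9", rule))
        print(f"{label:8} -> application sees client {first_forwarded_ip(env)}")
```

With the naive rule the backend receives "127.0.0.1, 203.0.113.9" and an application that trusts the first entry believes the client is local; with the canonicalizing rule only the proxy-supplied address survives. Dropping every header name containing an underscore, as the hardened rule does, is the same policy nginx applies by default through underscores_in_headers off.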
By sending a SOAP document containing a serialized malicious object in the MiscData tag, the attacker makes the server deserialize it without any additional validation, leading to remote code execution.

We have released a new attack signature, Signature ID 200204044, to block any malicious request trying to exploit this vulnerability.

Magento RCE - CVE-2025-54236

Magento’s deserialization mechanism is quite unique, and its nested deserialization previously led to the critical CVE-2024-34102 (mitigated by F5’s attack signature 200018190). In this vulnerability, the researchers managed to override the file path where serialized sessions are stored. Combined with an existing file-upload feature, this makes the application deserialize a malicious PHP object, ultimately achieving an unauthenticated RCE.

We have released a new attack signature, Signature ID 200204046, to block any malicious request trying to exploit this vulnerability.

Fortinet FortiWeb Path Traversal - CVE-2025-64446

This high-severity vulnerability is a path traversal chained with an authentication bypass. The path traversal allowed attackers to reach /cgi-bin/fwbcgi, a CGI executable that let them impersonate a high-privilege user and carry out privileged operations.

We have released a new attack signature, Signature ID 200007106, to block any malicious request trying to exploit this vulnerability.

WSO2 API Manager Authentication Bypass - CVE-2025-10611

The matrix-parameter trick to bypass authentication, once again. The developers relied on a regex to block access to certain endpoints. The researcher discovered multiple bypasses, including one that abuses the fact that access to URLs ending with /.well-known/openid-configuration is whitelisted. Here, appending ;/.well-known/openid-configuration did not bypass the filter, because the regex explicitly blocks ; followed by / (a fix for a previous CVE in this product).
The researcher instead used ;%2F.well-known%2Fopenid-configuration. This works because the URI is decoded only after the regex check, allowing the bypass to succeed.

Figure 3: CVE-2025-10611 exploitation attempt blocked by F5 WAF

We have released a new attack signature, Signature ID 200013143, to block any malicious request trying to exploit this vulnerability.

Triofox Authentication Bypass - CVE-2025-12480

By simply setting the Host header to localhost, attackers were able to bypass access-control checks and reach internal functionality within AdminAccount.aspx. This allowed them to create an admin user on the system and ultimately abuse the Triofox anti-virus feature to upload and execute malicious payloads.

We have released a new attack signature, Signature ID 200013144, to block any malicious request trying to exploit this vulnerability.

In general, you can block any request whose Host header carries a localhost value on BIG-IP by turning on the Illegal host name violation.

Conclusions

The vulnerabilities covered in this release largely stem from recurring patterns: inconsistent request parsing, unsafe deserialization paths, regex-based filters that miss normalization edge cases, and trust in attacker-controllable headers or parameters. These weaknesses enabled attackers to chain simple bypasses into high-impact outcomes such as pre-auth RCE, SQL injection, path traversal, and privilege escalation, often aided by publicly available PoCs. In response, we added CVE-specific signatures and refined general protections to better detect smuggling behavior, deserialization abuse, traversal attempts, and other techniques observed in real-world traffic.

To maximize protection, we recommend reviewing your current security policy to ensure the relevant signature sets are enabled for your applications, and following best practices.

Stay safe. See you in the next update.
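The two matrix-parameter bypasses above, the ;.wadl suffix in the Oracle Identity Manager section and the ;%2F… sequence in the WSO2 API Manager section, share one root cause: the allowlist decision is taken on a request URI that still carries matrix parameters and is percent-decoded only afterwards. As an added example that is not part of the original post and not code from either product, the block below places that weak check beside one that canonicalizes the path before comparing it. The allowlist entries, the sample URIs and the denylist regex are constructed for the example.

```python
"""Added example, not code from the F5 article or from Oracle or WSO2: an
allowlist check performed on the raw request URI (decoded only afterwards,
matrix parameters still attached) beside one that canonicalizes the path
first. The allowlist entries and sample URIs are constructed."""
import posixpath
import re
from urllib.parse import unquote

# Constructed allowlist: spec files by suffix, discovery document by exact path.
PUBLIC_SUFFIXES = (".wadl",)
PUBLIC_PATHS = {"/.well-known/openid-configuration"}


def weak_is_public(request_uri: str) -> bool:
    """Decision taken on the raw URI, as in the patterns the article describes:
    a regex denylist runs before percent-decoding, and the suffix match sees
    matrix parameters (text after ';' in a segment) as part of the path."""
    raw = request_uri.split("?", 1)[0]          # query removed, matrix params kept
    if re.search(r";/", raw):                   # denylist added for an earlier issue
        return False
    decoded = unquote(raw)                      # decoded only after the check
    return decoded.endswith(PUBLIC_SUFFIXES) or any(
        decoded.endswith(p) for p in PUBLIC_PATHS)


def canonical_path(request_uri):
    """Return the path a router would actually dispatch on, or None when the
    input is ambiguous (double-encoded) and should be rejected."""
    path = unquote(request_uri.split("?", 1)[0])
    if unquote(path) != path:                   # a second decode still changes it
        return None
    # Drop matrix parameters from every segment, not just the last one.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(path)             # collapse '.' and '..' segments
    return path if path.startswith("/") else "/" + path


def hardened_is_public(request_uri: str) -> bool:
    """Allowlist compared against the canonical path: exact match for the
    discovery document, suffix match only on the real final segment."""
    path = canonical_path(request_uri)
    if path is None:
        return False
    return path in PUBLIC_PATHS or path.endswith(PUBLIC_SUFFIXES)


if __name__ == "__main__":
    for uri in ("/identity/rest/application.wadl",
                "/identity/rest/admin;.wadl",
                "/api/admin;%2F.well-known%2Fopenid-configuration"):
        print(f"{uri:52} weak={weak_is_public(uri)!s:5} "
              f"hardened={hardened_is_public(uri)}")
```

The legitimate specification file is public under both checks; the two bypass shapes are public only under the weak one. The hardened version needs no ";/" denylist at all, because decoding and matrix-parameter removal happen before the comparison, and it refuses double-encoded input rather than guessing which decoding the downstream router will apply.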