Cloudflare has released new Web Application Firewall (WAF) rules that protect its customers against exploitation of two critical vulnerabilities in SmarterMail: Arbitrary File Upload (CVE-2025-52691) and Authentication Bypass (CVE-2026-23760).

1. SmarterMail Arbitrary File Upload (CVE-2025-52691): This vulnerability allowed attackers to upload malicious files to a server, potentially leading to remote code execution or system compromise. Cloudflare's new WAF rules now detect and block attempts to exploit this flaw, preventing unauthorized file uploads.

2. SmarterMail Authentication Bypass (CVE-2026-23760): This issue allowed attackers to bypass normal authentication mechanisms, gaining unauthorized access to the application or its resources. The updated WAF rules enforce stricter validation and block attack patterns that attempt to exploit this weakness.

These rule updates demonstrate Cloudflare's commitment to proactive security measures, protecting users from emerging threats targeting known vulnerabilities. Customers using Cloudflare's WAF will benefit from improved protection against these specific SmarterMail security flaws without needing manual intervention.

In summary, Cloudflare's new WAF rules address serious security risks in SmarterMail software by blocking Arbitrary File Upload and Authentication Bypass attacks. This enhancement helps ensure safer web applications and environments for Cloudflare's customers.

Original tweet: https://twitter.com/Cloudforce_One/status/2029009810436550796