Cloudflare WAF adds emergency protections for Ivanti EPMM RCE and CSP header XSS vulnerabilities
Cloudflare · release · security · bugfix · developers.cloudflare.com

Emergency WAF Update: New Vulnerability Protections

Cloudflare has released an emergency WAF update addressing critical vulnerabilities in Ivanti Endpoint Manager Mobile and a newly discovered XSS injection vector in HTTP CSP headers.

Ivanti Endpoint Manager Mobile (EPMM) RCE - CVE-2026-1281 & CVE-2026-1340

The Ivanti EPMM vulnerabilities stem from unsafe processing of HTTP requests through Apache RewriteMap directives that pass user-controlled input to Bash scripts without proper sanitization. Attackers can exploit shell arithmetic expansion in /mi/bin/map-appstore-url and /mi/bin/map-aft-store-url endpoints to achieve unauthenticated remote code execution.

A new detection rule (...796ea2f6) has been deployed to identify and block these exploitation attempts with an immediate action of Block (previously Log).

Content-Security-Policy (CSP) Header XSS Injection

A novel XSS detection rule (...ee964a8c) now identifies malicious payloads embedded in the Content-Security-Policy request header. This vulnerability affects applications that extract CSP header values from incoming requests and trust them without sufficient validation. Attackers can inject crafted header values containing malicious scripts or directives that are then processed server-side. Where responses are cached, a poisoned response carrying the XSS content can be served to every subsequent visitor of the site.
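To make the two protections above concrete for anyone reviewing their own logs, here is an added, simplified screening function (example code written for this post, not Cloudflare's rule logic, whose exact signatures are not published here). It assumes that a legitimate store-URL parameter on the two EPMM endpoints never contains shell expansion tokens, and that a browser never sends a Content-Security-Policy header in a request, so script-like content there is suspect; the sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

# Ivanti EPMM endpoints named in the advisory (CVE-2026-1281 / CVE-2026-1340).
EPMM_PATHS = ("/mi/bin/map-appstore-url", "/mi/bin/map-aft-store-url")

# Bash expansion/substitution openers that have no business in a store-URL value.
# Assumption: the real WAF rule uses its own, likely broader, signature.
SHELL_EXPANSION = re.compile(r"\$\(\(|\$\[|\$\(|`|\$\{")

# Script-looking content inside a *request* CSP header (browsers never send one).
CSP_XSS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def classify(request: dict) -> str:
    """Return 'block:epmm-rce', 'block:csp-xss' or 'allow' for one parsed request."""
    path, _, query = request["target"].partition("?")
    # Decode once so percent-encoded tokens are seen the way the backend sees them.
    if path.lower() in EPMM_PATHS and SHELL_EXPANSION.search(unquote_plus(query)):
        return "block:epmm-rce"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    csp = headers.get("content-security-policy", "")
    if csp and CSP_XSS.search(unquote_plus(csp)):
        return "block:csp-xss"
    return "allow"


# Constructed sample requests (not real traffic): two benign, two matching.
SAMPLES = [
    {"target": "/mi/bin/map-appstore-url?url=https%3A%2F%2Fapps.example.com%2Fapp%2F42",
     "headers": {}},
    {"target": "/mi/bin/map-appstore-url?url=$((1%2B1))", "headers": {}},
    {"target": "/index.html", "headers": {"Content-Security-Policy": "default-src 'self'"}},
    {"target": "/index.html",
     "headers": {"Content-Security-Policy": "default-src <script>alert(1)</script>"}},
]


def summarize(samples=SAMPLES) -> dict:
    """Count verdicts, the view a WAF operator wants when checking for false positives."""
    counts: dict = {}
    for s in samples:
        verdict = classify(s)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), s["target"])
    print(summarize())
```

Running the same function over a day of access logs, and inspecting every non-allow verdict, is one practical way to perform the "verify traffic patterns" step before relying on the Block action.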

Action Required

Both new rules are automatically active in the Cloudflare Managed Ruleset with Block action enabled. Customers using the WAF should verify traffic patterns to ensure legitimate requests aren't being blocked by these new protections.