Cybersecurity and application delivery solutions provider Radware has clarified that the vulnerabilities disclosed last week were addressed back in 2023.
An advisory published on May 7 by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University revealed that the Radware Cloud Web Application Firewall (WAF) was vulnerable to a couple of filter bypass methods that could allow threat actors to conduct attacks without being blocked by the firewall.
The advisory describes CVE-2024-56523 and CVE-2024-56524, which could have been exploited to bypass the Radware Cloud WAF using specially crafted HTTP requests.
One method involved adding random data in the request body with an HTTP GET method. The second method involved adding a special character to the request, which caused the firewall to fail to filter the request and allowed various types of payloads to pass through to the underlying web application.
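As a defender-side illustration of the first method (an added example, not Radware's fix and not code from the CERT/CC advisory), the following origin-side check flags GET or HEAD requests that carry or announce a body, so they can be rejected or logged independently of the WAF. The function names and the sample requests are constructed for illustration.

```python
# Added example: flag GET/HEAD requests that carry or announce a body.
# All names and sample requests here are constructed for illustration.

BODYLESS_METHODS = {"GET", "HEAD"}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, header list and body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    # Normalise case so a lowercase "get" is examined as well.
    method = lines[0].split(" ", 1)[0].upper()
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return method, headers, body

def body_findings(raw: bytes):
    """Return the reasons a GET/HEAD request should be rejected or logged."""
    method, headers, body = parse_request(raw)
    if method not in BODYLESS_METHODS:
        return []
    findings = []
    lengths = [v for n, v in headers if n == "content-length"]
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length headers")
    for value in lengths:
        if not (value.isascii() and value.isdigit()):
            findings.append("non-numeric Content-Length")
        elif int(value) > 0:
            findings.append(f"Content-Length {int(value)} on {method}")
    if any(n == "transfer-encoding" for n, _ in headers):
        findings.append(f"Transfer-Encoding on {method}")
    if body and not findings:
        findings.append(f"{len(body)} undeclared body bytes on {method}")
    return findings

# Constructed sample requests (not taken from the advisory).
SAMPLES = {
    "clean": b"GET /search?q=test HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "padded": b"GET /search?q=test HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Length: 12\r\n\r\nxxxxxxxxxxxx",
    "chunked": b"GET / HTTP/1.1\r\nHost: app.example\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n3\r\nabc\r\n0\r\n\r\n",
    "post": b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
            b"Content-Length: 3\r\n\r\na=1",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, body_findings(raw))
```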
Researcher Oriol Gegundez has been credited with reporting these issues to the vendor.
CERT/CC indicated that the vulnerabilities have been fixed, but noted that “Radware had not acknowledged the reporter’s findings when they were initially disclosed”. In addition, CERT/CC said it had not received any statement from the vendor.
Radware also did not respond to SecurityWeek’s request for clarification when contacted last week.
On Sunday, two days after SecurityWeek covered the vulnerabilities, Radware reached out to clarify that both issues mentioned in the CERT/CC advisory were addressed by its R&D team shortly after they were reported to the company in 2023.
“One issue was immediately resolved upon notification, as it did not impact customers’ solution configuration,” Radware explained. “Resolution of the second issue included releasing and applying a signature globally to all Radware customers and cloud applications. In addition, we provided corresponding configuration guidelines which weren’t enforced globally due to required input from individual customers. For that reason, the configuration update has been made available to customers upon request.”
“We appreciate the responsible disclosure from the reporter and are committed to evolving the security of our solutions,” the company said.