Ddos 
A newly disclosed vulnerability note by CERT/CC reveals two security flaws (CVE-2024-56523, CVE-2024-56524) in the Radware Cloud Web Application Firewall (WAF) that allow attackers to bypass its filtering mechanisms and directly target protected web applications. The vulnerabilities were responsibly reported by Oriol Gegundez.
In an unexpected behavior for a firewall, the first vulnerability involves bypassing the WAF by including a body in a GET request—a method that typically doesn’t include one.
“If random data is included in the HTTP request body with a HTTP GET method, WAF protections may be bypassed,” CERT/CC explains.
While unusual, this edge case can be used by attackers to smuggle malicious payloads past the firewall’s inspection layers.
The second vulnerability results from inadequate validation of special characters: “The firewall fails to filter these requests and allows for various payloads to reach the underlying web application.”
This oversight gives attackers a foothold to insert dangerous payloads—like XSS, SQLi, or command injections—through what should be a filtered request channel.
CERT/CC emphasizes: “An attacker with knowledge of these vulnerabilities can bypass filtering. This allows malicious inputs to reach the underlying web application.”
By circumventing WAF logic, adversaries can operate as if no firewall exists—sending in exploitation scripts, malware delivery chains, or probing inputs unchecked.
Though the vulnerabilities “appear to be fixed,” the report notes a lack of official acknowledgement from Radware when the issues were first disclosed.