Over half of public vulnerabilities bypass web application firewalls

According to a new report, 52 percent of public vulnerabilities bypass leading web application firewalls (WAFs). Yet over 91 percent of the bypassed vulnerabilities can be mitigated when rules are tailored with AI to the actual vulnerability and application context instead of generic attack patterns.
The report from Miggo Security is based on an analysis of a sample of 360+ CVEs tested against the WAFs of leading vendors.
It finds that it takes 41 days on average for a CVE-specific WAF rule to be published by leading WAF vendors, while exploit code appears within hours. This mismatch defines the modern exposure window.
“WAFs are necessary, but they cannot win the AI-enabled zero-day race alone,” says Daniel Shechter, CEO and co-founder of Miggo Security. “The 'React2Shell' vulnerabilities are the textbook example of why the old model fails. We have a CVSS 10.0 threat where the exploit lives in the complex deserialization logic of the 'Flight' protocol -- a place standard WAF signatures rarely look. The only way to close this 41-day gap is shifting from slow, generic signatures to fast, exploit-aware rules generated by runtime intelligence.”
The financial impact is significant too: the report estimates $6 million in potential losses annually for a mid-sized enterprise due to operational WAF deficiencies, driven by the exposure window, unnecessary remediation costs, and the impact of false positives. An augmented approach can reduce these losses.
Julien Bellanger, former Imperva CMO, co-founder of RASP pioneer Prevoty and Miggo Security board member, says, "The data in this report validates the uncomfortable truth we see daily: vulnerabilities are being weaponized faster than any manual process can handle. We know WAFs can be used as a critical mitigating control; cases like Cloudflare's effective initial response to the React2Shell vulnerability prove that. However, the moment a vulnerability is out in the wild, an arms race starts where AI attackers are faster than ever. The imperative now is to make WAFs smarter and more automated so security teams can trust them to reliably implement protection against the 99 percent of vulnerabilities that do (and don't) make headlines."
The full report is available on the Miggo site.
Image credit: Andreus/depositphotos.com
