Cybersecurity firm Radware has confirmed that the two vulnerabilities recently highlighted in a public disclosure were actually resolved nearly two years ago. The company addressed concerns raised in a May 7 advisory from the CERT Coordination Center (CERT/CC), which had warned that Radware’s Cloud Web Application Firewall (WAF) could be bypassed using specific HTTP tricks.
The vulnerabilities, tracked as CVE-2024-56523 and CVE-2024-56524, reportedly let attackers slip malicious payloads past the firewall using specially crafted HTTP requests. In one, the payload was placed in the body of a GET request, where the firewall did not expect attacker-controlled input; in the other, a special character inserted into the request caused the filtering engine to miss a payload it would otherwise have matched. Both are instances of the same underlying weakness: the WAF and the origin server disagreeing about which bytes of a request carry input, so that what the filter inspects is not what the application ends up processing.
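The article does not publish the exact requests, so the following is an added illustration of the bug class rather than code from Radware or from the researcher. It models a toy WAF inspector in two versions: a naive one that only examines request bodies for methods that "should" have one and matches signatures on raw bytes, and a hardened one that inspects every field for every method after canonicalizing. The signatures, sample requests and the double-encoding used as a stand-in for "a special character the filter does not handle" are all constructed for this example and are assumptions, not the specifics of the two CVEs.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Constructed toy signatures; real WAF rule sets are far larger. They exist only to
# show where in the pipeline the check runs, not to model Radware's engine.
SIGNATURES = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),
    re.compile(r"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),
]


@dataclass
class Request:
    method: str
    target: str
    headers: dict
    body: bytes


def parse_http(raw: bytes) -> Request:
    """Minimal HTTP/1.1 request parser: request line, headers, Content-Length-framed body."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return Request(method, target, headers, rest[:length])


def canonicalize(text: str) -> str:
    """Bring the text to the form the origin will act on before matching: percent-decode
    twice (catches double encoding, the stand-in discrepancy used here) and collapse
    runs of whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(text)))


def matches_signature(text: str) -> bool:
    return any(sig.search(text) for sig in SIGNATURES)


def naive_inspect(req: Request) -> str:
    """Flawed inspector. It assumes a GET carries attacker input only in the URL, so the
    body is examined only for methods that 'should' have one, and it matches raw text."""
    fields = [req.target]
    if req.method in ("POST", "PUT", "PATCH"):
        fields.append(req.body.decode("latin-1"))
    return "block" if any(matches_signature(f) for f in fields) else "allow"


def hardened_inspect(req: Request) -> str:
    """Inspects every field the origin might parse, for every method, after canonicalization.
    A body on a GET has no defined semantics in HTTP, but origins may still read it, so it
    is checked like any other input instead of being ignored."""
    fields = [canonicalize(req.target), canonicalize(req.body.decode("latin-1"))]
    return "block" if any(matches_signature(f) for f in fields) else "allow"


# Constructed sample traffic (not captured from any real system).
GET_WITH_BODY = (
    b"GET /search?q=shoes HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"q=' OR '1'='1"
)

# Payload double percent-encoded in the query string: the raw bytes contain no quote
# character for the naive matcher to see, but two decodes yield the same injection.
DOUBLE_ENCODED_GET = (
    b"GET /search?q=%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)

BENIGN_GET = b"GET /search?q=shoes HTTP/1.1\r\nHost: app.example\r\n\r\n"


def verdicts(raw: bytes) -> dict:
    """Run both inspectors over one raw request and return their verdicts side by side."""
    req = parse_http(raw)
    return {"naive": naive_inspect(req), "hardened": hardened_inspect(req)}


if __name__ == "__main__":
    samples = [("get-with-body", GET_WITH_BODY),
               ("double-encoded", DOUBLE_ENCODED_GET),
               ("benign", BENIGN_GET)]
    for name, raw in samples:
        print(name, verdicts(raw))
```

Running the block prints `allow` from the naive inspector for both crafted requests and `block` from the hardened one, while the benign request passes both. The practical check for any WAF, cloud or on-premises, is the same: send the payload in a place the filter may not look (a GET body, an unusual encoding, an extra header) and confirm at the origin whether it arrived intact.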
However, Radware says there’s no need for alarm. The company responded this week to clarify that its internal R&D team had already patched both flaws after they were responsibly disclosed in 2023 by security researcher Oriol Gegundez.
According to Radware, the first flaw was resolved immediately and did not affect standard customer configurations. For the second, the team developed a new global signature that was pushed automatically to all customers of Radware's cloud applications, and issued configuration guidance for deployments that needed customer-specific tuning. Because that fix could not be applied uniformly to every client, Radware made those updates available on request.
The CERT/CC advisory had mentioned that Radware hadn’t publicly acknowledged the researcher’s findings at the time of initial disclosure. The company also didn’t respond to inquiries last week when the story first broke. But Radware has now set the record straight.
“We appreciate the responsible disclosure from the reporter and are committed to evolving the security of our solutions,” Radware said in its statement.
While CERT/CC confirmed the vulnerabilities were patched, the lack of early communication may have caused confusion around the timeline. This incident highlights the importance of transparency in vulnerability handling—especially when dealing with products that form a core part of customers’ cybersecurity defenses.