Default web application firewall (WAF) rules block fewer than half of major CVE exploits, according to a study conducted by Miggo Security.

The company tested leading WAF platforms against more than 360 CVE exploits, focusing specifically on application-layer vulnerabilities that have already been actively targeted in the wild. The CVEs tested were published between January 2024 and October 2025.

Each solution was tested in environments using the vendor's recommended security settings, with standard traffic-handling configurations and strict default WAF rules enabled. Vendor-managed rule sets, including any available CVE-specific rules, were also enabled.

Miggo Security did not name the platforms tested, noting that the research was meant to highlight weaknesses across the ecosystem rather than compare specific solutions. The company ran known exploits for the vulnerabilities against the WAF-protected test environments and used automated exploit-generation tools to create additional payload mutations.

The results showed that the "out-of-the-box" WAF deployments blocked only 48% of the CVE exploits. "In practical terms, this indicates that even within a dataset that is largely WAF-able (roughly ~80%), a substantial portion of vulnerabilities that could be mitigated at the WAF layer were not blocked under standard operation," the report stated.
Miggo's report further noted that the leading WAF vendors studied took an average of 41 days to publish CVE-specific rules after a vulnerability was disclosed, a significant gap given that threat actors frequently begin developing exploits and targeting applications within days or even hours.

This urgency is illustrated by the ongoing fallout from the React2Shell vulnerability, a maximum-severity vulnerability in React Server Components that was exploited by Chinese-nexus threat actors within hours of public disclosure, as reported by AWS researchers on Dec. 4.

The report also described challenges with conventional out-of-the-box WAF configurations, as organizations seek to balance security with efficiency and productivity. Default rules are environment-agnostic and apply broadly across incoming traffic in a way that can trigger false positives, blocking legitimate traffic even while sophisticated exploits slip through, Miggo noted. This may lead organizations to apply less strict rules to avoid significant disruption.

Additionally, even vendor-supplied CVE-specific rules may fail to block exploits when attackers use automated methods, including AI, to produce unique exploit variants that those rules no longer detect.
Developing rules that effectively address major CVEs while avoiding false positives is time- and labor-intensive, and impractical for many organizations as the number of published CVEs continues to rise each year. More than 40,000 CVEs have been published so far in 2025, Miggo noted, with CVE volumes on pace to exceed 50,000 in 2026.

Despite these difficulties, WAFs remain an essential protection layer, Miggo Security says. According to the company, runtime-aware and AI-driven rule generation can help address the challenges highlighted in the report, increasing tailored CVE exploit coverage without relying on manual rule development.

"Runtime augmentation provides the necessary intelligence and automation to finally transform the WAF into a reliable, high-confidence defense layer for all critical CVEs, not just reactive, one-off fixes," Andy Ellis, former CISO at Akamai, said in a statement accompanying the report's release.
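The trade-off the report describes, broad default signatures that both miss mutated payloads and block legitimate traffic versus environment-specific rules, can be measured the same way the study measured coverage: run labelled requests through each rule set and count what is blocked. The following is an added example, not code from Miggo's study or from any WAF vendor. The sample requests, the two rule sets and the per-endpoint application profile (`ENDPOINT_PROFILE`) are all constructed for illustration; the metric names `coverage` and `false_positive_rate` are this example's own.

```python
import re
from urllib.parse import parse_qsl

# Constructed, labelled sample traffic (path, raw query string, is_exploit).
# These are generic textbook payloads, not data from the study.
CORPUS = [
    ("/search",    "q=red+shoes",                 False),
    ("/search",    "q=O'Reilly+books",            False),  # benign apostrophe
    ("/docs",      "file=guide.pdf",              False),
    ("/api/items", "sort=name&order=asc",         False),
    ("/search",    "q=' OR '1'='1",               True),
    ("/docs",      "file=../../etc/passwd",       True),
    ("/docs",      "file=..%2F..%2Fetc%2Fpasswd", True),   # percent-encoded mutation of the line above
    ("/api/items", "sort=name;DROP TABLE items",  True),
]

# Environment-agnostic "default" signatures, applied to the raw query string
# exactly as received (no decoding, no knowledge of the application).
DEFAULT_RULES = [
    re.compile(r"'"),                     # any apostrophe: blocks legitimate names too
    re.compile(r"\.\./"),                 # literal traversal only
    re.compile(r"\b(DROP|UNION)\b", re.I),
]

def default_waf_blocks(path: str, query: str) -> bool:
    """Block if any generic signature matches the raw query string."""
    return any(rule.search(query) for rule in DEFAULT_RULES)

# Hypothetical per-endpoint profile: what each parameter is actually allowed to
# contain. This is the "runtime-aware" knowledge a generic rule set lacks.
ENDPOINT_PROFILE = {
    "/search":    {"q": re.compile(r"^[\w\s'+.-]{1,100}$")},          # free text, apostrophes fine
    "/docs":      {"file": re.compile(r"^[\w-]+\.pdf$")},            # flat PDF filenames only
    "/api/items": {"sort": re.compile(r"^(name|price)$"),
                   "order": re.compile(r"^(asc|desc)$")},
}

def tailored_waf_blocks(path: str, query: str) -> bool:
    """Decode the query, then allow only known parameters with permitted values."""
    profile = ENDPOINT_PROFILE.get(path)
    if profile is None:
        return True  # unknown endpoint: fail closed in this toy model
    # parse_qsl percent-decodes values and turns '+' into spaces, so the
    # encoded traversal variant is compared in its decoded form.
    params = parse_qsl(query, keep_blank_values=True)
    for name, value in params:
        allowed = profile.get(name)
        if allowed is None or not allowed.match(value):
            return True
    return False

def evaluate(blocks, corpus=CORPUS) -> dict:
    """Coverage = fraction of exploits blocked; FP rate = fraction of benign requests blocked."""
    exploits = [(p, q) for p, q, bad in corpus if bad]
    benign = [(p, q) for p, q, bad in corpus if not bad]
    blocked_exploits = sum(blocks(p, q) for p, q in exploits)
    blocked_benign = sum(blocks(p, q) for p, q in benign)
    return {
        "coverage": blocked_exploits / len(exploits),
        "false_positive_rate": blocked_benign / len(benign),
    }

if __name__ == "__main__":
    for label, fn in (("default", default_waf_blocks), ("tailored", tailored_waf_blocks)):
        m = evaluate(fn)
        print(f"{label:9s} coverage={m['coverage']:.2f} false_positive_rate={m['false_positive_rate']:.2f}")
```

On this corpus the default rule set misses the encoded traversal variant and blocks the legitimate `O'Reilly` search, while the endpoint profile catches all four exploits with no false positives. The point is not the numbers themselves but the measurement: a rule set's block rate is only meaningful alongside its false-positive rate on the application's real traffic, which is what pushes operators toward loosening generic rules.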
Default WAF rules fail to block most major exploits, study finds
