WAF Weekly: HTTP/2 Bomb Hits Servers, Magento Under Fire, June 2-6 2026

AI-discovered HTTP/2 Bomb exploit downs servers in seconds. Magento cache warmer flaw hits CISA KEV. WordPress eval() RCE under active exploitation. Gartner SRM pivots to resilience. Fortinet and Palo Alto ride AI security wave.

WAF Weekly roundup for June 2-6, 2026

HTTP/2 Bomb: One Laptop, 32 GB of Server Memory Gone in 20 Seconds

The biggest story this week is the HTTP/2 Bomb, a denial-of-service exploit that chains two decade-old attack techniques into something far more dangerous than either alone. Discovered by security firm Calif using OpenAI's Codex agent, the attack combines an HPACK compression bomb with a Slowloris-style connection hold. The result: a single home computer on a 100 Mbps connection can render a vulnerable server inaccessible within seconds.

Affected servers include NGINX (patched in 1.29.8), Apache HTTPD (patched in mod_http2 v2.0.41), Microsoft IIS, Envoy, and Cloudflare Pingora. IIS, Envoy, and Pingora remain unpatched at time of writing. Over 880,000 websites running default configurations are potentially exposed.

WAFplanet take: This is a protocol-layer attack that sits below most WAF inspection. Traditional rule-based WAFs will not catch it because the HTTP headers themselves look normal. The defense here is infrastructure hardening: upgrade your web server, set header count limits, or fall back to HTTP/1.1 on exposed endpoints. If your WAF vendor runs on affected infrastructure, ask them directly about their patch status.

Magento Stores Hit by Mirasvit Cache Warmer Exploit

CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, giving federal agencies three days to patch. The flaw affects Mirasvit's Full Page Cache Warmer for Magento 2 and Adobe Commerce, all versions before 1.11.12. Researchers at Sansec documented how attackers exploit PHP object injection via CacheWarmer cookies that the extension passes to unserialize(), achieving remote code execution with no authentication required.

Imperva confirmed active exploitation shortly after public disclosure on May 26. Detection indicators include CacheWarmer cookies containing base64-encoded serialized objects.

WAFplanet take: Cookie-based deserialization attacks are exactly the kind of threat that a well-configured WAF should catch. If your Magento store runs behind a WAF, check whether your ruleset inspects cookie payloads for serialized PHP objects. ModSecurity CRS has rules for this pattern, but they need to be enabled.
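The detection indicator above (a CacheWarmer cookie whose base64 decodes to a PHP serialized object) turned into a small log scanner, as an added example that is not Sansec's, Imperva's or the CRS project's code. It assumes the cookie name starts with "CacheWarmer" and a constructed log format; the sample object is a harmless empty stdClass.

```python
import base64
import re

# PHP serialize() writes an object as  O:<len>:"<Class>":<props>:{...}  (also nested in
# arrays). That shape inside a base64-decoded CacheWarmer cookie is the indicator we want.
PHP_OBJECT_RE = re.compile(rb'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def decode_base64_loose(value: str):
    """Base64-decode a cookie value, tolerating URL-encoded or missing '=' padding."""
    value = value.replace("%3D", "=").replace("%3d", "=")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def is_suspicious_cachewarmer_cookie(cookie_header: str) -> bool:
    """True when any CacheWarmer* cookie (assumed name prefix) decodes to a PHP object."""
    for name, value in parse_cookie_header(cookie_header).items():
        if not name.lower().startswith("cachewarmer"):
            continue
        decoded = decode_base64_loose(value)
        if decoded is not None and PHP_OBJECT_RE.search(decoded):
            return True
    return False

def scan_log_lines(lines):
    """Return (line number, cookie header) for every line carrying the indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'Cookie="([^"]*)"', line)  # constructed log format, see SAMPLE_LOG
        if m and is_suspicious_cachewarmer_cookie(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log: line 2 carries base64 of the harmless object O:8:"stdClass":0:{}
SAMPLE_LOG = [
    '203.0.113.5 GET /catalog/product/view Cookie="PHPSESSID=abc123; frontend=xyz"',
    '198.51.100.9 GET /index.php Cookie="CacheWarmer=Tzo4OiJzdGRDbGFzcyI6MDp7fQ=="',
]
```

A WAF rule doing the same job needs the base64 decode step first; matching `O:` on the raw cookie value will miss every encoded payload.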

WordPress Everest Forms Pro: Critical RCE Under Active Exploitation

CVE-2026-3300 (CVSS 9.8) allows unauthenticated remote code execution through the Everest Forms Pro plugin's Calculation add-on. The flaw abuses PHP's eval() function. Single quotes bypass sanitization, letting attackers break out and inject arbitrary PHP. Wordfence reported blocking over 29,300 exploit attempts since April 13, with a single surge on May 16 accounting for 17,900 blocks. The primary attack payload creates rogue admin accounts.

WPEverest released version 1.9.13 with a fix. Sites running earlier versions with the Complex Calculation feature enabled are exposed.

WAFplanet take: This is a textbook case for WordPress WAFs earning their keep. Wordfence, Patchstack, NinjaFirewall, and Sucuri all offer virtual patching that can block exploitation before plugin updates land. If you run WordPress with form plugins, a WAF is not optional.

Gartner SRM 2026: Resilience Replaces Prevention

The Gartner Security and Risk Management Summit this week shifted the conversation away from breach prevention as a success metric. The core message: prevention at scale is no longer achievable. CISOs should measure success by impact limitation, operational continuity, and recovery speed.

Four structurally advantaged attack categories dominated the agenda: deepfake identity impersonation, software supply chain compromise, prompt injection against AI systems, and AI-enabled attack acceleration. The common thread is that attacker execution costs are dropping faster than defender detection costs.

WAFplanet take: The "data layer as the only stable enforcement point" framing is worth paying attention to. As perimeter controls become negotiable and AI agents create new integration risks, WAF vendors that can inspect deeper than HTTP headers, and integrate with identity and data governance layers, will have an edge. Expect WAAP positioning to shift toward "resilience" messaging through the rest of 2026.

Fortinet and Palo Alto Post Strong Quarters on AI Security Push

Fortinet stock jumped 87.5% year-to-date, driven by its AI security product expansion. Palo Alto Networks reported a record quarter with 31% growth, lifting its full-year 2026 outlook. CEO Nikesh Arora told investors the company must "fight AI with AI" and took a jab at CrowdStrike's market position.

Zscaler went the other direction, dipping post-earnings despite meeting targets, as analysts flagged high investor expectations around annual recurring revenue growth.

WAFplanet take: The money is flowing into AI-augmented security. Both Fortinet and Palo Alto are investing heavily in AI-driven threat detection across their WAF and WAAP product lines. For buyers, the question is whether these AI capabilities deliver real detection improvements or just better marketing slides. We plan to test that in our upcoming efficacy benchmarks.

The Week Ahead

Three unpatched HTTP/2 Bomb targets (IIS, Envoy, Pingora) need fixes. The Magento exploitation window is wide open for stores that have not updated Mirasvit. And with Gartner setting the "resilience over prevention" tone, watch for WAF vendors to start repackaging their products around that narrative. We will be watching.