A remote command injection vulnerability was found in Applicure's dotDefender WAF management console. The vulnerability allows an authenticated dotDefender manager to execute arbitrary commands on the protected server. Exploiting the vulnerability requires first authenticating to the server, which lowers its potential risk. Nevertheless, as the published exploit is detailed and allows attackers to actively exploit the vulnerability, immediate patching is recommended.
You can find the full details of the vulnerability as published on the Full Disclosure mailing list here, a follow-up comment about potential CSRF here, and Applicure's response and patch here.
While bugs can, do and will exist in WAF management interfaces just like in any other software, I would have expected a WAF management interface to be protected by the WAF itself.
