The Airlock WAF protection can be completely bypassed by using overlong UTF-8character representations of the NUL character such as C0 80, E0 80 80 and F080 80 80. During the tests no internal knowledge of the WAF was known, but it is suspected that the UTF-8 decoder fails to reject the overlong NUL byte character representations and they get decoded as U+0000 later on. Further the WAF would not perform any checks for attack patterns after the NUL byte. Versions 4.2.4 and below are affected.
4500f9de8c3478095642ee54e1fc94fcf7d2f146d8b89ff5f68fd0fa5d527f81