A critical zero-day vulnerability in Cloudflare exposed a fundamental weakness in how security exceptions are handled at scale. The flaw allowed attackers to bypass Cloudflare’s Web Application Firewall (WAF) entirely and directly access protected origin servers by abusing a certificate validation endpoint. The issue was not caused by customer misconfiguration, but by a logic error in Cloudflare’s edge processing of ACME certificate validation traffic.
The vulnerability was discovered on October 9, 2025, by security researchers at FearsOff and reported through Cloudflare’s bug bounty program. At its core, the issue involved Cloudflare’s handling of requests to the ACME HTTP-01 challenge path: /.well-known/acme-challenge/*. This path is used by certificate authorities to verify domain ownership during automated SSL/TLS certificate issuance.
How the Cloudflare Vulnerability Worked
ACME (Automatic Certificate Management Environment) automates certificate lifecycle management by requiring a domain to respond with a specific token at a well-known URL. For Cloudflare-managed certificates, Cloudflare itself responds to these validation requests at the edge. To prevent legitimate certificate issuance from failing, Cloudflare intentionally disables certain WAF features on this path, since firewall rules can interfere with validation requests from certificate authorities.
The zero-day vulnerability emerged because Cloudflare’s logic disabled WAF protections for any request sent to the ACME challenge path, without verifying whether the token in the request matched an active certificate challenge for that hostname. If the token did not correspond to a Cloudflare-managed certificate order, the request was forwarded to the customer’s origin server with WAF protections still disabled.
This meant an attacker could send arbitrary requests to /.well-known/acme-challenge/* and bypass all customer-configured WAF rules, regardless of whether a valid certificate challenge existed. The ACME path effectively became a universal WAF bypass.
Cloudflare’s Confirmation and Technical Details
Cloudflare confirmed the issue in an official disclosure dated October 13, 2025, stating:
“Security researchers from FearsOff identified and reported a vulnerability in Cloudflare’s ACME (Automatic Certificate Management Environment) validation logic that disabled some of the WAF features on specific ACME-related paths.”
The company explained that when a request matched an active ACME challenge token, WAF features were disabled because Cloudflare directly served the response. However, the same behavior occurred when the token belonged to a different zone or an external certificate workflow. In those cases, the request should have remained subject to WAF inspection but was instead passed through to the origin unchecked.
This logic flaw created a direct path around Cloudflare’s security controls, allowing access to backend infrastructure that customers assumed was fully protected by the WAF.
Mitigation and Impact
Cloudflare mitigated the vulnerability by updating its edge logic so that WAF features are only disabled when a request matches a valid ACME HTTP-01 challenge token for the specific hostname and when Cloudflare has a challenge response to serve. All other requests to the ACME path are now processed normally through WAF rulesets.
According to Cloudflare, no customer action was required, and the company stated it was not aware of any malicious exploitation of the vulnerability before the fix.
