Cloudflare Zero-Day: Global WAF Bypass via ACME Validation Path


In late 2025, researchers at FearsOff Security uncovered a zero-day vulnerability in Cloudflare’s Web Application Firewall (WAF) that allowed external actors to bypass all WAF access restrictions and reach customers’ origin servers through Cloudflare’s proxy without any rule evaluation. The flaw lay in how Cloudflare handled the ACME certificate validation path, /.well-known/acme-challenge/{token}: the edge exempted it from WAF evaluation so that HTTP-01 certificate issuance would not be blocked by customer rules. Because that shortcut applied to every proxied zone, a routine automation mechanism inadvertently turned a maintenance path into a global WAF bypass vector.

Severity: Moderate

Vulnerability Details

  • Cloudflare’s edge treated requests whose path began with /.well-known/acme-challenge/ differently from all other traffic.
  • These requests skipped the WAF’s rule engine so that ACME HTTP-01 validation would never be blocked by customer rules. As a result, even when a customer had WAF rules blocking all external access, an attacker could send crafted requests under this path and reach the true origin server – completely circumventing Cloudflare’s security filters.
  • This effectively broke Cloudflare’s trust boundary: enforcement moved from the edge (WAF) to the origin (backend), so the only remaining control was whatever the backend application itself did with the unfiltered request.

Proof Of Concept And Impact

Researchers demonstrated the issue using controlled Cloudflare-hosted demo environments:

  1. Spring/Tomcat Applications:
    Tomcat treats a semicolon as the start of a path parameter and strips it before normalizing the path, so a request whose first segments were /.well-known/acme-challenge/ followed by ..;/ traversal segments matched the exempt prefix at the edge but resolved to /actuator/env at the origin, returning environment variables, API keys, and cloud credentials.
    → Result: Sensitive configuration leakage.
  2. PHP Applications:
    On applications that route by request parameter, an existing LFI (Local File Inclusion) bug that the WAF would normally have blocked became reachable under the exempt path, allowing local files such as /etc/hosts to be read.
    → Result: Potential server information disclosure.
  3. Next.js Framework:
    Requests bypassing the WAF exposed server-side rendering data not meant for public visibility.
    → Result: Information leakage via internal rendering context.

In all cases, account-level WAF rules, including rules that match on custom headers such as X-middleware-subrequest, were not applied to requests under this path, confirming that the entire WAF rule set was skipped rather than any single rule.

Broader Security Implications

The researchers emphasized that with the rise of AI-driven automated exploitation tools, such hidden bypasses could have been weaponized at scale.

AI-enabled scanners could rapidly detect and exploit .well-known endpoints across the internet, turning a single certificate-validation quirk into a mass exploitation vector.

Resolution And Fix

As of October 27, 2025, Cloudflare confirmed that requests to .well-known/acme-challenge/* paths now undergo standard WAF evaluation like any other request, restoring uniform protection and closing the bypass.
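To make the Spring/Tomcat proof of concept above and the post-fix verification concrete, the following Python is an added example written for this advisory; it is not FearsOff’s or Cloudflare’s code. It models the two disagreeing views of one request path (a literal prefix match, assumed here to be how the edge decided the exemption, versus a simplified servlet-style normaliser that strips ;param suffixes and collapses ..), classifies paths under the exempt prefix, and runs that classification over constructed origin access-log lines to surface requests that could only have reached the origin through the bypass. The minimum token length, the log format and the sample log lines are assumptions for the example; the token value is the one used in RFC 8555’s examples.

```python
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote

# Prefix the edge exempted from WAF evaluation (from the advisory).
ACME_PREFIX = "/.well-known/acme-challenge/"

# RFC 8555 tokens use only the base64url alphabet; the 22-character floor
# (128 bits of entropy) is an assumption made for this example.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

# Common/combined access-log format, assumed for the sample lines below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def edge_exempts(raw_path: str) -> bool:
    """Model of the pre-fix edge decision: a literal prefix match on the path
    exactly as the client sent it. Assumption: a model of the behaviour the
    advisory describes, not Cloudflare's code."""
    return raw_path.split("?", 1)[0].startswith(ACME_PREFIX)


def servlet_resolve(raw_path: str) -> str:
    """Simplified model of how a Tomcat/Spring origin maps the same bytes to a
    route: drop the query, percent-decode, strip ';param' path parameters from
    every segment, then collapse '.' and '..'. Assumption: a reimplementation
    for illustration, not Tomcat's own normaliser."""
    path = unquote(raw_path.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments))


def classify(raw_path: str) -> str:
    """'other'          : not under the exempt prefix, WAF applied normally
       'acme-challenge' : one clean base64url token, what HTTP-01 looks like
       'bypass-attempt' : exempt at the edge, but resolves elsewhere or carries
                          a query string, which a CA validator never sends"""
    if not edge_exempts(raw_path):
        return "other"
    if "?" in raw_path:
        return "bypass-attempt"
    resolved = servlet_resolve(raw_path)
    token = raw_path[len(ACME_PREFIX):]
    if resolved == raw_path and TOKEN_RE.fullmatch(token):
        return "acme-challenge"
    return "bypass-attempt"


def hunt(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, path, status) for every logged request that
    was exempt at the edge yet does not look like a genuine HTTP-01 check."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        if classify(m["path"]) == "bypass-attempt":
            hits.append((m["ts"], m["ip"], m["path"], m["status"]))
    return hits


# Constructed origin access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Oct/2025:10:01:02 +0000] "GET /.well-known/acme-challenge/'
    'LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0 HTTP/1.1" 200 87',
    '198.51.100.9 - - [20/Oct/2025:10:05:41 +0000] "GET /.well-known/acme-challenge/'
    '..;/..;/actuator/env HTTP/1.1" 200 5120',
    '198.51.100.9 - - [20/Oct/2025:10:05:43 +0000] "GET /.well-known/acme-challenge/'
    'x?page=../../../../etc/hosts HTTP/1.1" 200 310',
    '203.0.113.7 - - [20/Oct/2025:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ts, ip, path, status in hunt(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {path} -> origin sees {servlet_resolve(path)}")
```

Run it over origin logs from before the fix to retro-hunt for abuse. After the fix, a flagged path should be stopped by whatever WAF rule would stop the resolved path; if such requests still appear in origin logs, either no rule covers them or the request reached the origin without passing through Cloudflare, and both cases deserve a look.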

Source:

  • https://fearsoff.org/research/cloudflare-acme
  • https://blog.cloudflare.com/acme-path-vulnerability/


Ampcus Cyber