A critical zero-day vulnerability in Cloudflare’s WAF allowed attackers to bypass security protections and access origin servers directly by exploiting a flaw in handling ACME certificate validation traffic. Cloudflare addressed the issue by updating its logic to restrict WAF disabling to valid challenge tokens only. #Cloudflare #ACMEChallenge
Key points
- The vulnerability was a logic error in how Cloudflare handled ACME validation requests at scale.
- Attackers could bypass the Web Application Firewall by sending requests to the ACME challenge path.
- Cloudflare’s fix involved restricting WAF disabling to valid challenge tokens matching specific hostnames.
- The flaw was discovered by researchers at FearsOff and reported through Cloudflare’s bug bounty program.
- There was no reported exploitation before Cloudflare patched the vulnerability on October 13, 2025.
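To make the class of logic error concrete, the following is an added example written for this summary; it is not Cloudflare's code and does not reproduce its internals. It models an edge proxy that must let ACME HTTP-01 challenge requests reach the origin unfiltered (the standard challenge path under `/.well-known/acme-challenge/` comes from RFC 8555), and contrasts an exemption keyed on the path alone with one keyed on a pending challenge token registered for that exact hostname. The `pending` registry, the `Edge`/`Request` names, and the token-length bounds are assumptions for the illustration.

```python
"""
Added example (not from the article or Cloudflare): a minimal model of a
WAF exemption for ACME HTTP-01 challenges, in a flawed and a hardened form.
"""
from dataclasses import dataclass, field
import re

# HTTP-01 challenge path prefix defined in RFC 8555 (real, well-known value).
ACME_PREFIX = "/.well-known/acme-challenge/"

# ACME tokens are base64url strings; the 22..128 length window is an assumed
# sanity bound for this example (Let's Encrypt issues 43-character tokens).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,128}$")


@dataclass
class Request:
    host: str   # value of the Host header as received
    path: str   # request path, already split from any query string


@dataclass
class Edge:
    """Toy edge proxy. `pending` is an assumed per-hostname registry of
    challenge tokens that are currently in flight for a certificate order."""
    pending: dict[str, set[str]] = field(default_factory=dict)

    def register_challenge(self, host: str, token: str) -> None:
        # Only the certificate-issuance flow adds tokens; attackers cannot.
        self.pending.setdefault(host.lower(), set()).add(token)

    def complete_challenge(self, host: str, token: str) -> None:
        # Tokens are one-shot: once the CA has validated, the exemption ends.
        self.pending.get(host.lower(), set()).discard(token)

    def waf_bypassed_flawed(self, req: Request) -> bool:
        """Flawed logic: any request under the challenge prefix skips the WAF,
        regardless of hostname or whether a challenge is actually pending."""
        return req.path.startswith(ACME_PREFIX)

    def waf_bypassed_fixed(self, req: Request) -> bool:
        """Hardened logic: skip the WAF only for a syntactically valid token
        that is registered as pending for this exact hostname."""
        if not req.path.startswith(ACME_PREFIX):
            return False
        token = req.path[len(ACME_PREFIX):]
        # Rejects empty tokens, nested paths, traversal ("../x") and odd chars.
        if not TOKEN_RE.fullmatch(token):
            return False
        return token in self.pending.get(req.host.lower(), set())

    def route(self, req: Request, fixed: bool = True) -> str:
        """Return where the request goes: past the WAF or through it."""
        bypass = self.waf_bypassed_fixed(req) if fixed else self.waf_bypassed_flawed(req)
        return "origin-unfiltered" if bypass else "waf"


if __name__ == "__main__":
    edge = Edge()
    token = "A" * 43  # constructed stand-in for a CA-issued token
    edge.register_challenge("example.com", token)
    for host, path in [
        ("example.com", ACME_PREFIX + token),        # genuine pending challenge
        ("example.com", ACME_PREFIX + "not-a-token"),  # wrong token
        ("other.example", ACME_PREFIX + token),      # right token, wrong host
        ("example.com", ACME_PREFIX + "../admin"),   # traversal under the prefix
    ]:
        r = Request(host, path)
        print(f"{host}{path}: flawed={edge.route(r, fixed=False)} fixed={edge.route(r)}")
```

The point of the contrast is that the exemption is a security decision and must be bound to a fact only the issuance flow controls (a pending token for that hostname), not to a string any client can put in a URL. The flawed branch routes every listed request to the origin unfiltered; the fixed branch routes only the first one.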
Read More: https://thecyberexpress.com/cloudflare-zero-day-waf-bypass-acme/