Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers
Cloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and access origin servers. "The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*)," the web infrastructure
AI Analysis
Technical Summary
Cloudflare's Automatic Certificate Management Environment (ACME) implementation contained a vulnerability in its handling of the HTTP-01 challenge. ACME, defined by RFC 8555, automates TLS certificate issuance by proving control of a domain through challenges; for HTTP-01 the certificate authority (CA) fetches a token-specific file at /.well-known/acme-challenge/<token> over plain HTTP. Cloudflare's edge recognises requests to this path for hostnames it proxies and exempts them from WAF inspection so that a CA's validation request is never blocked by a customer's rules.

The flawed logic checked only that the token in the request corresponded to some active challenge known to Cloudflare; it did not verify that the challenge had been issued for the hostname in the request. A token belonging to an unrelated zone therefore unlocked the bypass for any other Cloudflare-proxied hostname, and the request was forwarded to that hostname's origin without WAF inspection. An attacker holding a valid token (for example, for a zone of their own) could send requests to a target's origin via the challenge path, sidestepping the controls meant to protect it.

The vulnerability was reported by security researcher Kirill Firsov of FearsOff in October 2025 and fixed by Cloudflare on October 27, 2025. The fix limits the WAF exemption to requests whose token matches an active challenge for the requested hostname, restoring the intended behaviour. Cloudflare reports no malicious exploitation, but the flaw could have let attackers read sensitive files on origin servers, perform reconnaissance, and prepare further attacks. Because the token did not have to belong to the target, exposure was not limited to customers who use HTTP-01 themselves: any hostname proxied through Cloudflare and relying on its WAF was affected.
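To make the hostname-scoping defect concrete, the following is an added example, not Cloudflare's code or the researcher's: a small model of the edge decision for requests under the challenge path, with the flawed check beside the corrected one. The zone names, tokens and the challenge store are constructed; the only thing taken from the article is the logic error itself, a token that is valid for some zone being treated as valid for every hostname.

```python
"""Added example (not Cloudflare's code): a model of the edge decision for
requests under the ACME HTTP-01 challenge path, with the flawed check beside
the corrected one. Zone names, tokens and the challenge store are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed store of active HTTP-01 challenges, keyed by the hostname the
# challenge was issued for. victim.example has no challenge in progress at all.
ACTIVE_CHALLENGES: Dict[str, Set[str]] = {
    "attacker.example": {"tok_attacker_9f3c"},
    "shop.example": {"tok_shop_51ab"},
}


@dataclass(frozen=True)
class Decision:
    waf_bypassed: bool  # True: request reaches the origin without WAF inspection
    reason: str


def _challenge_token(path: str) -> Optional[str]:
    """Token part of an ACME challenge path, or None if the path is something else."""
    if not path.startswith(ACME_PREFIX):
        return None
    return path[len(ACME_PREFIX):] or None


def route_vulnerable(host: str, path: str) -> Decision:
    """Flawed logic: the token is looked up across all zones and never tied to `host`."""
    token = _challenge_token(path)
    if token is None:
        return Decision(False, "not a challenge path; normal WAF pipeline")
    every_active_token = set().union(*ACTIVE_CHALLENGES.values())
    if token in every_active_token:
        # Bug: "valid for some zone" is treated as "valid for this hostname".
        return Decision(True, "token matches an active challenge (hostname not checked)")
    return Decision(False, "unknown token; normal WAF pipeline")


def route_fixed(host: str, path: str) -> Decision:
    """Corrected logic: the exemption requires an active challenge for this exact hostname."""
    token = _challenge_token(path)
    if token is None:
        return Decision(False, "not a challenge path; normal WAF pipeline")
    if token in ACTIVE_CHALLENGES.get(host, set()):
        return Decision(True, f"token matches an active challenge for {host}")
    return Decision(False, "token not active for this hostname; normal WAF pipeline")


if __name__ == "__main__":
    # Attacker reuses a token from a zone they control against another customer's hostname.
    hijack = ("victim.example", ACME_PREFIX + "tok_attacker_9f3c")
    print("vulnerable:", route_vulnerable(*hijack))
    print("fixed:     ", route_fixed(*hijack))
    # A CA validating attacker.example's own challenge still gets through after the fix.
    print("legit CA:  ", route_fixed("attacker.example", ACME_PREFIX + "tok_attacker_9f3c"))
```

The corrected routine keeps the property the exemption exists for (a CA validating its own hostname is never blocked) while closing the cross-zone reuse; the lookup key is the pair (hostname, token), not the token alone.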
Potential Impact
For European organizations, this vulnerability exposed origin servers behind Cloudflare to requests that skipped WAF inspection. An attacker could use the challenge path to reach internal resources, configuration files, or application endpoints that WAF rules were meant to shield, leading to information disclosure and reconnaissance that could support further targeted attacks or data breaches. Organizations in finance, healthcare, government, and critical infrastructure that rely on Cloudflare's WAF as a primary control are the most exposed, since the bypass removed a layer many deployments treat as load-bearing.

Exploitation requires a token for an active HTTP-01 challenge somewhere on Cloudflare, which an attacker could obtain for a zone of their own, plus knowledge of the challenge path; no authentication to the target and no user interaction are needed, so remote exploitation is feasible. The low severity Cloudflare assigned may understate the risk for environments holding sensitive data or subject to strict compliance requirements. Cloudflare reports no malicious exploitation, but origins whose only protection was the WAF should be reviewed for what the challenge path could have reached.
Mitigation Recommendations
The fix is server-side: Cloudflare deployed it to its edge on October 27, 2025, and there is no customer-side patch to install. The practical lesson for organizations is that the WAF is not the only control protecting the origin, and the recommendations below follow from that.

On the origin, enforce authentication and authorization in the application itself rather than relying on edge rules, and make sure the /.well-known/acme-challenge/ location serves only static challenge files: it should not be routed through application code or path normalization that could map a request under that prefix to anything else. On the Cloudflare side, review WAF and custom rules so that any exemptions for the challenge path are as narrow as possible.

For detection, monitor origin access logs for requests under /.well-known/acme-challenge/ that arrive when no certificate issuance is in progress, carry tokens the origin's own ACME client did not create, use methods other than GET, or contain extra path segments or traversal sequences. Keep logging and incident response readiness in place so that such activity can be investigated quickly, and include this attack vector in penetration tests to confirm that WAF protections cannot be sidestepped through the challenge path.

Two commonly suggested measures need a caveat. Restricting origin access to Cloudflare's IP ranges, or otherwise verifying that traffic really comes from Cloudflare, stops attackers from reaching the origin directly but would not have helped here, because the bypassed requests were still forwarded through Cloudflare's own edge. Likewise, switching your own certificate issuance to DNS-01 removes your dependence on the HTTP path, but would not have prevented this bypass, which was triggered by tokens from unrelated zones. Both remain good practice; neither substitutes for origin-side controls.
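As an added example of the log monitoring recommended above (not code from the article or from Cloudflare), the script below scans origin access logs for challenge-path requests the origin cannot account for. It assumes the origin knows which tokens its own ACME client is currently serving; the log lines, hostnames, addresses and tokens are constructed for the demonstration.

```python
"""Added example (not from the article or from Cloudflare): scan origin access
logs for requests under the ACME challenge path that the origin cannot account
for. Log lines, hostnames, addresses and tokens are constructed for the demo."""
import re
from typing import Dict, List, Optional

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed: tokens the origin's own ACME client is serving right now. Assumes
# the origin knows its own challenges; if certificates are issued at the edge
# instead, this set is empty and every challenge request reaching the origin is
# worth a look, because the edge would normally answer those itself.
LOCAL_ACTIVE_TOKENS = {"tok_local_7d2e"}

# Combined log format with a leading virtual-host field (a common nginx/Apache layout).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one normal hit, one legitimate challenge, three suspicious ones.
SAMPLE_LOGS = [
    'www.example.com 198.51.100.10 - - [27/Oct/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    'www.example.com 198.51.100.10 - - [27/Oct/2025:10:01:05 +0000] "GET /.well-known/acme-challenge/tok_local_7d2e HTTP/1.1" 200 87',
    'www.example.com 203.0.113.7 - - [27/Oct/2025:10:02:11 +0000] "GET /.well-known/acme-challenge/tok_attacker_9f3c HTTP/1.1" 404 153',
    'www.example.com 203.0.113.7 - - [27/Oct/2025:10:02:12 +0000] "POST /.well-known/acme-challenge/tok_attacker_9f3c HTTP/1.1" 405 0',
    'www.example.com 203.0.113.7 - - [27/Oct/2025:10:02:13 +0000] "GET /.well-known/acme-challenge/tok_attacker_9f3c/..%2f..%2fconfig.php HTTP/1.1" 200 2048',
]


def classify_challenge_request(line: str) -> Optional[Dict[str, object]]:
    """Return an alert for a challenge-path request the origin cannot account for,
    or None for lines that are not challenge requests or look legitimate."""
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith(ACME_PREFIX):
        return None
    remainder = m["path"][len(ACME_PREFIX):]
    reasons: List[str] = []
    if m["method"] != "GET":
        reasons.append("non-GET method on challenge path")
    if "/" in remainder or "%2f" in remainder.lower() or ".." in remainder:
        # A challenge token is a single path segment; anything more is not a CA probe.
        reasons.append("extra path or traversal after token")
    elif remainder not in LOCAL_ACTIVE_TOKENS:
        reasons.append("token not issued by this origin's ACME client")
    if not reasons:
        return None
    return {
        "client": m["client"], "method": m["method"], "path": m["path"],
        "status": m["status"], "reasons": reasons,
    }


def suspicious_challenge_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Run the classifier over a batch of log lines and keep only the alerts."""
    return [a for a in map(classify_challenge_request, lines) if a is not None]


if __name__ == "__main__":
    for alert in suspicious_challenge_requests(SAMPLE_LOGS):
        print(alert["client"], alert["method"], alert["path"], "->", "; ".join(alert["reasons"]))
```

When the origin sits behind Cloudflare, the client field in these logs is a Cloudflare edge address; log and use the CF-Connecting-IP request header instead if you want the alert to name the actual visitor. The status code is deliberately not used as a filter: the traversal line above returned 200, but a 404 on an unknown token is just as much a sign that someone was probing the path.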
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Ireland
Technical Details
Article Source: https://thehackernews.com/2026/01/cloudflare-fixes-acme-validation-bug.html (fetched 2026-01-21, 1141 words)
Threat ID: 697042a44623b1157c81b952
Added to database: 1/21/2026, 3:06:12 AM
Last enriched: 1/21/2026, 3:07:54 AM
Last updated: 2/7/2026, 1:42:17 PM