
A seemingly innocuous certificate validation path became a hidden gateway past Cloudflare's Web Application Firewall (WAF), security researchers disclosed this week. The vulnerability allowed attackers to reach protected web servers even when strict blocking rules were in place—turning a maintenance corridor into an unguarded entrance.
The flaw centered on /.well-known/acme-challenge/, a URL path used by certificate authorities to verify domain ownership during SSL/TLS certificate issuance. FearsOff researchers discovered that requests targeting this path bypassed customer-configured WAF rules entirely, granting direct access to origin servers that should have been unreachable.
"The WAF stepped aside, and the origin answered with its own voice," the researchers wrote in their technical disclosure. "That single change in who was speaking—Cloudflare interstitial vs. origin framework—was the tell."
How a Robot's Hallway Became a Side Door
The vulnerability exploited Cloudflare's internal logic for handling ACME HTTP-01 challenges. When serving certificate validation tokens, Cloudflare temporarily disabled certain security features to prevent interference with automated certificate issuance.
The problem emerged when the system also disabled these protections for requests to the ACME path that weren't actually being served by Cloudflare—allowing them to pass through to customer origins unchecked.

FearsOff demonstrated the impact across multiple application frameworks. On Spring/Tomcat servers, attackers accessed sensitive actuator endpoints containing database credentials and API tokens via path traversal.
Next.js applications leaked server-side configuration data. PHP applications became vulnerable to local file inclusion attacks, allowing attackers to read system files such as /etc/hosts.
Most concerning: account-level WAF rules were completely ignored for these paths. Headers that should have triggered blocks sailed through, potentially exposing applications to SQL injection, server-side request forgery, and cache poisoning attacks—any vulnerability that relied on the WAF as a defensive layer.
The Fix and What It Means
Cloudflare deployed a patch on October 27, 2025, just two weeks after validation. The fix ensures that security features are disabled only when a request matches a valid ACME token for the specific hostname being challenged. The company confirmed no evidence of active exploitation exists.
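A compact model of the edge routing decision before and after the fix, as described in this article. This is an added illustration written for the piece, not Cloudflare's code; the hostname, token, pending-challenge table and the single traversal rule standing in for a customer's WAF are all constructed.

```python
import re
from dataclasses import dataclass

ACME_PREFIX = "/.well-known/acme-challenge/"
# HTTP-01 tokens are base64url characters without padding (RFC 8555, section 8.3).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed stand-in for the challenges the edge is currently serving:
# (hostname, token) -> key authorization string returned to the CA.
PENDING = {("example.com", "tok123"): "tok123.THUMBPRINT"}


@dataclass
class Request:
    host: str
    path: str


def waf_blocks(req: Request) -> bool:
    """Stand-in for the customer's WAF rules: here, a single traversal rule."""
    return ".." in req.path


def _token(req: Request):
    """Return the token part of an ACME challenge path, or None otherwise."""
    if req.path.startswith(ACME_PREFIX):
        return req.path[len(ACME_PREFIX):]
    return None


def route_before_fix(req: Request) -> str:
    """Pre-fix behaviour as the disclosure describes it: every request under the
    ACME prefix skips the WAF, even when the edge is not serving that token."""
    token = _token(req)
    if token is not None:
        if (req.host, token) in PENDING:
            return "edge"              # challenge answered by the edge itself
        return "origin-unchecked"      # the bypass: forwarded with the WAF off
    return "blocked" if waf_blocks(req) else "origin"


def route_after_fix(req: Request) -> str:
    """Post-fix behaviour: protections are skipped only for a well-formed token
    that the edge itself is serving for this exact hostname; all else is WAF'd."""
    token = _token(req)
    if token is not None and TOKEN_RE.match(token) and (req.host, token) in PENDING:
        return "edge"
    return "blocked" if waf_blocks(req) else "origin"
```

Note that the host binding matters as much as the token check: the same token requested under a different hostname no longer earns a WAF exemption after the fix.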
The researchers highlighted an unsettling trend: AI-powered attack tools could rapidly enumerate and exploit such bypasses at scale. "As origins become directly addressable, the race between AI attackers and defenders intensifies," they warned.
For organizations running applications behind Cloudflare, the incident underscores a critical principle: never assume perimeter defenses are absolute.
Security researchers recommend implementing defense-in-depth strategies, including origin-level authentication, strict input validation, and regular security audits of exposed endpoints—even maintenance paths that seem benign.
The quiet path meant for certificate robots turned out to be anything but routine.