A critical zero-day vulnerability in Cloudflare’s Web Application Firewall (WAF) allowed attackers to bypass security controls and directly access protected origin servers through a certificate validation path.
Security researchers from FearsOff discovered that requests targeting the /.well-known/acme-challenge/ directory could reach origins even when customer-configured WAF rules explicitly blocked all other traffic.
The Automatic Certificate Management Environment (ACME) protocol automates SSL/TLS certificate issuance; before a certificate is issued, the Certificate Authority (CA) must verify that the requester controls the domain.
In the HTTP-01 validation method, CAs expect websites to serve a one-time token at /.well-known/acme-challenge/{token}. This path exists on nearly every modern website as a silent maintenance route for automated certificate issuance.
By design, this route is meant to be reached only by a validation bot fetching one specific file, not to serve as an open gateway to the origin server.
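Because a genuine HTTP-01 check is a single GET for one base64url token (RFC 8555), anything else arriving under that prefix is worth flagging at the origin or in its access logs. The following is an added example, not code from the article, FearsOff or Cloudflare; the log lines are constructed and the combined-log regex and the `abuse`/`challenge`/`other` labels are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 8555 HTTP-01 tokens are base64url strings carrying at least 128 bits of
# entropy, so a genuine challenge path is the prefix plus exactly one such segment.
ACME_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,128}")
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_acme_request(method: str, raw_target: str) -> str:
    """Return 'challenge', 'abuse' or 'other' for one request-line target."""
    parts = urlsplit(raw_target)
    path = unquote(parts.path)  # judge %2e%2e the same as a literal '..'
    if not path.startswith(ACME_PREFIX):
        # Prefix hidden by case or nesting still deserves a look; else normal traffic.
        return "abuse" if "acme-challenge" in path.lower() else "other"
    token = path[len(ACME_PREFIX):]
    # A validator sends a bare GET for one token: no body, no query, no sub-paths.
    if method != "GET" or parts.query or not TOKEN_RE.fullmatch(token):
        return "abuse"
    return "challenge"

def audit_log(lines):
    """Tally each class over access-log lines; return (counts, flagged lines)."""
    counts = {"challenge": 0, "abuse": 0, "other": 0}
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        kind = classify_acme_request(m["method"], m["target"])
        counts[kind] += 1
        if kind == "abuse":
            flagged.append(line)
    return counts, flagged

# Constructed sample log lines in combined format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:00:00:01 +0000] "GET /.well-known/acme-challenge/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789-_abcdE HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jan/2024:00:00:02 +0000] "GET /.well-known/acme-challenge/../admin/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:00:00:03 +0000] "POST /.well-known/acme-challenge/x HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2024:00:00:04 +0000] "GET /.well-known/acme-challenge/tok?q=1 HTTP/1.1" 200 12',
    '198.51.100.2 - - [01/Jan/2024:00:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    totals, hits = audit_log(SAMPLE_LOG)
    print(totals, *hits, sep="\n")
```

The same `classify_acme_request` check can gate the origin's own handler so that only a well-formed token request is ever answered from the challenge directory, regardless of what an upstream WAF lets through.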
