Cloudflare has resolved a significant security vulnerability in its Automatic Certificate Management Environment (ACME) validation logic. The flaw, reported in October 2025, could have allowed requests to reach customers' origin servers while bypassing Web Application Firewall (WAF) rules that should have inspected them. Cloudflare stated it has found no evidence of malicious exploitation.
Cloudflare Addresses ACME Validation Logic Vulnerability
The vulnerability stemmed from how Cloudflare's edge network processed requests for the ACME HTTP-01 challenge path, specifically any URL under the /.well-known/acme-challenge/ prefix. ACME is the protocol behind automated issuance, renewal, and revocation of TLS certificates, and this path is where the HTTP-01 variant of its domain-control check takes place.
ACME, standardized in RFC 8555, relies on proof of control over a domain. Typically an ACME client, such as Certbot, completes either an HTTP-01 or a DNS-01 challenge. In HTTP-01 the client serves a "key authorization" at a URL derived from a challenge token: the token, a dot, and a thumbprint of the ACME account key. The Certificate Authority (CA) then fetches that URL over plain HTTP and checks that the body matches what it expects, which proves that whoever requested the certificate also controls the web server answering for that name.
When a certificate order is managed by Cloudflare, its edge answers these challenge requests itself. If the request matches an active challenge in Cloudflare's system, the edge serves the expected key authorization. If the request does not correspond to a Cloudflare-managed order, the traffic is intended to be routed to the customer's origin server so the customer's own ACME client can answer it.
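The HTTP-01 exchange described above, as an added worked example; this is not code from Cloudflare, Certbot or any CA. The account key is a constructed public JWK (only the public members enter the thumbprint) and the token is a constructed sample value. The thumbprint follows RFC 7638: required public members only, sorted, no whitespace, SHA-256, base64url without padding.

```python
"""HTTP-01 key authorization (RFC 8555 §8.3) and the CA-side check.

Added example, not Cloudflare's or any ACME client's code. ACCOUNT_JWK and
TOKEN are constructed sample values.
"""
import base64
import hashlib
import json
import re

# RFC 8555 §8.3: tokens use only the base64url alphabet, so a token can never
# contain "/" or "." and can never escape the challenge directory.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# RFC 7638 §3.2: the thumbprint hashes a JSON object containing only the
# required public members of the key, in lexicographic order, no whitespace.
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without '=' padding (RFC 4648 §5), as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint. Extra members such as alg/use/kid are ignored."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))."""
    if not _TOKEN_RE.match(token):
        raise ValueError("token must consist of base64url characters only")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """The URL the CA fetches; HTTP-01 is always started over port 80 / http."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def ca_verify(served_body: bytes, token: str, account_jwk: dict) -> bool:
    """The CA's check on the fetched body: RFC 8555 §8.3 tolerates trailing
    whitespace, everything else must match the key authorization exactly."""
    expected = key_authorization(token, account_jwk)
    body = served_body.rstrip(b"\r\n\t ").decode("ascii", "replace")
    return body == expected


# Constructed sample account key: public members only, "n" is placeholder
# base64url text rather than a real modulus. Constructed 43-character token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sampleModulus" + "A" * 330,
               "alg": "RS256", "use": "sig"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> dict:
    """Client serves the key authorization; the CA fetches and verifies it."""
    served = key_authorization(TOKEN, ACCOUNT_JWK).encode("ascii") + b"\n"
    return {
        "url": challenge_url("example.com", TOKEN),
        "ok": ca_verify(served, TOKEN, ACCOUNT_JWK),
        "wrong_token": ca_verify(served, "AAAA", ACCOUNT_JWK),
        "other_account": ca_verify(served, TOKEN, {**ACCOUNT_JWK, "n": "B" * 343}),
    }


if __name__ == "__main__":
    print(demo())
```

The second half of the key authorization is what ties the challenge to a specific ACME account: a token alone proves nothing, since anyone who sees the URL can read it, but only the holder of the account key that started the order knows which thumbprint the CA expects.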
Flaw in WAF Logic Enabled Bypass
The core of the ACME validation logic vulnerability lay in a flawed implementation that disabled Web Application Firewall (WAF) rules for challenge requests it should not have trusted. According to Cloudflare engineers Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo, the system failed to verify that the token presented in an incoming request corresponded to an active challenge for that specific hostname.
As a result, a request to the ACME challenge path carrying a token that did not belong to a challenge for the requested hostname could still circumvent WAF protections entirely, giving attackers a path to the origin server. Cloudflare explained that WAF features are normally skipped for ACME challenge responses so that they do not interfere with the CA's validation, which is essential for automated certificate orders and renewals.
However, when the token in the request belonged to a challenge for a different zone, rather than to a challenge Cloudflare was managing for the requested hostname, the flawed logic let the request proceed to the customer's origin without WAF inspection. This potentially exposed sensitive information on the origin or enabled other malicious actions against it.
Kirill Firsov, founder and CEO of FearsOff, the security firm that discovered and reported the vulnerability in October 2025, highlighted its potential impact. He noted that a malicious actor could exploit this flaw to obtain a deterministic, long-lived token and subsequently gain access to sensitive files on the origin server across various Cloudflare-hosted domains, facilitating wide-ranging reconnaissance.
Cloudflare addressed the vulnerability on October 27, 2025, with a code update. The fix ensures that WAF features are only disabled when a request precisely matches a valid ACME HTTP-01 challenge token for that specific hostname, thereby reinforcing security for all origin servers protected by their infrastructure.
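To make the difference between the flawed and the corrected check concrete, the following is an added model of the edge routing decision described above. It is an illustration written for this page, not Cloudflare's code: the class names, the `Challenge` lookup structure and the hostnames are assumptions, and the three outcomes simply name the behaviours the article describes (answered at the edge, forwarded under the WAF, forwarded with the WAF skipped).

```python
"""Model of edge handling for /.well-known/acme-challenge/ requests, showing
the flawed check (token valid for *any* zone) beside the fixed one (token must
match an active challenge for *this* hostname).

Added illustration, not Cloudflare's code. Names and hostnames are assumed.
"""
import re
from dataclasses import dataclass
from enum import Enum

_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # RFC 8555 §8.3 token alphabet


class Outcome(Enum):
    SERVE_AT_EDGE = "edge answers the challenge itself"
    FORWARD_WITH_WAF = "forward to origin, WAF rules applied"
    FORWARD_WAF_BYPASSED = "forward to origin, WAF rules skipped"


@dataclass(frozen=True)
class Challenge:
    hostname: str
    token: str


def extract_token(path: str):
    """Token from a challenge path, or None if the path is not a well-formed
    challenge request (wrong prefix, nested segments, non-base64url chars)."""
    if not path.startswith(_CHALLENGE_PREFIX):
        return None
    token = path[len(_CHALLENGE_PREFIX):]
    return token if _TOKEN_RE.match(token) else None


class EdgeVulnerable:
    """Flawed check: besides the per-hostname lookup it keeps a flat set of
    every active token and skips the WAF whenever the token is in that set,
    regardless of which zone the token belongs to."""

    def __init__(self, active: set):
        self.active = active
        self.any_token = {c.token for c in active}

    def route(self, hostname: str, path: str) -> Outcome:
        token = extract_token(path)
        if token is None:
            return Outcome.FORWARD_WITH_WAF
        if Challenge(hostname, token) in self.active:
            return Outcome.SERVE_AT_EDGE
        if token in self.any_token:          # the flaw: hostname not checked
            return Outcome.FORWARD_WAF_BYPASSED
        return Outcome.FORWARD_WITH_WAF


class EdgeFixed(EdgeVulnerable):
    """Corrected check: only an exact (hostname, token) match is special, and
    the edge answers it itself; everything else reaches origin under the WAF."""

    def route(self, hostname: str, path: str) -> Outcome:
        token = extract_token(path)
        if token is not None and Challenge(hostname, token) in self.active:
            return Outcome.SERVE_AT_EDGE
        return Outcome.FORWARD_WITH_WAF


# Constructed scenario: the attacker controls attacker.example, a zone with its
# own Cloudflare-managed order and therefore a valid token, and targets
# victim.example. Both tokens are made-up base64url strings.
ATTACKER_TOKEN = "attackerTokenZ9y8X7w6V5u4T3s2R1q0P9o8N7m6L5"
ACTIVE = {
    Challenge("victim.example", "victimTokenA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"),
    Challenge("attacker.example", ATTACKER_TOKEN),
}


def scenario(edge_cls) -> dict:
    """Run the same four requests through a vulnerable or a fixed edge."""
    edge = edge_cls(ACTIVE)
    atk = _CHALLENGE_PREFIX + ATTACKER_TOKEN
    return {
        "own_zone": edge.route("attacker.example", atk),
        "cross_zone_token": edge.route("victim.example", atk),
        "unknown_token": edge.route("victim.example", _CHALLENGE_PREFIX + "nope"),
        "traversal": edge.route("victim.example", _CHALLENGE_PREFIX + "../../admin"),
    }


if __name__ == "__main__":
    for cls in (EdgeVulnerable, EdgeFixed):
        print(cls.__name__, {k: v.name for k, v in scenario(cls).items()})
```

The `cross_zone_token` case is the bug: the attacker's own, legitimately issued token opens a WAF-free path to a hostname it has nothing to do with. Keying the lookup on the pair (hostname, token) rather than on the token alone removes that path, and the same `extract_token` check is what an origin should apply before serving anything under the challenge prefix.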
For customers the lesson is that an edge WAF is one layer of defence, not the only one. Because the bypassed requests still arrived from Cloudflare's network, origin-side controls such as IP allowlisting would not have stopped them; what helps is an origin that enforces its own authorization on sensitive paths, serves nothing under /.well-known/acme-challenge/ except the tokens its own ACME client is currently expecting, and does not depend on the WAF to hide files that should not be reachable at all. Teams may also wish to review origin logs for challenge-path requests carrying unknown tokens in the window before the October 27, 2025 fix.