A critical vulnerability in Cloudflare’s Web Application Firewall (WAF) let attackers reach otherwise protected origin servers. Researchers at FearsOff discovered that requests sent through the /.well-known/acme-challenge/ path were passed along without WAF inspection.
Fortunately, Cloudflare fixed the issue months ago. The vulnerability abused Cloudflare’s handling of the ACME (Automatic Certificate Management Environment) protocol, which automates the validation needed to issue SSL/TLS certificates. Certificate Authorities verify who controls a site by having it serve a one-time token at the path /.well-known/acme-challenge/{token}.
Web administrators rely on this path for automated certificate issuance. It is one of the advantages of using Cloudflare, since it removes the need for manual certificate renewals.
Cloudflare disabled WAF functions for this specific path so that certificates could be issued without friction. But a critical error occurred: if the requested token did not match a Cloudflare certificate order, the request still bypassed WAF evaluation and went directly to the customer’s origin server. This exposed Cloudflare-protected hosts on a large scale.
Attack paths against frameworks
Several of the researchers’ proof-of-concept exploits showed why the bug was so attractive to attackers. Everything from database credentials to API and cloud tokens could be retrieved thanks to the vulnerability.
PHP applications with local file inclusion vulnerabilities, which the WAF would normally have shielded, became exploitable, allowing attackers to read the file system via malicious path parameters. FearsOff set up demonstration hosts such as cf-php.fearsoff.org to show that normal requests received block pages, while the same requests sent via the ACME path returned responses from the origin server.
Quick response and permanent fix
FearsOff reported the vulnerability on October 9 via Cloudflare’s HackerOne bug bounty program. Cloudflare began validation on October 13, and HackerOne triaged the issue on October 14. The company implemented a permanent fix on October 27 by changing the logic: security features are now disabled only when a request matches a valid ACME HTTP-01 challenge token for that specific hostname.
Post-mortem tests confirm that WAF rules now apply uniformly to all paths, including the previously vulnerable ACME challenge path. Cloudflare states that no action is required from customers and confirms that no evidence of actual exploitation “in the wild” has been found.
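The flawed and the corrected exemption rule, side by side, as an added example written for this article (it is not FearsOff’s or Cloudflare’s code, and the hostnames, tokens and log lines are constructed). It assumes the certificate-order state is available as a hostname-to-token map, and uses the RFC 8555 rule that HTTP-01 tokens contain only base64url characters to reject anything that cannot be a token.

```python
import re

# Added example, not code from the original article or from Cloudflare.
ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: HTTP-01 tokens use only the base64url alphabet.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

def bypass_waf_vulnerable(path: str) -> bool:
    """Flawed rule as described in the article: every request under the
    ACME path skips WAF evaluation, whatever follows the prefix."""
    return path.startswith(ACME_PREFIX)

def bypass_waf_fixed(host: str, path: str, pending: dict) -> bool:
    """Corrected rule: skip the WAF only when the token is well formed and
    is an outstanding HTTP-01 challenge token for this exact hostname.
    `pending` maps hostname -> set of tokens (constructed stand-in for the
    certificate-order state)."""
    if not path.startswith(ACME_PREFIX):
        return False
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return False  # query strings, extra path segments etc. are never tokens
    return token in pending.get(host.lower(), set())

# Constructed access-log entries (host, request target) for illustration.
SAMPLE_LOG = [
    ("shop.example", "/.well-known/acme-challenge/abc123_xyz-TOKEN"),
    ("shop.example", "/.well-known/acme-challenge/notissued"),
    ("shop.example", "/.well-known/acme-challenge/tok?page=about"),
    ("shop.example", "/index.php?page=home"),
]

def flag_suspicious(log, pending):
    """Detection: ACME-path requests the fixed rule would NOT exempt.
    Under the flawed rule each of these reached the origin uninspected."""
    return [(h, p) for h, p in log
            if bypass_waf_vulnerable(p) and not bypass_waf_fixed(h, p, pending)]

if __name__ == "__main__":
    orders = {"shop.example": {"abc123_xyz-TOKEN"}}
    for entry in flag_suspicious(SAMPLE_LOG, orders):
        print("uninspected under old rule:", entry)
```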