Security researchers uncovered a critical zero-day flaw in Cloudflare’s Web Application Firewall that allowed attackers to bypass security controls and directly reach protected origin servers. The issue exploited a special certificate validation path used by the ACME protocol, which automates SSL/TLS certificate issuance.
The vulnerability centered on requests sent to the /.well-known/acme-challenge/ directory. This path is normally reserved for HTTP-01 domain validation, where certificate authorities check for a specific token to confirm domain ownership. While intended to serve only a single validation file to trusted certificate bots, the path was mistakenly treated as a broad exception within Cloudflare’s edge network.
Researchers found that any request sent to the ACME challenge path bypassed all WAF inspection if the token did not match an active Cloudflare-managed certificate order. Instead of being blocked, these requests were forwarded directly to the origin server, exposing applications that were otherwise inaccessible from the public internet.
Testing across multiple frameworks confirmed the impact. Spring and Tomcat applications were vulnerable to servlet path traversal attacks that exposed sensitive actuator endpoints. Next.js server-side rendering applications leaked internal operational data through direct origin responses. PHP applications with local file inclusion flaws became exploitable, allowing attackers to access arbitrary files. Additionally, account-level WAF rules relying on custom headers were completely ignored for ACME path traffic.
The flaw was reported responsibly, validated by Cloudflare, and permanently fixed by tightening the logic to disable WAF features only for valid, hostname-specific ACME challenge tokens. Post-fix testing confirmed that WAF rules now apply consistently across all request paths.
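To make the difference between the flawed and the corrected exception concrete, the following is an added model of the edge decision, written for this write-up and not Cloudflare's code. The hostnames, tokens, the active-challenge table and the header-based rule are all constructed; the model also covers the check that countermeasure 1 below asks for (exempt a request only when it carries a known, active token for that hostname).

```python
import posixpath
import re
from urllib.parse import unquote

# Added example modelling the edge decision described in the write-up; it is not
# Cloudflare's code. Hostnames, tokens and rules below are constructed.

ACME_PREFIX = "/.well-known/acme-challenge/"

# RFC 8555 HTTP-01 tokens use only the base64url alphabet. Slashes, dots and
# percent-escapes are therefore never part of a token and must not be exempted.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

# Constructed table of in-flight challenges: hostname -> tokens currently active.
ACTIVE_CHALLENGES = {
    "shop.example.com": {"n3Ux1Q0constructedToken00000000"},
}


def header_rule_allows(path: str, headers: dict) -> bool:
    """Constructed account-level rule: anything that resolves to /internal/ must
    carry a secret header. The path is normalised first, as an origin would
    resolve it, so traversal sequences cannot hide the target."""
    resolved = posixpath.normpath(path)
    if resolved.startswith("/internal/"):
        return headers.get("X-Internal-Token") == "constructed-secret"
    return True


def acme_token(path: str):
    """Return the decoded token if `path` is exactly <prefix><token>, else None."""
    if not path.startswith(ACME_PREFIX):
        return None
    token = unquote(path[len(ACME_PREFIX):])
    return token if TOKEN_RE.fullmatch(token) else None


def bypass_waf_flawed(host: str, path: str) -> bool:
    """Pre-fix behaviour as the write-up describes it: any path under the ACME
    prefix skips WAF inspection, whether or not a challenge is active."""
    return path.startswith(ACME_PREFIX)


def bypass_waf_fixed(host: str, path: str) -> bool:
    """Post-fix behaviour: exempt only a well-formed token that is currently
    active for this exact hostname."""
    token = acme_token(path)
    return token is not None and token in ACTIVE_CHALLENGES.get(host, set())


def edge_decision(host: str, path: str, headers: dict, bypass=bypass_waf_fixed) -> str:
    """Return "forward" if the request reaches the origin, "block" otherwise."""
    if bypass(host, path):
        return "forward"  # genuine challenge traffic is exempt from inspection
    return "forward" if header_rule_allows(path, headers) else "block"


if __name__ == "__main__":
    traversal = "/.well-known/acme-challenge/../../internal/status"
    for name, fn in (("flawed", bypass_waf_flawed), ("fixed", bypass_waf_fixed)):
        print(name, edge_decision("shop.example.com", traversal, {}, bypass=fn))
```

With the flawed predicate the traversal request is forwarded without the header rule ever running, which is the behaviour the write-up reports; with the fixed predicate the same request falls through to normal inspection and is blocked, while the active token for `shop.example.com` is still exempted and the same token presented for another hostname is not.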
Severity:
Medium
Attack Surface:
Cloud Service, Infrastructure, Web Application
Tactics:
Defense Evasion, Discovery, Execution, Initial Access
Techniques:
T1190 Exploit Public-Facing Application
T1562 Impair Defenses
T1046 Network Service Discovery
T1083 File and Directory Discovery
References:
1. https://fearsoff.org/research/cloudflare-acme
SuperPRO’s Threat Countermeasures Procedures:
1. Enforce Strict Path Validation: Ensure that any security bypass for administrative or maintenance paths is only granted if the request matches a known, active, and cryptographically signed token.
2. Implement Origin Access Control Lists: Configure origin servers to only accept traffic from specific, verified IP ranges belonging to the WAF provider to prevent direct internet exposure.
3. Monitor Anomalous ACME Traffic: Set up alerts for high volumes of 404 errors or unusual URL patterns targeting the /.well-known/acme-challenge/ directory.
4. Sanitize Inputs at the Application Level: Maintain robust internal security practices like input sanitization to prevent path traversal even if the outer firewall layer is compromised.
5. Adopt a Zero Trust Architecture: Do not rely solely on edge protection. Ensure that sensitive internal endpoints like Spring Actuators or administrative panels require secondary authentication.
6. Regularly Audit Exception Logic: Periodically review “allow-list” rules and automated bypasses within infrastructure code to ensure they do not inadvertently create broad security gaps.
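The monitoring step (countermeasure 3) can be checked against origin access logs. The following is an added example of such a review, not part of the original write-up or of any vendor tooling: it parses common-log-format lines, counts per client the requests under the ACME challenge directory, the 404s among them and the requests whose suffix is not a well-formed HTTP-01 token, and returns the clients that cross a threshold. The log lines are constructed, and the first column is assumed to be the real client address (for example restored from the proxy's client-IP header); the threshold is a placeholder to tune.

```python
import re
from collections import defaultdict

# Added example for reviewing ACME-path traffic in origin logs. Log lines are
# constructed; the first column is assumed to hold the real client IP.

ACME_PREFIX = "/.well-known/acme-challenge/"
# A genuine HTTP-01 token is a single base64url segment (RFC 8555).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one CA validation (200s), then one client probing the
# directory with unknown tokens and a traversal sequence, then unrelated traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /.well-known/acme-challenge/n3Ux1Q0constructedToken00000000 HTTP/1.1" 200 87
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "GET /.well-known/acme-challenge/n3Ux1Q0constructedToken00000000 HTTP/1.1" 200 87
198.51.100.7 - - [10/Mar/2025:12:01:10 +0000] "GET /.well-known/acme-challenge/probe1 HTTP/1.1" 404 153
198.51.100.7 - - [10/Mar/2025:12:01:11 +0000] "GET /.well-known/acme-challenge/probe2 HTTP/1.1" 404 153
198.51.100.7 - - [10/Mar/2025:12:01:12 +0000] "GET /.well-known/acme-challenge/probe3 HTTP/1.1" 404 153
198.51.100.7 - - [10/Mar/2025:12:01:13 +0000] "GET /.well-known/acme-challenge/../../internal/status HTTP/1.1" 200 412
192.0.2.44 - - [10/Mar/2025:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_acme_traffic(log_text: str, not_found_threshold: int = 3) -> dict:
    """Per client IP, count ACME-path requests, the 404s among them and the
    requests whose suffix is not a well-formed token. Return only the clients
    worth alerting on, with the counts that triggered the alert."""
    stats = defaultdict(lambda: {"acme_requests": 0, "not_found": 0, "malformed": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ACME_PREFIX):
            continue
        s = stats[rec["ip"]]
        s["acme_requests"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
        # Anything after the prefix that is not one token segment (slashes,
        # dots, percent-escapes) is a malformed probe, not a CA validation.
        if not TOKEN_RE.fullmatch(rec["path"][len(ACME_PREFIX):]):
            s["malformed"] += 1
    return {
        ip: s
        for ip, s in stats.items()
        if s["not_found"] >= not_found_threshold or s["malformed"] > 0
    }


if __name__ == "__main__":
    for ip, counts in review_acme_traffic(SAMPLE_LOG).items():
        print(ip, counts)
```

A malformed suffix is reported regardless of the 404 count, because a single non-token request under this directory has no legitimate source; the 404 threshold is what catches enumeration of unknown tokens, and it should be set against the normal rate of CA validations for the zone.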
Contributed by: Fatini