Security Experts Warn: Cloudflare Zero-Day Breaks Host Access Controls

Author: Ufaq Ahmed Ansari


A critical zero-day vulnerability was found in Cloudflare’s Web Application Firewall (WAF) that allowed attackers to sneak past security protections and directly reach protected origin servers.

Security researchers at FearsOff discovered that requests sent to a specific system path were able to reach the origin server even when all other traffic was blocked by WAF rules.

This happens because of how the ACME protocol works. ACME is used to automatically issue and renew SSL/TLS certificates. To confirm that a website owns a domain, Certificate Authorities (CAs) check for a temporary file placed at a fixed location on the website.
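As an added illustration (not code from this article, FearsOff or Cloudflare), here is an origin-side log review for the ACME HTTP-01 challenge location, which RFC 8555 fixes at `/.well-known/acme-challenge/<token>`. It flags requests under that prefix that are not token-shaped or do not match a challenge the site currently has pending; the log format, sample lines, sample token and upper token-length bound are constructed assumptions.

```python
import re

ACME_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 location (RFC 8555)
# Tokens use the base64url alphabet and carry >= 128 bits of entropy (>= 22 chars).
# The upper bound of 128 characters is an assumption for this example.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,128}")
# Common Log Format: client, request line, status (assumed log layout).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(target, pending_tokens):
    """Return 'not-acme', 'serve' or 'reject:<reason>' for a request target."""
    path = target.split("?", 1)[0]
    if not path.startswith(ACME_PREFIX):
        return "not-acme"  # normal access controls apply
    token = path[len(ACME_PREFIX):]
    # No percent-decoding: a CA requests the token verbatim, so '%', '/' and '.'
    # never appear in a legitimate challenge fetch.
    if not TOKEN_RE.fullmatch(token):
        return "reject:malformed-token"
    if token not in pending_tokens:
        return "reject:no-pending-challenge"
    return "serve"


def review(log_lines, pending_tokens):
    """Return (client, target, status, verdict) for each rejected ACME-path request."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        verdict = classify(target, pending_tokens)
        if verdict.startswith("reject"):
            findings.append((client, target, status, verdict))
    return findings


# Constructed sample data (documentation IP ranges, made-up token).
PENDING = {"c0nstructedSampleToken_0123456789-ABCDEFGHIJ"}
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /.well-known/acme-challenge/c0nstructedSampleToken_0123456789-ABCDEFGHIJ HTTP/1.1" 200 87',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /.well-known/acme-challenge/internal/report HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /.well-known/acme-challenge/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 404 0',
    '203.0.113.4 - - [01/Jan/2026:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, PENDING):
        print(finding)
```

A rejected request that still returned a 2xx status from the origin is the case worth investigating first, since it means content other than a pending challenge file was served from that prefix.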
