In October 2025, a significant vulnerability was discovered in the Cloudflare Web Application Firewall (WAF) that allowed attackers to bypass its protection entirely by using the ACME certificate path. The flaw exposed every host protected behind Cloudflare's WAF and highlights the risk of relying on default or unconfigured WAF settings. Attackers used the ACME certificate path, which normally serves automated certificate management, to get around the security controls the WAF enforces.

The key lesson from this event is that simply installing a WAF is not enough: it needs careful configuration and rule tuning to be effective. To reduce such risks, security practitioners often deploy other WAFs, such as ModSecurity or AWS WAF, with custom rules tailored to their own environment and threats. This case is a reminder that robust web application security demands continuous monitoring, regular updates, and active management rather than a "set and forget" approach to WAF deployment.
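As an added, defender-side illustration (not code from the tweet, from Cloudflare, or from any WAF vendor): a small log-review check that flags requests to the ACME HTTP-01 challenge path that do not look like certificate validation, which per RFC 8555 section 8.3 is a GET for /.well-known/acme-challenge/<token> with a base64url token. The three-field log format, the 22-character token length floor and the sample lines are constructed assumptions, and the check says nothing about how the reported bypass itself worked.

```python
import posixpath
import re
from urllib.parse import unquote

# RFC 8555 section 8.3: an HTTP-01 challenge request is a GET for
# /.well-known/acme-challenge/<token>; the token is base64url (A-Z a-z 0-9 - _)
# with no padding. Legitimate validators send no query string and no body.
ACME_PREFIX = "/.well-known/acme-challenge/"
# 128 bits of entropy is 22 base64url chars; the length floor is an assumption.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# Constructed sample log lines: "<method> <path> <request-body-bytes>".
SAMPLE_LOG = """\
GET /.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA 0
GET /.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA?id=1 0
POST /.well-known/acme-challenge/abc 512
GET /.well-known/acme-challenge/../../admin 0
GET /.well-known/acme-challenge/%2e%2e/%2e%2e/admin 0
GET /index.html 0
"""


def classify(method: str, raw_path: str, body_len: int) -> str:
    """Return 'non-acme', 'acme-ok' or 'acme-suspicious' for one request."""
    path, _, query = raw_path.partition("?")
    decoded = unquote(path)  # see through percent-encoded dot segments
    if not (path.startswith(ACME_PREFIX) or decoded.startswith(ACME_PREFIX)):
        return "non-acme"
    # Resolve dot segments the way a backend would; a request whose ACME
    # prefix exists only before normalization is not a challenge fetch.
    normalized = posixpath.normpath(decoded)
    if not normalized.startswith(ACME_PREFIX):
        return "acme-suspicious"
    if method != "GET" or body_len > 0 or query:
        return "acme-suspicious"
    token = normalized[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return "acme-suspicious"
    return "acme-ok"


def scan(log_text: str) -> list[tuple[str, str]]:
    """Classify every line of the constructed log; returns (path, verdict) pairs."""
    findings = []
    for line in log_text.splitlines():
        method, path, body = line.split()
        findings.append((path, classify(method, path, int(body))))
    return findings


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:16} {path}")
```

Anything other than `acme-ok` on that path is worth a closer look in the WAF logs, since challenge validators never send bodies, query strings or dot segments.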
For more details, check out the original tweet here: https://twitter.com/warrigodson0/status/2041447252304990586