Cloudflare ACME HTTP-01 WAF bypass security flaw
Vulnerability
Summary
Cloudflare's ACME HTTP-01 validation flaw let requests to `/.well-known/acme-challenge/*` bypass WAF protections and reach origin servers. Cloudflare said it fixed the issue on October 27, 2025 after FearsOff reported it in October 2025, and it found no evidence of malicious exploitation.
Related Happenings
Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies
Campaign
First: 29.01.2026 16:55
Last: 29.01.2026 16:55
Sources 1
About this happening:
The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...
Latest development: 20.03.2026 02:49
The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.
Cloudflare BGP route leak from router policy misconfiguration disrupts IPv6 traffic
Service Disruption
First: 26.01.2026 19:50
Last: 26.01.2026 19:50
Sources 1
About this happening:
**Cloudflare** experienced a **25-minute BGP route leak** that disrupted **IPv6 traffic**, causing congestion, packet loss, and about **12 Gbps** of dropped traffic. The issue ext...
Exposed security-training web apps exploitation wave
Exploitation Wave
First: 21.01.2026 16:00
Last: 21.01.2026 16:00
Sources 1
About this happening:
**DVWA**, **OWASP Juice Shop**, **Hackazon**, and **bWAPP** instances exposed in cloud environments are being **actively exploited**, putting **Fortune 500 companies** and securit...
Publicly exposed training apps as recurring cloud-entry risk across security vendors
Target Trend
First: 21.01.2026 16:00
Last: 21.01.2026 16:00
Sources 1
About this happening:
**Cybersecurity training apps** left exposed on the public Internet are creating a recurring **cloud-entry risk** for **security vendors and enterprise users**. A scan identified...
Kimwolf botnet infects Android TV streaming boxes for DDoS and proxy abuse
Malware Activity
First: 09.01.2026 01:23
Last: 09.01.2026 01:23
Sources 1
About this happening:
**Kimwolf/Aisuru botnet** activity now spans **Android TV streaming devices** and **record-setting DDoS attacks**. Cloudflare says the latest campaign, **“The Night Before Christm...
Latest development: 20.03.2026 10:05
Authorities from the United States, Germany, and Canada disrupted Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets to infect Internet of Things (IoT) devices and launch hundreds of thousands of DDoS attacks, including attacks against IP addresses owned by the Department of Defense Information Network (DoDIN).
Timeline
20.01.2026 13:12 2 articles · 4mo ago
Cloudflare ACME HTTP-01 WAF bypass security flaw
Initial Disclosure
In **October 2025**, a flaw in **Cloudflare's ACME HTTP-01** handling was identified after requests to the challenge path were found to route in ways that could bypass **WAF** controls. The issue was then fixed on **October 27, 2025**.
- Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers — thehackernews.com — 20.01.2026 13:12