Welcome to the Kurtosys Trust Center. This site provides information to third parties who need to conduct audits on our products and services. Our commitment to information security is a fundamental part of our business and key to the delivery of our products and services. This Trust Center and its content are designed to demonstrate and support this commitment.
For those making initial evaluations there is public content which will provide an overview of our governance, information security and compliance. For those who have, or who are establishing, a contractual relationship and require more detailed information this site supports a set of private information which can be approved on request.
Security Advisory: Cloudflare ACME Path Vulnerability
We want to reassure our clients that a recently disclosed zero-day vulnerability in Cloudflare’s ACME validation logic has already been fully remediated by Cloudflare and has not and will not impact the security of our platform or our clients’ digital assets.
On 19 January 2026, Cloudflare published details of a vulnerability affecting how certain ACME HTTP-01 certificate validation requests to the following path were handled:
Under specific conditions, this behaviour could have resulted in Cloudflare Web Application Firewall (WAF) protections being bypassed during certificate validation.
Cloudflare Remediation Status
Cloudflare has fully patched the issue through a code change that ensures WAF and associated security controls remain enforced, except where explicitly required for legitimate ACME challenge responses.
- The fix has been globally deployed
- No customer action was required
- Cloudflare has confirmed there is no evidence of exploitation in the wild
Reference:
https://blog.cloudflare.com/acme-path-vulnerability/
Our Platform Architecture and Client Impact
We operate a defence-in-depth security architecture that further mitigates risks of this nature.
Our controls include:
- Origin-restricted access: Our origin systems are configured to only accept inbound traffic from dedicated, whitelisted Cloudflare IP ranges under our control.
- External traffic blocked by design: Any traffic originating from non-approved or external IP addresses is blocked at the network layer and cannot reach our application infrastructure.
Because of this architecture, and Cloudflare’s timely remediation, our clients were never exposed to risk, even under hypothetical exploitation scenarios.
Ongoing Security Assurance
We continuously monitor security advisories from Cloudflare and other critical infrastructure partners and proactively validate our controls against emerging threats. This layered security approach ensures that vulnerabilities affecting individual components do not translate into client impact.
If you have any questions regarding this advisory or our security posture, please contact our security team or refer to our Trust Center for further information.
CVE-2025-55182 (React2Shell) Remote Code Execution Vulnerability
This communication serves to confirm the status of our systems in relation to the recently disclosed vulnerability, CVE-2025-55182, often referred to as "React2Shell" (Remote Code Execution in React Server Components).
We started an immediate assessment of our application dependency manifest using our standard Software Bill of Materials (SBOM) scanning procedure. The primary goal was to check for the presence of the affected React versions and configurations outlined in the public advisory.
Our findings thus far confirm that our application is not impacted by this vulnerability. The versions of React and related libraries currently deployed in your application environment do not fall within the scope of the affected versions detailed in the advisory.
Cloudflare, our security partner and WAF provider, further confirmed that the WAF provides additional mitigation for this CVE: "Cloudflare WAF proactively protects against React vulnerability".
We will continue to monitor the situation for any subsequent updates from our security team and the framework maintainers. No action is required from your side at this time, and your service remains secure against this specific threat.
Cloudflare Global Outage (18 November 2025)
Prepared by: Sunil Odedra, CTO
1. Overview of the Incident
On 18 November 2025, Cloudflare—one of the world’s largest internet infrastructure providers—experienced a major global outage. The issue began at 11:20 UTC and affected traffic across their network until recovery was completed at 17:06 UTC.
This incident impacted a wide range of service providers globally, including major platforms such as OpenAI and X.com, as well as commercial and government services dependent on Cloudflare’s network.
Cloudflare has confirmed the incident was not caused by a cyber attack, but rather by an internal configuration error.
2. Root Cause (Cloudflare Statement)
Cloudflare’s outage originated from a failure in their Bot Management system:
- A permissions change in one of their ClickHouse database clusters resulted in duplicate entries being generated in a configuration “feature file”.
- This file doubled in size and exceeded a memory threshold within Cloudflare’s traffic-routing proxy (FL/FL2).
- The oversized configuration file propagated across Cloudflare’s network, causing core proxy failures and widespread HTTP 5xx errors.
- Traffic would intermittently recover and fail again depending on which version of the configuration file was distributed at that moment, complicating diagnosis.
- Cloudflare rolled back to a known-good configuration file and restarted key systems, restoring service.
Cloudflare categorised this as their worst outage since 2019.
3. Impact on Kurtosys
Production
- Based on telemetry and client reports, we believe disruption to production services was minimal.
- However, due to the variability of the global outage (region-by-region and minute-by-minute), we cannot yet definitively state that there was zero impact on production traffic.
- Importantly, all client-facing environments are hosted in our production Cloudflare accounts.
Non-Production
- Our non-production Cloudflare account did show elevated error rates during portions of the outage.
- Cloudflare’s post-incident write-up provides a strong indication that the FL2 proxy engine (more heavily affected during the outage) may have been deployed earlier to some accounts than others.
Based on the error patterns we observed, we believe:
- Cloudflare may have rolled out FL2 to our non-production account,
- while our production accounts remained on the older FL proxy, which degraded differently and may explain why production was less impacted.
This is not a configuration choice Kurtosys can make—Cloudflare does not offer a distinction between “production” and “non-production” accounts. Any difference in deployment path appears to be purely an artefact of Cloudflare’s internal processes.
Support Case Raised
We have raised a case with Cloudflare requesting explicit confirmation of:
- Which proxy (FL vs FL2) was deployed to each of our Cloudflare accounts
- Whether rollout sequencing explains the visibility differences between environments
Given the scale of the incident, response times may be delayed.
4. Why the Impact Varied Across the Industry
Cloudflare’s outage did not affect all customers equally. Variability was driven by:
- Which Cloudflare products each provider uses
- Which proxy engine (FL vs FL2) their account had been migrated to
- Regional traffic routing
- Timing of configuration propagation
- Whether upstream systems performed additional retries or failover
Even very large providers with highly resilient infrastructure—e.g., OpenAI—experienced outages depending on their reliance on components that failed inside Cloudflare.
This aligns with the behaviour we observed at Kurtosys.
5. Actions Taken by Kurtosys
- Continuous monitoring of platform and Cloudflare edge performance throughout the incident
- Precautionary client communication due to the global severity and potential for wider impact
- Post-incident assessment using available telemetry and Cloudflare reporting
- Formal support request to Cloudflare for clarity on proxy deployment sequencing
6. Actions Being Taken by Cloudflare
Per their report, Cloudflare is implementing:
- Hardening of internal configuration ingestion
- Additional global kill switches for feature rollouts
- Improvements to error-handling paths in their proxy engine
- Updated safeguards to prevent malformed configuration files propagating globally
These measures are intended to prevent recurrence.
7. Conclusion
The Cloudflare outage was severe and global in nature. Based on current evidence:
- Kurtosys production services remained largely stable, with only minimal disruption observed.
- The difference in impact between environments may be attributable to Cloudflare’s deployment of different proxy versions, though this is not yet confirmed.
- No client data, security controls, or platform integrity were affected.
Unless Cloudflare provides materially new information relevant to our platform, we consider the incident closed from a client communication perspective.
Internal follow-up will continue until Cloudflare confirms proxy deployment details.
Security Statement: No Impact From Oracle Exploit
We are aware of recent reports regarding a potential security breach involving Oracle Cloud infrastructure. We want to assure our clients and partners that our systems and data remain secure and unaffected by this incident.
After a thorough investigation of our infrastructure, we can confirm that we do not use Oracle Cloud in any of our hosting platforms or infrastructure. Our team has reviewed all systems and platforms to ensure they are not impacted by this exploit.
As part of our commitment to security, we continuously monitor and assess potential threats, ensuring that our environment remains protected against emerging risks. We take security seriously and implement industry best practices, including strong access controls, regular security audits, and proactive monitoring, to safeguard our systems and data.
If you are concerned about your own exposure to this exploit, we recommend visiting this site (https://exposure.cloudsek.com/oracle) to check whether your organisation is impacted.
If you have any further questions or concerns, please do not hesitate to reach out to our security team.
General News Responses
Business as Usual: CrowdStrike Falcon Outages 19th July 2024
Kurtosys Systems has not been directly impacted by the outages experienced worldwide on Windows machines due to the CrowdStrike Falcon updates. Kurtosys client hosting services in all regions are running as normal, with no service degradation. We issued a notification to all clients on Friday 19th July confirming "Business as Usual".
We have been monitoring messages and notifications from both suppliers and clients to stay ahead of any potential problems as this issue escalates and resolves itself. We do not anticipate any problems, but we continue to follow new information related to this issue so that we can prevent and protect against any further developments.




