The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-38475, a critical vulnerability affecting Apache HTTP Server, to its Known Exploited Vulnerabilities (KEV) catalog. 

This vulnerability allows attackers to map URLs to unintended filesystem locations, potentially leading to code execution or source code disclosure.

Organizations are required to implement mitigations by May 22, 2025, under CISA’s binding operational directive.

Apache mod_rewrite Vulnerability – CVE-2024-38475

CVE-2024-38475 stems from improper escaping of output in Apache HTTP Server’s mod_rewrite module affecting versions 2.4.59 and earlier. 

The vulnerability, which received a CVSS score of 9.1, allows attackers to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally accessible through any URL. This can result in arbitrary code execution or source code disclosure.

“The root cause of this vulnerability occurs during the truncation phase, due to the fact that r->filename is treated as a URL path rather than a filesystem path,” explain security researchers at watchTowr Labs, who analyzed the exploit.

The vulnerability specifically affects “substitutions in server context that use backreferences or variables as the first segment of the substitution”.

The exploitation technique leverages this filename confusion: a URL-encoded question mark (%3F) in the request can be abused to truncate the final constructed path.

When successfully exploited, attackers can access sensitive system files that would normally be protected.

Risk Factors: Details
Affected Products: Apache HTTP Server 2.4.59 and earlier
Impact: Code execution or source code disclosure via mod_rewrite
Exploit Prerequisites: No authentication required; attacker can send crafted requests over the network; requires mod_rewrite enabled
CVSS 3.1 Score: 9.1 (Critical)

Mitigations 

CISA recommends organizations take immediate action:

Upgrade to Apache HTTP Server version 2.4.60 or later, which contains the fix for this vulnerability.

Review and modify affected RewriteRules to ensure substitutions are appropriately constrained if immediate patching isn’t possible.

For SonicWall SMA users, immediately patch devices and review logs for unauthorized access.

Organizations using the affected appliances should implement micro-segmentation and zero-trust isolation to minimize potential lateral movement.

In the Apache configuration, affected rules may use the new rewrite flag “UnsafePrefixStat” to opt back into previous behavior, but only after ensuring the substitution is appropriately constrained.
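Reviewing the affected rule shape described above (a server-context RewriteRule whose substitution starts with a backreference or variable) and any rule carrying UnsafePrefixStat can be automated. The following audit script is an added example, not code from the article, Apache, or watchTowr; the sample configuration is constructed, and the assumption that rules inside Directory/Location/Files containers are out of scope follows from the advisory's "server context" wording, so flagged rules still need a human review.

```python
import re

# Constructed httpd.conf fragment for the demo (not from any real deployment).
SAMPLE_CONF = """\
RewriteEngine On
# Substitution begins with a backreference: affected pattern
RewriteRule "^/(.*)/(.*)$" "/$1/$2" [L]
# Substitution begins with a variable: affected pattern
RewriteRule "^/old/(.*)$" "%{ENV:SITE_ROOT}/$1" [L]
# Literal first segment: not flagged
RewriteRule "^/img/(.*)$" "/static/images/$1" [L]
# Opted back into pre-2.4.60 behaviour: flagged for review
RewriteRule "^/m/(.*)$" "${sitemap:$1}/index.html" [UnsafePrefixStat,L]
<Directory "/var/www">
    # Per-directory context already works on filesystem paths: skipped
    RewriteRule "^(.*)$" "$1" [L]
</Directory>
"""

CONTAINERS = r"(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)"
CONTAINER_OPEN = re.compile(r"^\s*<" + CONTAINERS + r"\b", re.I)
CONTAINER_CLOSE = re.compile(r"^\s*</" + CONTAINERS + r">", re.I)
REWRITE_RULE = re.compile(
    r'^\s*RewriteRule\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)(?:\s+\[([^\]]*)\])?', re.I)
# First segment of the substitution is a backreference ($N / %N), a server
# variable (%{...}) or a RewriteMap lookup (${...}), optionally after a "/".
UNSAFE_FIRST_SEGMENT = re.compile(r"^/?(?:\$\d|%\d|%\{|\$\{)")


def audit_rewrite_rules(conf: str) -> list[tuple[int, str, str]]:
    """Return (line_no, substitution, reason) for server-context rules to review."""
    findings: list[tuple[int, str, str]] = []
    depth = 0  # >0 while inside a per-directory style container (assumed unaffected)
    for line_no, line in enumerate(conf.splitlines(), 1):
        if CONTAINER_OPEN.match(line):
            depth += 1
            continue
        if CONTAINER_CLOSE.match(line):
            depth = max(0, depth - 1)
            continue
        match = REWRITE_RULE.match(line)
        if depth or not match:
            continue
        substitution = match.group(2).strip('"')
        flags = {f.strip().lower() for f in (match.group(3) or "").split(",")}
        if "unsafeprefixstat" in flags:
            findings.append((line_no, substitution, "UnsafePrefixStat opts back into pre-2.4.60 behaviour"))
        elif UNSAFE_FIRST_SEGMENT.match(substitution):
            findings.append((line_no, substitution, "first segment is a backreference or variable"))
    return findings
```

Run it over each httpd.conf and included file; a clean result does not replace upgrading to 2.4.60 or later.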

CISA has classified this vulnerability as affecting “a common open-source component, third-party library, or a protocol used by different products” and advises organizations to check with specific vendors for patching information. 

Organizations should prioritize this vulnerability in their remediation efforts, as active exploitation continues across multiple sectors.
