CVE-2025-59775
📋 TL;DR
This SSRF vulnerability in Apache HTTP Server on Windows allows attackers to force the server to make requests to malicious servers, potentially leaking NTLM authentication hashes. It affects Windows systems running Apache with specific configurations (AllowEncodedSlashes On and MergeSlashes Off). Attackers could capture NTLM hashes for offline cracking or relay attacks.
💻 Affected Systems
- Apache HTTP Server
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture NTLM hashes, crack them offline to obtain credentials, and gain unauthorized access to internal systems or domain resources.
Likely Case
Attackers capture NTLM hashes and use them in pass-the-hash attacks to compromise additional systems within the network.
If Mitigated
With proper network segmentation and monitoring, hash capture is detected before successful exploitation.
🎯 Exploit Status
Exploitation requires specific configuration conditions and ability to trigger SSRF requests. No public exploit code identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.66
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Restart Required: Yes
Instructions:
1. Download Apache HTTP Server 2.4.66 or later from official Apache mirrors.
2. Stop the Apache service.
3. Backup configuration files.
4. Install the new version.
5. Restore configurations.
6. Start the Apache service.
🔧 Temporary Workarounds
Change configuration settings
(Windows) Set AllowEncodedSlashes to Off or MergeSlashes to On to prevent exploitation
In httpd.conf: Set AllowEncodedSlashes Off OR MergeSlashes On
Restrict outbound connections
(Windows) Use firewall rules to limit the Apache server's ability to make outbound requests
Windows Firewall: New outbound rule blocking Apache process from connecting to untrusted networks
🧯 If You Can't Patch
- Apply configuration workarounds (set AllowEncodedSlashes Off or MergeSlashes On)
- Implement network segmentation to restrict Apache servers from making outbound requests to untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check the Apache version with 'httpd -v' and check whether the configuration contains both 'AllowEncodedSlashes On' and 'MergeSlashes Off'; the vulnerable condition requires both settings together.
Check Version:
httpd -v
Verify Fix Applied:
Verify that the Apache version is 2.4.66 or higher with the 'httpd -v' command.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Apache process
- Requests with encoded slashes in URLs
- Failed authentication attempts following suspicious outbound requests
Network Indicators:
- Apache server making unexpected outbound HTTP/S requests
- Traffic to unfamiliar external IP addresses from Apache process
SIEM Query:
source="apache_access.log" AND (url CONTAINS "%2F" OR url CONTAINS "%5C") AND dest_ip NOT IN trusted_networks
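The configuration check from "How to Verify" and the log-side condition of the SIEM query above, as an added example (not part of the advisory or of Apache's own tooling). It assumes Apache's documented defaults (AllowEncodedSlashes Off, MergeSlashes On), reads only top-level, uncommented directives, and runs over constructed httpd.conf and access-log samples embedded inline:

```python
import re

# Constructed httpd.conf fragment (sample data, not from a real server).
SAMPLE_CONF = """
# Global settings
AllowEncodedSlashes On
mergeslashes off   # directive names are case-insensitive in Apache
<Directory "/var/www">
    Require all granted
</Directory>
"""

# Constructed combined-format access log lines (sample data).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /app/path%2Fwith%2Fencoded HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /files/%5Cshare HTTP/1.1" 404 0',
]

DIRECTIVE_RE = re.compile(r"^\s*(AllowEncodedSlashes|MergeSlashes)\s+(\S+)", re.I)
# First quoted field of a log line: method, URL, protocol.
REQUEST_RE = re.compile(r'"(?:[A-Z]+)\s+(\S+)\s+HTTP/')

def config_directives(conf_text):
    """Effective (last occurrence wins) lowercased value of both directives.
    Assumed Apache defaults: AllowEncodedSlashes Off, MergeSlashes On."""
    values = {"allowencodedslashes": "off", "mergeslashes": "on"}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = DIRECTIVE_RE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(2).lower()
    return values

def is_vulnerable_config(conf_text):
    """True only when BOTH advisory conditions hold:
    AllowEncodedSlashes On and MergeSlashes Off."""
    v = config_directives(conf_text)
    return v["allowencodedslashes"] == "on" and v["mergeslashes"] == "off"

def flag_encoded_slash_requests(log_lines):
    """(client_ip, url) for requests whose URL carries an encoded slash
    (%2F) or backslash (%5C), matching the SIEM query's URL condition."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and re.search(r"%2F|%5C", m.group(1), re.I):
            hits.append((line.split()[0], m.group(1)))
    return hits

if __name__ == "__main__":
    print("vulnerable config:", is_vulnerable_config(SAMPLE_CONF))
    for ip, url in flag_encoded_slash_requests(SAMPLE_LOG):
        print("encoded-slash request from", ip, "->", url)
```

Flagged requests still need the query's outbound-destination condition (dest_ip not in trusted networks) correlated from firewall or proxy logs before they count as an indicator.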