Platform
apache
Component
httpd
Fixed in
2.4.66
2.4.67
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Apache HTTP Server on Windows. This flaw, affecting versions 2.4.0 through 2.4.66, allows attackers to potentially leak NTLM hashes to a malicious server through crafted requests or content. The vulnerability stems from the combination of 'AllowEncodedSlashes On' and 'MergeSlashes Off' configurations. Users are strongly advised to upgrade to version 2.4.66 to mitigate this risk.
The SSRF vulnerability in Apache HTTP Server allows an attacker to make requests to internal resources that are otherwise inaccessible. In this specific case, the combination of 'AllowEncodedSlashes On' and 'MergeSlashes Off' creates a scenario where NTLM hashes can be leaked. An attacker could craft a malicious request that triggers the server to send NTLM authentication credentials to a server they control. Successful exploitation could lead to credential theft, enabling further unauthorized access and potentially lateral movement within the network. The blast radius extends to any systems relying on NTLM authentication, making this a significant security concern, particularly in environments with legacy applications.
CVE-2025-59775 was publicly disclosed on December 5, 2025. The CVSS score is 7.5 (HIGH). As of this writing, there are no publicly available proof-of-concept exploits. It is not currently listed on the CISA KEV catalog. The potential for NTLM hash leakage makes this vulnerability a high priority for remediation, especially given the prevalence of NTLM authentication in many environments.
Organizations running Apache HTTP Server on Windows with versions 2.4.0 through 2.4.66, particularly those with legacy applications relying on NTLM authentication, are at significant risk. Shared hosting environments where users have limited control over server configuration are also vulnerable.
• windows / server (Get-WinEvent has no -Filter parameter; use -FilterHashtable and match the NTLM package name in the 4625 event text):
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*NTLM*' }
• apache / server (adjust the path to the conf directory of your httpd installation):
grep -rEi "^\s*(AllowEncodedSlashes\s+On|MergeSlashes\s+Off)" /etc/httpd/conf/
• generic web: Check Apache access logs for unusual outbound requests to internal IP addresses or unexpected domains.
• generic web: Review Apache configuration files for the presence of 'AllowEncodedSlashes On' and 'MergeSlashes Off'.
disclosure
Exploit Status
EPSS
0.06% (17th percentile)
CVSS vector
The primary mitigation for CVE-2025-59775 is to upgrade Apache HTTP Server to version 2.4.66 or later, which includes the fix. If an immediate upgrade is not feasible due to compatibility issues or downtime constraints, set 'AllowEncodedSlashes' to 'Off' as a temporary measure. Alternatively, ensure 'MergeSlashes' is set to 'On', which breaks the vulnerable combination. Web Application Firewalls (WAFs) can be configured to filter requests containing suspicious URL patterns that might exploit the SSRF vulnerability. Monitor Apache access and error logs for unusual outbound requests to internal or unexpected external resources. Sigma rules or YARA patterns can be developed to detect malicious request patterns associated with this SSRF vulnerability.
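The configuration review listed under detection and the workaround described here both come down to one check: does any scope end up with 'AllowEncodedSlashes' not Off while 'MergeSlashes' is Off? The following script is an added example, not code from the page or from the Apache project. It parses a constructed httpd.conf excerpt, resolves VirtualHost inheritance from the global scope, reports which scopes carry the weak combination, and rewrites the two directives to the advisory's recommended values. It assumes the httpd 2.4 compiled-in defaults (AllowEncodedSlashes Off, MergeSlashes On) and, as a conservative assumption, treats 'AllowEncodedSlashes NoDecode' as "not Off"; the host names in the sample are placeholders.

```python
"""Audit an httpd.conf for the AllowEncodedSlashes / MergeSlashes combination.

Added example; not code from the page or from the Apache project.
Assumptions: httpd 2.4 defaults (AllowEncodedSlashes Off, MergeSlashes On) and
AllowEncodedSlashes NoDecode counted as "not Off" (conservative choice).
"""
import re
from typing import Dict, List

DIRECTIVES = ("allowencodedslashes", "mergeslashes")
# httpd 2.4 compiled-in defaults (assumption, see lead-in)
DEFAULTS = {"allowencodedslashes": "off", "mergeslashes": "on"}

# Constructed sample configuration: the global scope carries the weak combination,
# the second VirtualHost overrides MergeSlashes and is therefore not affected.
VULNERABLE_CONF = """\
ServerRoot "C:/Apache24"
AllowEncodedSlashes On
MergeSlashes Off

<VirtualHost *:80>
    ServerName intranet.example.test
</VirtualHost>

<VirtualHost *:8080>
    ServerName api.example.test
    MergeSlashes On
</VirtualHost>
"""


def parse_scopes(conf_text: str) -> List[dict]:
    """Collect the two directives per scope: index 0 is the global scope,
    then one entry per <VirtualHost> (named after its ServerName when present)."""
    scopes = [{"name": "global", "settings": {}}]
    current = scopes[0]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = {"name": f"VirtualHost {m.group(1).strip()}", "settings": {}}
            scopes.append(current)
            continue
        if line.lower().startswith("</virtualhost"):
            current = scopes[0]
            continue
        m = re.match(r"ServerName\s+(\S+)", line, re.I)
        if m and current is not scopes[0]:
            current["name"] = m.group(1).lower()
            continue
        m = re.match(r"(\w+)\s+(\S+)", line)
        if m and m.group(1).lower() in DIRECTIVES:
            # Directive names are case-insensitive; the last one in a scope wins
            current["settings"][m.group(1).lower()] = m.group(2).lower()
    return scopes


def effective_settings(scopes: List[dict]) -> Dict[str, Dict[str, str]]:
    """Resolve inheritance: defaults < global scope < VirtualHost scope."""
    global_eff = {**DEFAULTS, **scopes[0]["settings"]}
    result = {"global": global_eff}
    for scope in scopes[1:]:
        result[scope["name"]] = {**global_eff, **scope["settings"]}
    return result


def is_weak_combination(settings: Dict[str, str]) -> bool:
    """The combination the advisory describes: encoded slashes accepted while
    MergeSlashes is Off. NoDecode is counted as 'not Off' (assumption)."""
    return settings["allowencodedslashes"] != "off" and settings["mergeslashes"] == "off"


def audit(conf_text: str) -> Dict[str, bool]:
    """Map each scope name to True when it ends up with the weak combination."""
    return {name: is_weak_combination(s)
            for name, s in effective_settings(parse_scopes(conf_text)).items()}


def harden(conf_text: str) -> str:
    """Apply the advisory's workaround in place: AllowEncodedSlashes Off and
    MergeSlashes On, leaving every other line untouched."""
    out = re.sub(r"^([ \t]*AllowEncodedSlashes[ \t]+)(On|NoDecode)[ \t]*$",
                 r"\1Off", conf_text, flags=re.I | re.M)
    out = re.sub(r"^([ \t]*MergeSlashes[ \t]+)Off[ \t]*$",
                 r"\1On", out, flags=re.I | re.M)
    return out


if __name__ == "__main__":
    for name, weak in audit(VULNERABLE_CONF).items():
        print(f"{name:28s} {'WEAK combination' if weak else 'ok'}")
    print("--- after harden() ---")
    for name, weak in audit(harden(VULNERABLE_CONF)).items():
        print(f"{name:28s} {'WEAK combination' if weak else 'ok'}")
```

Run it against a copy of the real httpd.conf by reading the file into `audit()`; the per-scope output matters because a VirtualHost that sets 'MergeSlashes On' is not exposed even when the global scope is, and the reverse also holds. `harden()` only touches the two directives, so its output can be diffed against the original before deployment.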
Update Apache HTTP Server to version 2.4.66 or higher. This update corrects the SSRF vulnerability that makes leaking NTLM hashes on Windows systems possible. Make sure that `AllowEncodedSlashes` is disabled or correctly configured to limit the risk.
CVE-2025-59775 is a HIGH severity Server-Side Request Forgery (SSRF) vulnerability affecting Apache HTTP Server on Windows versions 2.4.0–2.4.66, potentially allowing NTLM hash leakage.
If you are running Apache HTTP Server on Windows versions 2.4.0 through 2.4.66 with 'AllowEncodedSlashes On' and 'MergeSlashes Off', you are potentially affected.
Upgrade to Apache HTTP Server version 2.4.66 or later. Alternatively, disable 'AllowEncodedSlashes' or enable 'MergeSlashes' as a temporary workaround.
As of December 2025, there are no confirmed reports of active exploitation, but the potential for NTLM hash leakage warrants immediate attention.
Refer to the official Apache HTTP Server security advisory for CVE-2025-59775 once published on the Apache website.