A high-severity vulnerability has been identified in Apache HTTP Server on Windows, which could allow an attacker to steal sensitive authentication credentials. By sending a specially crafted request to a misconfigured server, an attacker can trick the server into connecting to a malicious system, exposing NTLM password hashes. This could lead to further network compromise and unauthorized access to internal resources.

This vulnerability is a Server-Side Request Forgery (SSRF) that exists in Apache HTTP Server running on Windows environments with two specific non-default configurations enabled: AllowEncodedSlashes On and MergeSlashes Off. An attacker can exploit this by sending a malicious request containing URL-encoded slash characters (e.g., %2F or %5C). Due to the insecure configuration, the server decodes these characters and interprets the resulting path as a UNC path, forcing the server to initiate an outbound SMB connection to a resource controlled by the attacker. When the Windows server attempts to authenticate to the attacker's malicious SMB share, it sends the NTLM hash of the service account running the Apache process, allowing the attacker to capture it.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to the compromise of the service account credentials used by the Apache HTTP Server. An attacker in possession of these NTLM hashes can attempt to crack them offline to recover the plaintext password. If successful, this could grant the attacker a foothold within the internal network, enabling lateral movement, privilege escalation, and access to sensitive data and systems, ultimately leading to a more significant security breach.

Immediate Action: Immediately apply security updates provided by the vendor to upgrade Apache HTTP Server to version 2 or a later patched release. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing server access logs and outbound network connections for suspicious activity.

Proactive Monitoring:

• Log Analysis: Review Apache access logs for requests containing unusual patterns of encoded slashes (%2F, %5C) or requests that resemble UNC paths (e.g., \\attacker.com\resource).
• Network Traffic Analysis: Monitor outbound network traffic from the affected web servers. Specifically, look for and alert on any outbound SMB connections (TCP port 445) to untrusted or external IP addresses, as this is a primary indicator of an exploitation attempt.
• Endpoint Detection: Monitor for unusual process execution or network activity originating from the Apache service account on the server.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Configuration Hardening: Revert to the default, more secure Apache settings by setting AllowEncodedSlashes Off and MergeSlashes On in the server configuration, provided this does not break application functionality.
• Egress Filtering: Implement strict firewall rules to block all outbound SMB traffic (TCP/445 and UDP/445) from the web server to the internet.
• Web Application Firewall (WAF): Deploy and configure a WAF with rules designed to detect and block malicious requests containing SSRF patterns or encoded UNC paths.

Public Exploit Available: false

Given the High severity (CVSS 7.5) of this vulnerability and its potential to expose service account credentials, it is strongly recommended that organizations prioritize patching their vulnerable Apache HTTP Server instances on Windows immediately. Although this CVE is not currently listed on the CISA KEV catalog, the risk of credential compromise warrants urgent attention. Administrators must review their server configurations to identify if the vulnerable settings are in use and apply either the recommended patches or the compensating controls without delay.