CISA reports critical Apache HTTP Server flaw actively exploited

The Cybersecurity and Infrastructure Security Agency (CISA) is reporting that a vulnerability affecting Apache HTTP Server is actively exploited. The vulnerability allows malicious actors to manipulate URL mapping to access unintended filesystem locations.

The vulnerability is tracked as CVE-2024-38475 (CVSS score 9.1) and stems from improper escaping of output in Apache HTTP Server's mod_rewrite module. The root cause of this vulnerability occurs during the truncation phase, due to the fact that r->filename is treated as a URL path rather than a filesystem path, according to security researchers at Watchtowr Labs who analyzed the exploit.

It affects Apache versions 2.4.59 and earlier. 

The vulnerability allows attackers to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally accessible through any URL, execute arbitrary code on affected systems, access and disclose sensitive source code or lateral movement across networks

CISA has mandated that organizations implement appropriate mitigations by May 22, 2025

Users are advised to upgrade to Apache HTTP Server version 2.4.60 or later, which contains the fix for this vulnerability and review and modify affected RewriteRules to ensure substitutions are appropriately constrained if immediate patching isn't possible.