The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-38472

CVE-2024-38472: Apache HTTP Server SSRF Vulnerability

CVE-2024-38472 is an SSRF vulnerability in Apache HTTP Server on Windows that allows attackers to potentially leak NTLM hashes to malicious servers. This post covers the technical details, affected versions, and mitigation.

Published: January 28, 2026

CVE-2024-38472 Overview

CVE-2024-38472 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server running on Windows systems that enables attackers to potentially leak NTLM hashes to a malicious server. This vulnerability can be exploited through crafted malicious requests or content, allowing unauthorized access to sensitive Windows authentication credentials.

Critical Impact

This SSRF vulnerability on Windows-based Apache HTTP Server installations can lead to NTLM hash leakage, potentially enabling attackers to perform relay attacks or offline password cracking against captured credentials.

Affected Products

  • Apache HTTP Server (versions prior to 2.4.60)
  • NetApp ONTAP 9

Discovery Timeline

  • 2024-07-01 - CVE-2024-38472 published to NVD
  • 2025-07-01 - Last updated in NVD database

Technical Details for CVE-2024-38472

Vulnerability Analysis

This Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affects Apache HTTP Server deployments on Windows operating systems. The vulnerability allows an attacker to force the server to make requests to arbitrary destinations, including UNC paths that trigger NTLM authentication. When the server processes malicious requests or content, it can be coerced into connecting to attacker-controlled SMB servers, inadvertently transmitting NTLM hashes.

The attack is particularly dangerous in Windows environments where NTLM authentication is commonly used. An attacker can leverage this vulnerability without requiring any authentication or user interaction, making it highly exploitable in network-accessible Apache deployments. The confidentiality impact is significant as captured NTLM hashes can be used for pass-the-hash attacks, relay attacks, or offline cracking to recover plaintext credentials.

Root Cause

The root cause of CVE-2024-38472 lies in improper validation and handling of URLs and paths within the Apache HTTP Server on Windows. The server fails to adequately restrict requests to UNC paths (e.g., \\attacker-server\share), which triggers automatic NTLM authentication by the Windows operating system. This architectural flaw allows specially crafted requests to force outbound connections that carry sensitive authentication material.

Attack Vector

The vulnerability is exploited via network-based attacks where an attacker can send malicious requests or content to the vulnerable Apache HTTP Server. The attack flow typically involves:

  1. The attacker identifies a Windows-based Apache HTTP Server that processes user-controllable URLs or content
  2. The attacker crafts a request containing a UNC path pointing to their malicious SMB server
  3. When the Apache server processes this request, Windows automatically attempts NTLM authentication with the attacker's server
  4. The attacker captures the NTLM hash, which can then be used for credential relay attacks or offline password cracking

This vulnerability allows remote exploitation without authentication. The attack does not require user interaction, making it particularly dangerous for internet-facing Apache installations on Windows.

Detection Methods for CVE-2024-38472

Indicators of Compromise

  • Outbound SMB (port 445) or NetBIOS (port 139) connections from the Apache HTTP Server to unexpected external IP addresses
  • Unusual UNC path references in Apache access logs or request parameters
  • Network traffic showing NTLM authentication attempts to non-domain or external systems
  • Apache server making unexpected outbound connections during request processing

Detection Strategies

  • Monitor network traffic for outbound SMB connections originating from web server hosts
  • Implement web application firewall (WAF) rules to detect and block UNC path patterns in requests
  • Analyze Apache access logs for suspicious URL patterns containing backslashes or UNC-style paths
  • Deploy intrusion detection signatures for SSRF attack patterns targeting Windows authentication

Monitoring Recommendations

  • Enable detailed logging on Apache HTTP Server to capture full request URLs and parameters
  • Configure network monitoring to alert on any outbound SMB traffic from web server segments
  • Implement SIEM rules to correlate Apache requests with subsequent outbound authentication attempts
  • Monitor for failed or unusual NTLM authentication events in Windows Security logs

How to Mitigate CVE-2024-38472

Immediate Actions Required

  • Upgrade Apache HTTP Server to version 2.4.60 or later immediately
  • Review and update existing configurations that access UNC paths to use the new UNCList directive
  • Block outbound SMB traffic (ports 445, 139) from web servers at the network perimeter
  • Implement network segmentation to restrict web server access to internal resources

Patch Information

Apache has released version 2.4.60 which addresses this SSRF vulnerability. Users should upgrade to this version or later to remediate CVE-2024-38472. It is important to note that existing configurations that access UNC paths will require configuration updates to use the new UNCList directive to allow legitimate access during request processing. For detailed patch information, refer to the Apache HTTP Server Vulnerabilities page. Additional vendor-specific guidance is available in the NetApp Security Advisory NTAP-20240712-0001.

Workarounds

  • Configure firewall rules to block all outbound SMB/NetBIOS traffic from Apache server hosts
  • Implement input validation to reject requests containing UNC path patterns or backslash characters
  • Deploy a reverse proxy or WAF in front of Apache to filter potentially malicious requests
  • Restrict Apache's network access using Windows Firewall or host-based security tools
bash
# Configuration example - Block outbound SMB at Windows Firewall
netsh advfirewall firewall add rule name="Block Outbound SMB" dir=out action=block protocol=tcp localport=445
netsh advfirewall firewall add rule name="Block Outbound NetBIOS" dir=out action=block protocol=tcp localport=139

# After upgrading to Apache 2.4.60+, configure UNCList for legitimate UNC access
# In httpd.conf:
# UNCList \\allowed-server\share

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeSSRF
  • Vendor/TechApache Http Server
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability90.49%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-918
  • Technical References
  • OpenWall OSS-Security Mailing List
  • NetApp Security Advisory NTAP-20240712-0001
  • Vendor Resources
  • Apache HTTP Server Vulnerabilities
  • Related CVEs
  • CVE-2021-44224: Apache HTTP Server SSRF Vulnerability
  • CVE-2023-38709: Apache HTTP Server XSS Vulnerability
  • CVE-2024-38475: Apache HTTP Server Path Traversal Flaw
  • CVE-2021-36160: Apache HTTP Server DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English