CVE-2024-43394 Overview
CVE-2024-43394 is a Server-Side Request Forgery (SSRF) vulnerability affecting Apache HTTP Server on Windows platforms. This security flaw allows attackers to potentially leak NTLM hashes to malicious servers through the mod_rewrite module or Apache expressions that pass unvalidated request input.
The vulnerability enables remote attackers to craft malicious requests that force the Apache HTTP Server to initiate outbound connections to attacker-controlled SMB servers via UNC paths. When successful, this attack can capture NTLM authentication hashes, which can then be used for offline cracking or relay attacks.
Critical Impact
Remote attackers can potentially capture NTLM authentication hashes from Windows-based Apache HTTP Server deployments, leading to credential theft and further network compromise.
Affected Products
- Apache HTTP Server versions 2.4.0 through 2.4.63
- Microsoft Windows (all versions running affected Apache HTTP Server)
- Systems utilizing mod_rewrite or Apache expressions with unvalidated user input
Discovery Timeline
- July 10, 2025 - CVE-2024-43394 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-43394
Vulnerability Analysis
This SSRF vulnerability (CWE-918) resides in how Apache HTTP Server on Windows processes certain request inputs through mod_rewrite rules or Apache expressions. The core issue stems from insufficient validation when handling user-controlled input that gets incorporated into file system or network paths.
When an attacker supplies a malicious UNC path (e.g., \\\\attacker-server\\share) as part of a request that flows through vulnerable rewrite rules or expressions, the Apache server may attempt to access the specified network resource. On Windows systems, this triggers an automatic NTLM authentication attempt to the remote server, inadvertently transmitting the server's NTLM hash to the attacker.
The Apache HTTP Server Project has noted that the server offers limited built-in protection against administrators directing the server to open UNC paths, placing significant responsibility on system administrators to implement proper network-level controls.
Root Cause
The vulnerability originates from insufficient input validation and sanitization when processing user-supplied data that gets passed to file system operations or network resource access functions. Specifically, the mod_rewrite module and Apache expressions can be configured in ways that allow unvalidated request parameters to influence path construction, enabling UNC path injection on Windows platforms.
Attack Vector
The attack is network-based and requires no authentication or user interaction, making it accessible to remote attackers. The exploitation scenario involves:
- An attacker identifies an Apache HTTP Server running on Windows with mod_rewrite rules or expressions that incorporate user input
- The attacker crafts a malicious request containing a UNC path pointing to their controlled SMB server
- The Apache server processes the request and attempts to access the UNC path
- Windows automatically sends the server's NTLM hash to the attacker's SMB server
- The attacker captures the hash for offline cracking or relay attacks
Since no verified exploit code is available, the vulnerability mechanism can be understood through the interaction between Apache's request processing and Windows' automatic NTLM authentication behavior. When Apache processes a request that results in attempting to access a UNC path like \\\\malicious-server\\share, Windows will automatically attempt NTLM authentication, transmitting credential hashes. See the Apache HTTP Server Vulnerabilities page for additional technical details.
Detection Methods for CVE-2024-43394
Indicators of Compromise
- Outbound SMB traffic (port 445) from Apache HTTP Server processes to external or unusual IP addresses
- Apache access logs containing UNC path patterns (e.g., \\\\ or encoded variants like %5c%5c)
- Unusual network connections initiated by the httpd.exe or Apache.exe process
- Failed SMB authentication events correlating with web request timestamps
Detection Strategies
- Monitor outbound SMB/CIFS traffic originating from web server hosts, particularly to external destinations
- Implement web application firewall (WAF) rules to detect and block UNC path patterns in request URLs and parameters
- Review Apache configuration files for mod_rewrite rules that pass unvalidated user input to file system operations
- Deploy network intrusion detection signatures for NTLM authentication attempts over non-standard paths
Monitoring Recommendations
- Enable and centralize Apache access and error logging with real-time analysis
- Configure Windows Security Event logging to capture outbound NTLM authentication attempts (Event ID 4648)
- Implement network flow monitoring to detect unexpected SMB connections from web server segments
- Set up alerts for any web server process initiating connections to external SMB servers
How to Mitigate CVE-2024-43394
Immediate Actions Required
- Update Apache HTTP Server to a patched version as soon as one becomes available from the vendor
- Review and audit all mod_rewrite rules and Apache expressions for unvalidated user input handling
- Implement Windows Firewall rules to block outbound SMB traffic (port 445) from web server processes
- Configure SMB client restrictions to limit which hosts the server can connect to via SMB
Patch Information
Apache has acknowledged this vulnerability and published details on their security vulnerabilities page. Administrators should monitor for updated versions beyond 2.4.63 that address this SSRF issue. Additional security discussions are available on the Openwall OSS Security mailing list. Debian users should review the Debian LTS Security Announcement for distribution-specific guidance.
Workarounds
- Restrict outbound SMB connections from the web server using Windows Firewall or network-level firewall rules
- Implement strict input validation in mod_rewrite rules to reject requests containing backslash characters or UNC path patterns
- Consider enabling Extended Protection for Authentication (EPA) to mitigate NTLM relay attacks
- Deploy network segmentation to isolate web servers from internal network resources
# Windows Firewall: Block outbound SMB from Apache process
netsh advfirewall firewall add rule name="Block Apache Outbound SMB" dir=out action=block protocol=tcp remoteport=445 program="C:\Apache24\bin\httpd.exe"
# Apache mod_rewrite: Reject requests with UNC path patterns
# Add to httpd.conf or .htaccess
RewriteCond %{REQUEST_URI} \\\\\\\\|%5c%5c [NC,OR]
RewriteCond %{QUERY_STRING} \\\\\\\\|%5c%5c [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
