CVE-2024-38475

CRITICAL KEV NUCLEI

Apache HTTP Server < 2.4.60 - Remote Code Execution via mod_rewrite Unsafe Substitution


Exploitation Summary

CVE-2024-38475 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 1, 2025. EIP tracks 6 public exploits from researchers including mrmtwoj, p0in7s, soltanali0. A Nuclei detection template is also available.

Description

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been confirmed to be appropriately constrained.

Exploits (6)

github SCANNER 123 stars
by mrmtwoj · python · infoleak
https://github.com/mrmtwoj/apache-vulnerability-testing

The repository contains a Python script that tests for multiple Apache HTTP Server vulnerabilities by sending crafted HTTP requests to detect potential misconfigurations or weaknesses. It does not include exploit code for achieving RCE or other offensive actions, but rather scans for vulnerable endpoints.

Classification: Scanner 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache HTTP Server (various versions)
No auth needed
Prerequisites: Python 3.x · Requests library · Target URL
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 16 stars
by p0in7s · infoleak
https://github.com/p0in7s/CVE-2024-38475

The repository contains a functional Python script that exploits CVE-2024-38475, an improper escaping vulnerability in Apache HTTP Server's mod_rewrite. The script scans for directories and files using crafted payloads to trigger source code disclosure or potential code execution.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apache HTTP Server 2.4.59 and earlier
No auth needed
Prerequisites: Access to the target Apache HTTP Server · Wordlists for directory and file enumeration
devstral-2 · analyzed Feb 18, 2026

nomisec SCANNER 3 stars
by soltanali0 · infoleak
https://github.com/soltanali0/CVE-2024-38475

The repository contains a Python script that scans for potential Apache mod_rewrite weaknesses by enumerating directories and files using wordlists and specific payloads. It checks for 403 responses for directories and 200 responses for files with crafted payloads, indicating potential source code disclosure vulnerabilities.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apache HTTP Server (mod_rewrite)
No auth needed
Prerequisites: Target URL or IP address · Wordlists for directories and files
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Nyakki-Labs-0x420 · infoleak
https://github.com/Nyakki-Labs-0x420/Myesve

This repository contains a functional exploit framework for CVE-2024-38475, targeting directory traversal and source disclosure vulnerabilities. It includes a directory scanner to identify 403 endpoints and an exploiter module to test for file disclosure using crafted payloads.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Unknown (CVE-2024-38475)
No auth needed
Prerequisites: Target URL · Wordlists for directories and files
devstral-2 · analyzed Jun 01, 2026

nomisec WORKING POC
by abrewer251 · infoleak
https://github.com/abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC

This repository contains a functional Python-based PoC for CVE-2024-38475, a URL traversal vulnerability in Apache servers. The script automates TLS negotiation, directory scanning, and payload fuzzing to detect unauthorized file access.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apache HTTP Server (version not specified)
No auth needed
Prerequisites: Python 3.6+ · requests library · target server with vulnerable Apache configuration
devstral-2 · analyzed Feb 18, 2026

nomisec SCANNER
by syaifulandy · poc
https://github.com/syaifulandy/CVE-2024-38475

This repository contains a bash script that scans for directories and files with 403 bypass payloads, likely targeting a directory traversal or path traversal vulnerability in CVE-2024-38475. It uses ffuf for fuzzing and does not include exploit code for achieving RCE or other offensive actions.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: unknown (likely a web server or application with directory traversal vulnerability)
No auth needed
Prerequisites: target list in targets.txt · ffuf installed · seclists wordlists
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Sonicwall - Pre-Authentication Arbitrary File Read
CRITICAL · VERIFIED · by shaikhyaser
Shodan: html:"SonicWall" html:"SMA"

Scores

CVSS v3 9.1
EPSS 0.9386
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-05-01
VulnCheck KEV 2025-04-29
ENISA EUVD EUVD-2024-37356
CWE CWE-116
Status published
Products (7)
apache/http_server 2.4.0 - 2.4.60
netapp/ontap_9
sonicwall/sma_200_firmware < 10.2.1.14-75sv
sonicwall/sma_210_firmware < 10.2.1.14-75sv
sonicwall/sma_400_firmware < 10.2.1.14-75sv
sonicwall/sma_410_firmware < 10.2.1.14-75sv
sonicwall/sma_500v_firmware < 10.2.1.14-75sv
Published Jul 01, 2024
KEV Added May 01, 2025
Tracked Since Feb 18, 2026