CVE-2024-38475

CRITICAL KEV NUCLEI

Apache HTTP Server <2.4.59 - RCE

Title source: llm

Description

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in after ensuring that the substitution is appropriately constrained.

Exploits (5)

github SCANNER 123 stars
by mrmtwoj · python · infoleak
https://github.com/mrmtwoj/apache-vulnerability-testing
nomisec WORKING POC 16 stars
by p0in7s · infoleak
https://github.com/p0in7s/CVE-2024-38475
nomisec SCANNER 3 stars
by soltanali0 · infoleak
https://github.com/soltanali0/CVE-2024-38475
nomisec WORKING POC
by abrewer251 · infoleak
https://github.com/abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC
nomisec SCANNER
by syaifulandy · poc
https://github.com/syaifulandy/CVE-2024-38475

Nuclei Templates (1)

Sonicwall - Pre-Authentication Arbitrary File Read
CRITICAL VERIFIED by shaikhyaser
Shodan: html:"SonicWall" html:"SMA"

Scores

CVSS v3 9.1
EPSS 0.9337
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitation Intel

CISA KEV 2025-05-01
VulnCheck KEV 2025-04-29
ENISA EUVD EUVD-2024-37356

Classification

CWE
CWE-116
Status published

Affected Products (7)

apache/http_server < 2.4.60
netapp/ontap_9
sonicwall/sma_200_firmware < 10.2.1.14-75sv
sonicwall/sma_210_firmware < 10.2.1.14-75sv
sonicwall/sma_400_firmware < 10.2.1.14-75sv
sonicwall/sma_410_firmware < 10.2.1.14-75sv
sonicwall/sma_500v_firmware < 10.2.1.14-75sv

Timeline

Published Jul 01, 2024
KEV Added May 01, 2025
Tracked Since Feb 18, 2026