CVERadar

CVE-2024-38475

Severity: Critical
Vendor: Netapp
SVRS: 91/100
CVSSv3: 9.1/10
EPSS: 0.92481/1

CVE-2024-38475 is a critical vulnerability in Apache HTTP Server 2.4.59 and earlier, stemming from improper output escaping in the mod_rewrite module. This flaw allows an attacker to manipulate URLs and access filesystem locations that should be restricted, potentially leading to code execution or source code disclosure. The SOCRadar Vulnerability Risk Score (SVRS) for CVE-2024-38475 is a high 91, indicating immediate action is required due to its critical severity. Exploits are actively being used "In The Wild". With active exploits available and the vulnerability listed in the CISA KEV catalog, organizations must prioritize patching to prevent unauthorized access and potential system compromise. The flaw affects rewrite rules that use backreferences or variables as the first segment of the substitution. Ignoring this vulnerability could expose sensitive information and allow attackers to gain control of the server.

Tags: In The Wild, Exploit Available, Vendor-advisory, CISA KEV

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

2024-07-01

2025-05-02

SOCRadar AI Insight

Description

CVE-2024-38475 is a vulnerability in Apache HTTP Server 2.4.59 and earlier that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL. This could lead to code execution or source code disclosure.

Key Insights

  • The SVRS for this vulnerability is 30, indicating a moderate level of severity.
  • This vulnerability is actively exploited in the wild.
  • The Cybersecurity and Infrastructure Security Agency (CISA) has warned of this vulnerability, calling for immediate and necessary measures.
  • Specific threat actors or APT groups have not been identified as actively exploiting this vulnerability.

Mitigation Strategies

  • Update to Apache HTTP Server 2.4.60 or later.
  • Disable mod_rewrite if it is not needed.
  • Use a web application firewall (WAF) to block malicious requests.
  • Implement input validation to prevent attackers from submitting malicious input.
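
As an added example (not code from SOCRadar or the Apache project), a configuration audit for the rule shape named in the description above: a RewriteRule whose substitution starts with a backreference or a variable. The sample configuration, the function names, and the check for the `UnsafePrefixStat` rewrite flag (an httpd 2.4.60+ flag that this page does not mention) are assumptions of the example; a hit means "review this rule", not "this rule is exploitable".

```python
import re
import shlex

# Substitution starts with a backreference ($N, %N) or a variable (%{VAR}).
RISKY_PREFIX = re.compile(r"^(\$\d|%\d|%\{)")

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = r"""
# fixed prefix: not the pattern described for this CVE
RewriteRule "^/docs/(.+)$" "/var/www/docs/$1" [L]
RewriteRule ^/html/(.*)$ $1.html
RewriteRule ^/u/(.+)$ \
    %{DOCUMENT_ROOT}/users/$1 [L,UnsafePrefixStat]
RewriteCond %{HTTP_HOST} ^(.+)\.example\.test$
RewriteRule ^/(.*)$ "%1/$1" [PT]
"""

def logical_lines(text):
    """Yield (first_line_number, directive), joining backslash continuations."""
    buf, start = "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        start = start if buf else num
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            yield start, buf
        buf = ""

def audit(text):
    """Return (line, substitution, opted_in) for rules that need review."""
    findings = []
    for num, line in logical_lines(text):
        try:
            args = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to whitespace split
            args = line.split()
        if len(args) < 3 or args[0].lower() != "rewriterule":
            continue
        subst, flags = args[2], "".join(args[3:]).lower()
        if RISKY_PREFIX.match(subst):
            # UnsafePrefixStat opts a rule back in to the pre-2.4.60 handling.
            findings.append((num, subst, "unsafeprefixstat" in flags))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run `audit()` over the full text of each httpd configuration file and any `.htaccess` files; rules reported with the opt-in flag set deserve the closest look, since they keep the old handling even on a patched server.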


Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Software Link | Date
mrmtwoj/apache-vulnerability-testing | https://github.com/mrmtwoj/apache-vulnerability-testing | 2024-10-05
soltanali0/CVE-2024-38475 | https://github.com/soltanali0/CVE-2024-38475 | 2024-12-12
Apache HTTP Server Improper Escaping of Output Vulnerability | https://www.cisa.gov/search?g=CVE-2024-38475 | 2025-05-01
abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC | https://github.com/abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC | 2025-05-07

News

1.850
2025-05-13 | fortiguard.com
Newly Added (75): Apache HTTP Server SessionHeader CVE-2021-26691 Buffer Overflow Vulnerability; Apache HTTP Server CVE-2022-22720 HTTP Request Smuggling Vulnerability; Apache HTTP Server mod_rewrite CVE-2024-38475 Code Injection Vulnerability

CISA flags two SonicWall flaws as actively exploited - SC Media
2025-05-06 | google.com
May 6, 2025 The U.S. Cybersecurity and Infrastructure Security Agency has added two newly exploited SonicWall vulnerabilities, CVE-2023-44221 and CVE-2024-38475, to its Known Exploited Vulnerabilities catalog, signaling heightened concern after proof-of-concept exploit code became public, SecurityWeek reports. Both flaws impact SonicWall SMA remote access devices and allow attackers to remotely inject commands and map file system paths, with one enabling admin-level access through an Apache HTTP Server flaw. Patches have been available since late 2023 and 2024, and systems running version

SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA100 (CVE-2023-44221, CVE-2024-38475) - watchTowr Labs
/u/dx7r__ | 2025-05-06 | reddit.com

5th May – Threat Intelligence Report - CPR - Check Point Research
2025-05-05 | google.com
For the latest discoveries in cyber research for the week of 5th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data. The attacks are believed linked to the Scattered Spider gang, while DragonForce ransomware gang claimed responsibility for the attacks. The American non-profit healthcare system, Ascension, experienced a data breach following a third-party hacking incident in December 2024. The attack led to

New SonicBoom Attack Allows Bypass of Authentication for Admin Access
Kaaviya | 2025-05-05 | cybersecuritynews.com
A critical new attack chain, dubbed “SonicBoom,” that enables remote attackers to bypass authentication and seize administrative control over enterprise appliances, including SonicWall Secure Mobile Access (SMA) and Commvault backup solutions. This sophisticated multi-stage exploit leverages a combination of pre-authentication vulnerabilities, arbitrary file write, and server-side request forgery (SSRF) to achieve full system compromise. The […]

Critical Vulnerabilities Actively Exploited in SonicWall SMA Appliances - cyberkendra.com
2025-05-03 | google.com
Security researchers at watchTowr have published an analysis of two vulnerabilities currently being exploited in the wild against SonicWall's Secure Mobile Access (SMA100) appliances. The vulnerabilities - CVE-2024-38475 and CVE-2023-44221 - have been added to CISA's Known Exploited Vulnerabilities list, indicating their active exploitation by threat actors. CVE-2024-38475 is a pre-authentication arbitrary file read vulnerability affecting the Apache HTTP Server's mod_rewrite module. Originally discovered by Orange Tsai and presented at BlackHat USA 2024, the vulnerability stems from what researchers call

watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices
Deeba Ahmed | 2025-05-03 | feedburner.com
watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) potentially leading to full system takeover…

Social Media

  • 🚨 SonicWall confirms two critical flaws (CVE-2023-44221 & CVE-2024-38475) in SMA100 devices are being actively exploited. Patch ASAP—unauthorized logins & session hijacking possible! #Cybersecurity #PatchNow #ZeroDay #Hacking
  • SonicWall has confirmed that two critical vulnerabilities in its SMA100 Secure Mobile Access appliances have been exploited in the wild. The flaws, tracked as CVE-2023-44221 (OS command injection, CVSS 7.2) and CVE-2024-38475 (Apache HTTP Server flaw, CVSS 9.8), https://t.co/y5Ys8Ej2Vc
  • impact SMA 100 series devices, including SMA 200, 210, 400, 410, and 500v. Both issues have been patched as of December 2023 and December 2024, respectively. SonicWall urges all users to check for unauthorized logins, especially since CVE-2024-38475 can enable session hijacking
  • 🚨 STRIKE Threat Intel Advisory – CVE-2024-38475 🚨 SecurityScorecard’s STRIKE team is tracking active exposure of CVE-2024-38475 — a high-severity vulnerability (CVSS 9.1) affecting Apache HTTP Servers. On May 1, 2025, this vulnerability was added to CISA’s list of Known https://t.co/c5bRiIZglQ
  • SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA100 (CVE-2023-44221, CVE-2024-38475) - watchTowr Labs https://t.co/MbsgybGUSk
  • The exploitation of the two security defects, tracked as CVE-2023-44221 and CVE-2024-38475, came to light last week, when SonicWall updated its advisories to flag them as targeted in attacks. https://t.co/tdmjreNSK3
  • 🚨 Urgent: CISA confirms active exploitation of critical SonicWall SMA 100 flaws (CVE-2023-44221 & CVE-2024-38475). Patch now or restrict admin access—attackers are chaining these for full system compromise. Details: https://t.co/wH4g7CaLcj
  • ⚠️ Vulnerability Update: SonicWall SMA 100 Series Vulnerabilities Exploited 🔎 CVE: CVE-2024-38475 📅 Timeline: Patch dates confirmed as December 4, 2023 for CVE-2023-44221 and December 4, 2024 for CVE-2024-38475. Active exploitation reported as of April 29, 2025 with
  • ⚠️ Vulnerability Alert: SonicBoom Attack Chain leveraging CVE-2024-38475 and CVE-2023-44221 📅 Timeline: 🆔cveId: [CVE-2024-38475, CVE-2023-44221] 📊baseScore: [9.8] 📏cvssMetrics: [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] cvssSeverity: Critical 🔴 📈 EPSS
  • ⚠️ Vulnerability Report: SonicBoom Attack Chain leveraging CVE-2024-38475 and CVE-2023-44221 🛠️ exploitMaturity: Actively Exploited 📂 affectedVersions: SonicWall Secure Mobile Access (SMA) appliances (unspecified affected versions) 🔧 fixedVersions: Latest

Affected Software

Configuration 2
Type | Vendor | Product
App | Netapp | ontap_9

References

Reference | Link
SECURITY@APACHE.ORG | https://httpd.apache.org/security/vulnerabilities_24.html
SECURITY@APACHE.ORG | https://security.netapp.com/advisory/ntap-20240712-0001/
AF854A3A-2127-422B-91AE-364DA2661108 | http://www.openwall.com/lists/oss-security/2024/07/01/8
AF854A3A-2127-422B-91AE-364DA2661108 | https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf
AF854A3A-2127-422B-91AE-364DA2661108 | https://httpd.apache.org/security/vulnerabilities_24.html
AF854A3A-2127-422B-91AE-364DA2661108 | https://security.netapp.com/advisory/ntap-20240712-0001/
AF854A3A-2127-422B-91AE-364DA2661108 | https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227

CWE Details

CWE ID | CWE Name | Description
CWE-116 | Improper Encoding or Escaping of Output | The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
