CVE Radar


CVE-2024-38475

Severity: Critical | Vendor: Apache
SVRS: 84
CVSSv3: 9.1
EPSS: 0.99957
Tags: In The Wild, Exploit Available, CISA KEV
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Publication date: 2024-07-01
Last modified: 2025-11-03


Security Intelligence Brief

1. What is this vulnerability and why does it matter?
CVE-2024-38475 is an improper escaping of output flaw (CWE-116) in the `mod_rewrite` module of the Apache HTTP Server. A crafted URL can be mapped by a `RewriteRule` to a filesystem location that the server is permitted to serve but that was never meant to be reachable by any URL. Depending on what lives at that location, the result is disclosure of source code or execution of scripts the administrator never intended to expose. The flaw is confined to substitutions in server context whose first segment is a backreference or a variable rather than a literal path prefix, so not every `mod_rewrite` deployment is exposed; where a vulnerable rule exists, however, exploitation requires neither authentication nor user interaction.
2. What are the CVSS score, severity level, and disclosure details?
The CVSSv3.1 base score is 9.1 (Critical), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: network-reachable, low attack complexity, no privileges or user interaction required, high confidentiality and integrity impact, no availability impact. The EPSS score of 0.99957 and the CISA KEV tag indicate that exploitation is not theoretical. The entry was published on July 1, 2024, at 18:15:12 UTC and last modified on November 3, 2025, at 21:55:40 UTC.
3. Which products, vendors, systems, and versions are affected?
The affected product is the Apache HTTP Server, versions 2.4.59 and earlier in the 2.4 branch; the vendor is the Apache Software Foundation. Because httpd is embedded in other products, the CPE configurations on this page also list NetApp ONTAP 9 and the SonicWall SMA 200, 210, 400, 410 and 500v firmware, each covered by its own vendor advisory in the reference list below.
4. What is the technical root cause and attack vector?
`mod_rewrite` must decide whether the result of a substitution is a URL or a filesystem path. When a rule in server context builds its substitution from a backreference (`$1`, `%1`) or a variable (`%{...}`) as the first segment, that decision is made on attacker-influenced input instead of a fixed prefix, and the rewritten value can be resolved as a filesystem path outside the tree the administrator intended. The name of the opt-in flag introduced by the fix, `UnsafePrefixStat`, reflects the behaviour that was removed: stat()-ing a client-controlled substitution prefix to see whether it is a path. The attack vector is a single unauthenticated HTTP request whose URL matches such a rule.
5. How can this vulnerability be exploited?
An attacker sends a request whose URL matches a vulnerable `RewriteRule`; because the first segment of the substitution comes from the request or from a variable, the attacker steers where the rewritten path points, and `mod_rewrite` resolves it to a filesystem location the server is allowed to serve but that no URL was meant to reach. The outcome depends on what is reachable there: reading files yields source code disclosure, reaching a script handler yields code execution. Only configurations in which server-context `RewriteRules` use a backreference or variable as the first segment of the substitution are exploitable. Public proof-of-concept repositories are listed on this page, and the news items below report in-the-wild use against SonicWall SMA 100 appliances.
6. What mitigation steps and patches are available?
Upgrade the Apache HTTP Server to 2.4.60 or later; the fix (httpd commit 9a6157d1e2f7ab15963020381054b48782bc18cf, linked in the references) stops `mod_rewrite` from treating such substitutions as filesystem paths. That is a behaviour change, so existing rules that relied on it stop working after the upgrade. Prefer rewriting those rules so the substitution starts with a literal prefix (a fixed directory or URL path) rather than a backreference or variable. Only where that is impossible, add the `UnsafePrefixStat` flag to the individual rule to opt it back into the old behaviour, and only after constraining the pattern so the substitution cannot escape the intended tree. Distributions ship the fix as a backport (Ubuntu USN-6885), and the vendors that embed httpd publish their own updates: NetApp (ntap-20240712-0001) and SonicWall (SNWLID-2024-0018). Given the reported exploitation, SonicWall SMA 100 series devices deserve the highest priority.
7. How can vulnerable systems be detected?
Check the running version with `httpd -v` (or `apache2 -v` on Debian-derived systems): upstream builds at 2.4.59 or earlier are affected. Distribution packages usually backport fixes without changing the reported version string, so on those systems compare the package version against the distribution advisory (for Ubuntu, USN-6885) rather than trusting the 2.4.x number alone. Then review the `mod_rewrite` configuration: every `RewriteRule` in server context whose substitution begins with a backreference (`$1`, `%1`) or a variable (`%{...}`) is the pattern this vulnerability depends on, and any rule already carrying `UnsafePrefixStat` should be re-examined for whether its pattern is constrained enough. For appliances such as SonicWall SMA and NetApp ONTAP, check the firmware version against the vendor advisory instead of probing the embedded httpd.
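The configuration review described in point 7 can be automated. The following script is an added example written for this page; it is not code from the Apache project or from any of the sources listed here. It assumes a constructed httpd.conf fragment (embedded below), treats the body of <Directory>, <Location> and <Files> containers as per-directory context and everything else, including <VirtualHost>, as server context, and flags a rule only when its substitution begins with `$N`, `%N` or `%{...}`. Rules that already carry `UnsafePrefixStat` are reported separately so they can be re-reviewed rather than silently accepted.

```python
"""Audit an httpd configuration for the RewriteRule shape CVE-2024-38475
concerns: server-context rules whose substitution begins with a backreference
($N / %N) or a variable (%{...}) instead of a literal prefix."""
import re
from dataclasses import dataclass

# Constructed httpd.conf fragment for this example (not a real deployment).
SAMPLE_CONF = """\
RewriteEngine On
# Unsafe: the client-controlled capture becomes the whole substitution
RewriteRule ^/old/(.*)$ $1 [L]
# Unsafe: a variable, not a literal path, is the first segment
RewriteRule ^/var/(.*)$ %{ENV:APP_ROOT}/$1 [L]
# Unsafe: a RewriteCond backreference is the first segment
RewriteCond %{HTTP_HOST} ^(.*)\\.example\\.com$
RewriteRule ^/h/(.*)$ %1/$1 [L]
# Safe: a literal prefix anchors where the substitution can point
RewriteRule ^/assets/(.*)$ /var/www/static/$1 [L]
# Legacy rule explicitly opted back into the pre-2.4.60 behaviour
RewriteRule ^/legacy/(.*)$ $1 [L,UnsafePrefixStat]
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^/vh/(.*)$ $1 [L]
</VirtualHost>
<Directory /var/www>
    RewriteEngine On
    RewriteRule ^old/(.*)$ $1 [L]
</Directory>
"""

# Containers whose body is per-directory context, which the advisory does not
# cover. <VirtualHost> is treated as server context (assumption of this example).
_PER_DIR_OPEN = re.compile(
    r"^<(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)\b", re.I)
_PER_DIR_CLOSE = re.compile(
    r"^</(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)>", re.I)
_REWRITE_RULE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
# Substitution whose first segment is $N, %N or %{VAR}
_UNSAFE_PREFIX = re.compile(r"^(\$\d|%\d|%\{)")


@dataclass
class Finding:
    line: int
    pattern: str
    substitution: str
    flags: tuple
    status: str  # "UNSAFE" or "OPTED_OUT"


def has_unsafe_prefix(substitution: str) -> bool:
    """True when the substitution starts with a backreference or variable."""
    return _UNSAFE_PREFIX.match(substitution) is not None


def audit_config(text: str) -> list:
    """Return findings for server-context RewriteRules with an unsafe prefix.

    Only the text given is examined: Include directives and .htaccess files are
    not followed, so run it over every file that makes up the configuration.
    """
    findings = []
    per_dir_depth = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _PER_DIR_OPEN.match(line):
            per_dir_depth += 1
            continue
        if _PER_DIR_CLOSE.match(line):
            per_dir_depth = max(0, per_dir_depth - 1)
            continue
        m = _REWRITE_RULE.match(line)
        if not m or per_dir_depth > 0:
            continue  # not a rule, or a per-directory rule outside the advisory's scope
        pattern, subst, flag_text = m.group(1), m.group(2), m.group(3) or ""
        if not has_unsafe_prefix(subst):
            continue
        flags = tuple(f.strip() for f in flag_text.split(",") if f.strip())
        opted_out = any(f.lower() == "unsafeprefixstat" for f in flags)
        findings.append(Finding(lineno, pattern, subst, flags,
                                "OPTED_OUT" if opted_out else "UNSAFE"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONF):
        print(f"line {f.line:3d} {f.status:9s} RewriteRule {f.pattern} "
              f"{f.substitution} [{','.join(f.flags)}]")
```

On the constructed fragment the script reports the four server-context rules whose substitution starts with `$1`, `%{ENV:APP_ROOT}` or `%1` as UNSAFE, lists the `UnsafePrefixStat` rule as OPTED_OUT, and ignores the `/var/www/static/$1` rule and the rule inside `<Directory>`. The safe and unsafe pairs in the sample are also the shape of the fix from point 6: anchor the substitution with a literal prefix, and reach for `UnsafePrefixStat` only after the pattern has been constrained. The script is a review aid, not a vulnerability scanner; the version check and distribution advisory remain the authoritative test.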
8. What public intelligence references and advisories exist?
Primary sources, all linked in the reference list below, are the Apache HTTP Server 2.4 security page (httpd.apache.org/security/vulnerabilities_24.html), the fixing commit in the httpd repository, the oss-security announcement of 2024-07-01, the NetApp advisory ntap-20240712-0001 and the SonicWall PSIRT advisory SNWLID-2024-0018. The flaw was found by Orange Tsai and presented at Black Hat USA 2024 as part of the "Confusion Attacks" research, also linked below. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, and the page lists public proof-of-concept repositories on GitHub; treat the vulnerability as publicly known and actively targeted.
9. What is the risk assessment and urgency level?
The risk is Critical: a CVSS score of 9.1, an EPSS score of 0.99957, a CISA KEV listing and published exploits. The impacts are remote code execution and source code disclosure. Google Threat Intelligence Group reporting cited below links the CVE to the UNC6148 campaign against SonicWall SMA 100 appliances (OVERSTEP backdoor), so exposed appliances and Internet-facing httpd instances with affected rewrite rules should be patched immediately. Where an upgrade cannot be applied at once, remove or rewrite the affected `RewriteRules` so that no substitution begins with a backreference or variable.
Indicators of compromise (Type / Indicator / Date)
IP         170.245.139.46    2025-02-04
IP         170.64.167.72     2023-12-26
IP         167.99.197.34     2026-06-16
IP         166.62.81.175     2026-06-06
IP         165.232.117.238   2023-06-01
HOSTNAME   xicomm.com        2025-10-22
IP         162.19.252.77     2025-11-25
Related software and advisories (Title / Link / Date)
abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC
  https://github.com/abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC (2025-05-07)
Apache HTTP Server Improper Escaping of Output Vulnerability
  https://www.cisa.gov/search?g=CVE-2024-38475 (2025-05-01)
soltanali0/CVE-2024-38475
  https://github.com/soltanali0/CVE-2024-38475 (2024-12-12)
mrmtwoj/apache-vulnerability-testing
  https://github.com/mrmtwoj/apache-vulnerability-testing (2024-10-05)
News

Hackers Launch Massive SonicWall Firewall Attack Using 4,000+ IP Addresses (GBHackers News, 2026-03-02)
Hackers are actively mapping SonicWall firewalls worldwide, launching more than 84,000 SonicOS scanning sessions from over 4,000 unique IP addresses in just four days to identify SSL VPN targets for future credential and vulnerability attacks. Three operationally distinct infrastructure clusters coordinated large-scale VPN enumeration, with 92% of all sessions hitting a single SonicOS REST API endpoint used to check whether SSL VPN is enabled. A commercial proxy network contributed 32% of total traffic by rotating 4,102 exit IPs through two tightly

CVE-2024-38475 | Apache HTTP Server up to 2.4.59 mod_rewrite access control (Nessus ID 209779 / WID-SEC-2024-1504) (vuldb.com, 2026-01-04)
A vulnerability classified as critical has been found in Apache HTTP Server up to 2.4.59. Affected by this issue is some unknown functionality of the component mod_rewrite. This manipulation causes improper access controls. This vulnerability appears as CVE-2024-38475. The attack may

Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor (Google Cloud, Mandiant / Google Threat Intelligence Group, 2025-07-16)
Written by: Josh Goddard, Zander Work, Dimiter Andonov. UPDATE (Sep 16): Clarified hunting guidance specifics surrounding ld.so.preload files. UPDATE (July 30): Added additional network IOC identified by SonicWall as being associated with OVERSTEP. Introduction: Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile

Hackers Exploit End-of-Life SonicWall Devices Using Overstep Malware and Possible Zero-Day (Dhara Shrivastava ([email protected]), blogger.com, 2025-07-22)
Cybersecurity experts from Google's Threat Intelligence Group (GTIG) have uncovered a series of attacks targeting outdated SonicWall Secure Mobile Access (SMA) devices, which are widely used to manage secure remote

USN-6885-5: Apache HTTP Server vulnerabilities (ubuntu.com, 2025-07-21)
USN-6885-1 fixed vulnerabilities in Apache. This update provides the corresponding updates for Ubuntu 14.04 LTS. Original advisory details: Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to handle unsafe substitutions. (CVE-2024-38474, CVE-2024-38475)

UNC6148 deploys Overstep malware on SonicWall devices, possibly for ransomware operations (Pierluigi Paganini, securityaffairs.co, 2025-07-17)
UNC6148 targets SonicWall devices with Overstep malware, using a backdoor and rootkit for data theft, extortion, or ransomware. Google's Threat Intelligence Group warns that a threat actor tracked as UNC6148 has been targeting SonicWall SMA appliances with new malware dubbed Overstep. Active since at least October 2024, the group uses a backdoor and user-mode rootkit […]

SonicWall customers hit by fresh, ongoing attacks targeting fully patched SMA 100 devices (Matt Kapko, cyberscoop.com, 2025-07-16)
Google Threat Intelligence Group said a financially motivated threat group is abusing the outdated remote access VPN devices, underscoring a continued pattern of threats confronting SonicWall customers. A financially motivated threat group is attacking
Social media

Defused (@DefusedCyber), 2026-04-27
⚠️ We are observing heightened activity against SonicWall SMA 100 appliances. Multiple IPs have recently hit our honeypot fleet with paired CVE-2024-38475 reads. Public PoCs demonstrate the exploit against benign paths, while these operators are reading temp.db and persist.db - https://t.co/Zd72qCaoEN

BreakGlass Intelligence (@BreakGlassIntel), 2026-04-10
https://t.co/wXnImmEbp6 runs Apache 2.4.59/66 — 34 known CVEs. CVE-2024-38475 (path traversal in mod_rewrite) is the probable initial access vector. CPUID downloads are clean now. Verified hashes in the full report.

Hunter (@HunterMapping), 2025-07-17
🚨Alert🚨 : SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware. Multiple n-day vulnerabilities (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819) could have been exploited. 📊110K Services are found on the https://t.co/ysWb28BTvF https://t.co/HvpspL2vsM

ねこさん⚡(ΦωΦ) (@catnap707), 2025-07-16
SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware https://t.co/tUw62sB67w "the hackers may have exploited CVE-2024-38475 as it provides "local administrator credentials and valid session tokens that UNC6148 could reuse.""
Affected configurations (CPE)
No.  Type  Vendor     Product
1    App   Apache     http_server
2    App   Netapp     ontap_9
3    OS    Sonicwall  sma_200_firmware
4    OS    Sonicwall  sma_210_firmware
5    OS    Sonicwall  sma_400_firmware
6    OS    Sonicwall  sma_410_firmware
7    OS    Sonicwall  sma_500v_firmware
References (Source / Link)
[email protected]
  https://httpd.apache.org/security/vulnerabilities_24.html
  https://security.netapp.com/advisory/ntap-20240712-0001/
AF854A3A-2127-422B-91AE-364DA2661108 (CISA ADP)
  http://www.openwall.com/lists/oss-security/2024/07/01/8
  https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf
  https://httpd.apache.org/security/vulnerabilities_24.html
  https://security.netapp.com/advisory/ntap-20240712-0001/
  https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
  https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227
Weakness (CWE)
CWE-116, Improper Encoding or Escaping of Output: The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
