Overview
A critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2025-59775, has been discovered in Apache HTTP Server running on Windows operating systems. The vulnerability exists only under a specific configuration, namely when AllowEncodedSlashes is set to On and MergeSlashes is set to Off. Exploitation could allow an attacker to leak NTLM hashes to an attacker-controlled server via crafted requests or malicious content.
Technical Details
The vulnerability arises due to improper handling of encoded slashes when the aforementioned configuration settings are enabled. When AllowEncodedSlashes On is configured, the server permits encoded slashes (e.g., %2f for /) within the URL path. With MergeSlashes Off, the server does not collapse multiple consecutive slashes into a single slash. A malicious request crafted using these features can potentially trick the server into making requests to internal or external resources controlled by the attacker. On Windows, this SSRF can be leveraged to trigger NTLM authentication against the attacker’s server, thus revealing the user’s NTLM hash.
CVSS Analysis
Currently, a CVSS score is not available for CVE-2025-59775. However, given the potential for NTLM hash leakage and the ease of exploitation under the specified configurations, the severity is likely to be rated as High or Critical upon further analysis.
Possible Impact
Successful exploitation of this SSRF vulnerability can have significant consequences, including:
- NTLM Hash Leakage: The primary risk is the exposure of NTLM hashes, which can be cracked offline, allowing attackers to impersonate users and gain unauthorized access to systems and resources.
- Data Exfiltration: An attacker could potentially use the server to access and exfiltrate sensitive data from internal resources.
- Internal Port Scanning: The server could be used to scan internal networks and identify vulnerable services.
- Denial of Service (DoS): In some cases, SSRF vulnerabilities can be exploited to cause denial-of-service conditions.
Mitigation and Patch Steps
The recommended course of action is to upgrade your Apache HTTP Server installation to version 2.4.66 or later. This version contains a fix for CVE-2025-59775.
If upgrading is not immediately feasible, consider the following temporary mitigations:
- Disable AllowEncodedSlashes: If possible, set AllowEncodedSlashes to Off in your Apache configuration. This will prevent the server from processing encoded slashes in URLs. Note that this may break some applications that rely on this functionality.
- Enable MergeSlashes: Setting MergeSlashes to On will collapse multiple slashes into a single slash, reducing the attack surface.
- Network Segmentation: Limit the server's access to internal resources to only what is strictly necessary.
- Monitor Network Traffic: Implement network monitoring to detect and respond to suspicious outbound requests originating from the Apache HTTP Server.
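To check whether a configuration matches the combination described above, here is an added audit script (it is not part of this advisory or of the Apache project). It assumes a single global context, takes the last occurrence of each directive as the effective value, and uses the documented defaults (AllowEncodedSlashes Off, MergeSlashes On); the sample configurations are constructed.

```python
"""Audit an httpd.conf for the CVE-2025-59775 precondition:
AllowEncodedSlashes On combined with MergeSlashes Off."""
import re

# Values httpd uses when the directive is absent (from the httpd docs):
# AllowEncodedSlashes defaults to Off, MergeSlashes (2.4.39+) defaults to On.
DEFAULTS = {"allowencodedslashes": "off", "mergeslashes": "on"}

DIRECTIVE_RE = re.compile(
    r"^\s*(AllowEncodedSlashes|MergeSlashes)\s+(\S+)", re.IGNORECASE
)


def effective_settings(conf_text: str) -> dict:
    """Return the last value set for each directive, falling back to defaults.
    Assumption: global context only; <VirtualHost>/<Directory> scoping is
    not modelled. Full-line '#' comments are ignored, as httpd ignores them."""
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).lower()
    return settings


def is_exposed(conf_text: str) -> bool:
    """True when the configuration has the exact combination the advisory names."""
    s = effective_settings(conf_text)
    return s["allowencodedslashes"] == "on" and s["mergeslashes"] == "off"


# Constructed samples: the weak combination and its hardened equivalent.
WEAK_CONF = """\
# constructed sample, not a real host
ServerName example.internal
AllowEncodedSlashes On
MergeSlashes Off
"""

HARDENED_CONF = """\
# constructed sample: Off and On are also the httpd defaults
ServerName example.internal
AllowEncodedSlashes Off
MergeSlashes On
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        verdict = "EXPOSED" if is_exposed(conf) else "ok"
        print(f"{name}: {effective_settings(conf)} -> {verdict}")
```

Run it against an exported httpd.conf (`is_exposed(open(path).read())`) as a quick pre-patch triage; the upgrade to 2.4.66 remains the actual fix.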
