CVE-2024-43394

HIGH

CVSS v3

7.5

HIGH

EPSS Score

0.1%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note:  The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC

Technical Details

CVSS v3 Vector
3.1
Published
7/10/2025
Last Modified
11/4/2025

Frequently Asked Questions

What is CVE-2024-43394?

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note:  The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC

Is CVE-2024-43394 actively exploited?

Active exploitation of CVE-2024-43394 has not been confirmed. The EPSS score is 0.1%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2024-43394?

CVE-2024-43394 has a CVSS v3 base score of 7.5 (HIGH severity), with vector string 3.1.

Is CVE-2024-43394 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.