
Proof-of-Concept Exploit Released for CVE-2024-40725 in Apache HTTP Server



Summary

CVE-2024-40725 could lead to source code disclosure of local scripts running on the server


Affected platforms

The following platforms are known to be affected:

Threat details

Proof-of-concept exploit for CVE-2024-40725

A public proof-of-concept (PoC) exploit is available for CVE-2024-40725. Exploitation is considered more likely.


Introduction

The Apache Software Foundation has released an update to HTTP Server (sometimes known as 'httpd') to address vulnerability CVE-2024-40725.

On 03 July 2024, Apache issued a security bulletin to address CVE-2024-39884, which is a source code disclosure vulnerability. If exploited, CVE-2024-39884 could allow an attacker to read the source code of scripts running on the server.

On 17 July 2024, Apache issued a second bulletin to address CVE-2024-40725, which has a CVSSv3 score of 5.3, advising that the previous mitigation for CVE-2024-39884 was incomplete. A PoC exploit has been released publicly for CVE-2024-40725.


Remediation advice

Affected organisations are encouraged to review the release notes for Apache HTTP Server 2.4.62 on the Apache HTTP Server 2.4 vulnerabilities webpage and apply any relevant updates. 



Last edited: 3 January 2025 2:35 pm