Rapid7: Active exploitation of Apache HTTP server CVE-2021-40438


On September 16, 2021, Apache released HTTP Server version 2.4.49, which included a fix for CVE-2021-40438, a critical server-side request forgery (SSRF) vulnerability affecting Apache HTTP Server 2.4.48 and versions earlier. The vulnerability resides in mod_proxy and allows remote unauthenticated attackers to force vulnerable HTTP servers to forward requests to arbitrary servers, giving them the ability to obtain or tamper with resources that would otherwise be potentially unavailable.

Since other vendors are integrating HTTP Server into their products, we would expect to see a continuous trickle of downstream notices as third-party software producers update their dependencies. Cisco, for example, is studying more than 20 products that may be affected by CVE-2021-40438, including a number of network infrastructure solutions and security devices. To be usable, CVE-2021-40438 requires mod_proxy to be enabled. It has a CVSSv3 score of 9.0.

Several sources have confirmed that they have seen attempts to exploit CVE-2021-40438 in the wild. As of November 30, 2021, there was still no evidence of widespread attacks, but given the prevalence and typical exposure levels of httpd (and the fact that it is typically clustered in a large ecosystem of products) , its exploitation is likely to continue – and potentially increase. Rapid7 and the community have an analysis of this vulnerability in AttackerKB.

Affected versions

According to Apache advice, all versions of Apache HTTP Server up to 2.4.48 are vulnerable if mod_proxy is used. CVE-2021-40438 is fixed in Apache HTTP Server 2.4.49 and later.

Rapid7 Labs observed over 4 million potentially vulnerable instances of Apache httpd 2.x:

Mitigation guide

Apache HTTP Server versions 2.4.49 and 2.4.50 included other serious vulnerabilities known to be exploited in the wild, so Apache httpd clients should upgrade to the latest version (2.4.51 through at the time of writing) instead of an incremental upgrade.

We recommend that you pay particular attention to firewalls or other product notices related to security limits and prioritize updates for those solutions. NVD’s entry for CVE-2021-40438 includes several notices from downstream vendors.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2021-40438 with authenticated and unauthenticated vulnerability checks.


Get the latest stories, expertise and security news today.



Comments are closed.