Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Apache HTTP Server Update Fixes Critical Security Vulnerabilities

5 December 2025 09:23

The Apache Software Foundation has released a significant update for its popular Apache HTTP Server, addressing a total of five separate security vulnerabilities. Administrators are advised to apply this update as soon as possible to ensure their web infrastructure is protected against the identified attack vectors.

The newly released version 2.4.66 is a comprehensive fix for issues ranging from infinite loops during certificate renewal to possible NTLM credential leaks on Windows operating systems.

Two of the identified vulnerabilities, rated “moderate,” pose specific risks to shared hosting configurations using suexec and Windows environments, while the remaining three are labeled “low” severity.

Among the most significant fixes in this update is CVE-2025-59775, a server-side request forgery (SSRF) vulnerability affecting Apache HTTP Server running on Windows. This vulnerability, rated moderate in severity, occurs due to the interaction between the AllowEncodedSlashes On and MergeSlashes Off settings.

According to the release note, this configuration “potentially allows NTLM hashes to be leaked to a malicious server via SSRF and malicious requests or content.” This could allow attackers to harvest credentials from the server environment, making this a priority patch for Windows administrators.

The second moderate-severity flaw, CVE-2025-66200, involves the interaction between mod_userdir and suexec. The suexec isolation can be bypassed via the AllowOverride FileInfo directive: the report notes that “users with access to the RequestHeader directive in htaccess can cause certain CGI scripts to run with an unexpected user ID.” This effectively breaks the intended isolation provided by suexec, which is critical for security in multi-user environments.

The update resolves three additional minor issues that, while less critical, could disrupt operations or create unexpected behavior:

  • Infinite Loop (CVE-2025-55753): A bug in mod_md (ACME) can cause the server to loop endlessly during failed certificate renewals, creating a potential resource exhaustion scenario.
  • Query String Issue (CVE-2025-58098): Affects servers using Server Side Includes (SSI) with mod_cgid. The advisory states that the server “passes the shell-escaped query string to the #exec cmd='…' directives.”
  • Variable Override (CVE-2025-65082): This flaw affects “variables set via Apache configuration that unexpectedly override server-calculated variables for CGI programs.”
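The article names concrete settings and modules for four of the five issues (the AllowEncodedSlashes/MergeSlashes pair, mod_userdir with suexec and AllowOverride FileInfo, SSI with mod_cgid, and mod_md) plus the fixed version. The following audit script is an added example, not code from the article or from the Apache project: it parses an httpd configuration, reports which of those advisory conditions are present, and checks the `httpd -v` output against 2.4.66. The directive semantics it relies on (the last occurrence of a directive wins, `AllowOverride All` includes FileInfo, `MergeSlashes` defaults to On) follow the httpd documentation; the sample configuration and version string are constructed, and section nesting is deliberately ignored so that a risky directive anywhere in the file is flagged.

```python
"""Audit helper for the Apache httpd 2.4.66 advisory conditions.

Added example, not part of the article or of the Apache project.  The
sample configuration and `httpd -v` output at the bottom are constructed.
<Directory>/<VirtualHost> nesting is ignored on purpose so that a risky
directive anywhere in the file is reported (conservative for an audit).
"""
import re
from typing import List, Tuple

FIXED_VERSION = (2, 4, 66)  # first release carrying the five fixes


def parse_directives(config_text: str) -> List[Tuple[str, List[str]]]:
    """Return (lower-cased directive name, argument list) per directive line.
    Comments, blank lines and section tags such as <VirtualHost> are skipped."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def _effective_value(directives, name: str, default: str) -> str:
    """httpd keeps the last occurrence of a directive; mimic that."""
    value = default
    for d_name, args in directives:
        if d_name == name and args:
            value = args[0]
    return value.lower()


def audit_config(config_text: str) -> List[str]:
    """Return one finding per advisory condition present in the configuration."""
    directives = parse_directives(config_text)
    modules = {args[0].lower() for name, args in directives
               if name == "loadmodule" and args}
    findings = []

    # CVE-2025-59775 (Windows): AllowEncodedSlashes On combined with MergeSlashes Off
    encoded = _effective_value(directives, "allowencodedslashes", "Off")
    merge = _effective_value(directives, "mergeslashes", "On")
    if encoded == "on" and merge == "off":
        findings.append("CVE-2025-59775: AllowEncodedSlashes On with MergeSlashes Off")

    # CVE-2025-66200: mod_userdir + suexec where htaccess may carry RequestHeader
    fileinfo = any(
        name == "allowoverride" and any(a.lower() in ("fileinfo", "all") for a in args)
        for name, args in directives
    )
    if {"userdir_module", "suexec_module"} <= modules and fileinfo:
        findings.append("CVE-2025-66200: mod_userdir + suexec with AllowOverride FileInfo")

    # CVE-2025-58098: Server Side Includes served alongside mod_cgid
    if {"include_module", "cgid_module"} <= modules:
        findings.append("CVE-2025-58098: SSI (mod_include) together with mod_cgid")

    # CVE-2025-55753: mod_md (ACME) renewal loop
    if "md_module" in modules:
        findings.append("CVE-2025-55753: mod_md in use")

    return findings


def httpd_version(httpd_v_output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the output of `httpd -v`."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no Apache version string found")
    return tuple(int(x) for x in m.groups())


def is_patched(httpd_v_output: str) -> bool:
    """True when the running build is 2.4.66 or later."""
    return httpd_version(httpd_v_output) >= FIXED_VERSION


SAMPLE_CONFIG = """\
# constructed sample configuration for the audit below
LoadModule userdir_module modules/mod_userdir.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule include_module modules/mod_include.so
LoadModule cgid_module modules/mod_cgid.so
AllowEncodedSlashes On
MergeSlashes Off
<Directory "/home/*/public_html">
    AllowOverride FileInfo
</Directory>
"""
SAMPLE_VERSION = "Server version: Apache/2.4.65 (Unix)"  # constructed

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING", finding)
    print("patched" if is_patched(SAMPLE_VERSION) else "update to 2.4.66")
```

Run against a real deployment by reading the httpd.conf (and any included files) into `audit_config` and feeding the output of `httpd -v` to `is_patched`; a finding is a prompt to verify the setting in its actual context, since the script does not model section scoping. The version check is the decisive one: the article's remediation is the upgrade, and the configuration findings only show where the exposure lies until it is applied.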

Users are advised to update to version 2.4.66, which fixes all of the issues above.


Editorial Staff

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.