Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Apache HTTP Server Update Fixes Critical Security Vulnerabilities

5 December 2025 09:23

The Apache Software Foundation has released a significant update for its popular Apache HTTP Server, addressing a total of five separate security vulnerabilities. Administrators are advised to apply this update as soon as possible to ensure their web infrastructure is protected against the identified vectors.

The newly released version 2.4.66 is a comprehensive fix for issues ranging from infinite loops during certificate renewal to possible NTLM credential leaks on Windows operating systems.

Two of the identified vulnerabilities, rated “moderate,” pose specific risks to shared hosting configurations that use suexec and to Windows environments, while the remaining three are labeled “low” severity.

Among the most significant fixes in this update is CVE-2025-59775, a server-side request forgery (SSRF) vulnerability affecting Apache HTTP Server running on Windows. This vulnerability, rated moderate in severity, arises from the interaction between the AllowEncodedSlashes On and MergeSlashes Off settings.

According to the release note, this configuration “potentially allows NTLM hashes to be leaked to a malicious server via SSRF and malicious requests or content.” This could allow attackers to harvest credentials from the server environment, making this a priority patch for Windows administrators.

The second moderate-severity flaw, CVE-2025-66200, involves the interaction between mod_userdir and suexec, and allows the suexec isolation to be bypassed via the AllowOverride FileInfo directive. The report notes that “users with access to the RequestHeader directive in htaccess can cause certain CGI scripts to run with an unexpected user ID.” This effectively breaks the intended isolation of the suexec functionality, which is critical for security in multi-user environments.
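As an added example (not from the article or the Apache project), the following audit script scans an httpd configuration for the two directive combinations described above for CVE-2025-59775 and CVE-2025-66200, so an administrator can see which hosts carry the preconditions while the 2.4.66 upgrade is rolled out. The sample configuration is constructed; the scan is deliberately coarse (it ignores <Directory> and <VirtualHost> scoping) and relies on Apache's documented defaults of AllowEncodedSlashes Off and MergeSlashes On.

```python
# Constructed sample httpd.conf fragment (not from the page), combining the
# directive interactions the advisory describes so the audit has something to flag.
SAMPLE_CONF = """\
LoadModule userdir_module modules/mod_userdir.so
LoadModule suexec_module modules/mod_suexec.so
# Comment lines are ignored by the scanner
AllowEncodedSlashes On
MergeSlashes Off
<Directory "/home/*/public_html">
    AllowOverride FileInfo Indexes
</Directory>
"""

def parse_config(text):
    """Coarse, scope-blind scan: the last value of each directive wins and
    Apache's defaults (AllowEncodedSlashes Off, MergeSlashes On) apply when unset."""
    state = {"allowencodedslashes": "off", "mergeslashes": "on",
             "modules": set(), "allowoverride": set()}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and section tags such as <Directory ...>
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name in ("allowencodedslashes", "mergeslashes") and args:
            state[name] = args[0].lower()
        elif name == "loadmodule" and args:
            state["modules"].add(args[0].lower())
        elif name == "allowoverride":
            state["allowoverride"].update(a.lower() for a in args)
    return state

def audit(text):
    """Return the CVE ids from the 2.4.66 advisory whose preconditions are present."""
    s = parse_config(text)
    findings = []
    # CVE-2025-59775 (Windows hosts): AllowEncodedSlashes On together with MergeSlashes Off
    if s["allowencodedslashes"] == "on" and s["mergeslashes"] == "off":
        findings.append("CVE-2025-59775")
    # CVE-2025-66200: mod_userdir plus suexec with FileInfo overridable (All includes FileInfo)
    if {"userdir_module", "suexec_module"} <= s["modules"] and \
            s["allowoverride"] & {"fileinfo", "all"}:
        findings.append("CVE-2025-66200")
    return findings

if __name__ == "__main__":
    for cve in audit(SAMPLE_CONF):
        print(f"{cve}: precondition present; upgrade to httpd 2.4.66")
```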

The update resolves three additional minor issues that, while less critical, could disrupt operations or create unexpected behavior:

  • Infinite Loop (CVE-2025-55753): A bug in mod_md (ACME) can cause an overflow during failed certificate renewals. This creates a potential resource exhaustion scenario.
  • Query String Issue (CVE-2025-58098): Affects servers using Server Side Includes (SSI) with mod_cgid. The warning states that the server “passes the shell-escaped query string to the #exec cmd=’…’ directives.”
  • Variable Override (CVE-2025-65082): This flaw affects “variables set via Apache configuration that unexpectedly override server-calculated variables for CGI programs.”

Users are advised to update to version 2.4.66, which fixes all of these issues.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.