How to fix EUVD-2025-201394?

Within 24 hours: Identify all Apache HTTP Server instances on Windows with AllowEncodedSlashes On and MergeSlashes Off configurations using asset inventory and configuration management tools; isolate or restrict external access to affected servers. Within 7 days: Implement WAF rules to block encoded slash requests and monitor for suspicious outbound connections; disable AllowEncodedSlashes or enable MergeSlashes on all affected systems if business requirements permit. Within 30 days: Upgrade to Apache HTTP Server 2.4.66 or later; validate patch deployment across all instances and conduct security testing.

Is Ubuntu affected by EUVD-2025-201394?

Apache HTTP Server installations on Windows with specific configurations are vulnerable to credential theft through SSRF attacks, potentially exposing NTLM authentication hashes to unauthorized parties.

EUVD-2025-201394

| CVE-2025-59775 HIGH

2025-12-05 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201394

CVE Published

Dec 05, 2025 - 11:15 nvd

HIGH 7.5

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Analysis

Server-Side Request Forgery (SSRF) vulnerability

in Apache HTTP Server on Windows

with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content

Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Technical Context

Server-Side Request Forgery allows an attacker to induce the server to make HTTP requests to arbitrary destinations, including internal services. This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918).

Affected Products

Affected products: Apache Http Server

Remediation

Validate and whitelist allowed URLs and IP ranges. Block requests to internal/private IP ranges. Use network segmentation to limit server-side request scope.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

Vendor Status

Ubuntu

Priority: Medium

apache2

Release	Status	Version
upstream	not-affected	debian: Only affects Apache on Windows
bionic	not-affected	windows only
focal	not-affected	windows only
jammy	not-affected	windows only
noble	not-affected	windows only
plucky	not-affected	windows only
questing	not-affected	windows only
trusty	not-affected	windows only
xenial	not-affected	windows only

Debian

apache2

Release	Status	Fixed Version	Urgency
bullseye	fixed	2.4.62-1~deb11u1	-
bullseye (security)	fixed	2.4.66-1~deb11u1	-
bookworm	fixed	2.4.66-1~deb12u1	-
bookworm (security)	fixed	2.4.62-1~deb12u2	-
trixie	fixed	2.4.66-1~deb13u2	-
forky, sid	fixed	2.4.66-8	-
(unstable)	not-affected	-	-

EUVD-2025-201394 vulnerability details – vuln.today

Back

EUVD-2025-201394

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

EUVD-2025-201394

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code