STRIKE May 6, 2025 Reading Time: 1 minute

SecurityScorecard Advisory: Apache HTTP Server Improper Escaping of Output Vulnerability (CVE-2024-38475) Added to CISA KEV

by STRIKE Threat Intelligence by SecurityScorecard

CVE-2024-38475 is a vulnerability affecting Apache HTTP Server with a CVSS score of 9.1. By sending specially crafted HTTP requests, remote attackers can use this flaw to retrieve sensitive files from the target machine. As described by watchTowr Labs and Orange Tsai in their blogs (https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-sonicwall-sma100-cve-2023-44221-cve-2024-38475/ and https://blog.orange.tw/posts/2024-08-confusion-attacks-en/), this vulnerability isn’t difficult to exploit.

On May 1, 2025, this vulnerability was added to CISA’s list of Known Exploited Vulnerabilities (CISA-KEV).

  • Severity: Critical
  • Impact: Critical (severe disruption or halted operations, potential for severe material loss)
  • Action: Immediate investigation; apply the patch or update to version 2.4.60

SecurityScorecard’s Attack Surface Intelligence has found around 3.91 million IPs that are potentially vulnerable to this CVE.
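The advisory's only remediation step is to confirm the installed Apache HTTP Server is at least 2.4.60. The following script is an added example (not SecurityScorecard's tooling) that parses the version string from `httpd -v` output or a `Server:` response header and compares it numerically against the 2.4.60 threshold named above; the sample banners are constructed for illustration. Versions are compared as integer tuples so that, for instance, 2.4.9 is correctly treated as older than 2.4.10.

```python
import re
import subprocess

# Version in which the advisory states the issue is fixed
FIXED_VERSION = (2, 4, 60)

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(text):
    """Extract (major, minor, patch) from a string such as
    'Server version: Apache/2.4.58 (Unix)' (httpd -v output) or a
    'Server: Apache/2.4.58' response header. Returns None if no
    Apache version is present (e.g. the banner is suppressed)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def needs_update(text):
    """True if the reported version is older than 2.4.60, False if it is
    2.4.60 or newer, None if the version could not be determined."""
    version = parse_apache_version(text)
    if version is None:
        return None
    return version < FIXED_VERSION


def local_httpd_version(binary="httpd"):
    """Query the local Apache binary (httpd or apache2) for its version.
    Returns the parsed tuple, or None if the binary is not installed."""
    try:
        proc = subprocess.run([binary, "-v"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_apache_version(proc.stdout)


# Constructed sample banners, not real hosts
SAMPLE_BANNERS = [
    "Server version: Apache/2.4.58 (Unix)",   # older than the fix
    "Server: Apache/2.4.60",                   # fixed version
    "Server: Apache/2.4.9",                    # numerically older than 2.4.10
    "Server: nginx/1.24.0",                    # not Apache, undecidable
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        verdict = needs_update(banner)
        label = {True: "UPDATE REQUIRED", False: "ok", None: "unknown"}[verdict]
        print(f"{label:16s} {banner}")
    local = local_httpd_version() or local_httpd_version("apache2")
    print("local Apache version:", local)
```

A banner-only check has a known caveat: distribution packages (Debian, RHEL and their derivatives) often backport the fix while keeping the upstream version number, so a host reporting an older version is not necessarily unpatched. Treat a "UPDATE REQUIRED" result as a prompt to confirm against the package changelog or the vendor's advisory rather than as a final verdict.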

