Apache 2

The Tenable finding maps to CVE-2024-40898: an SSRF issue in Apache HTTP Server on Windows when mod_rewrite is used in server or vhost context and request-controlled input is fed into rewrite logic. Apache says the vulnerable range is 2.4.0 through 2.4.61 on Windows, fixed in 2.4.62 on 2024-07-17. Successful exploitation can make the server initiate a connection to an attacker-controlled host and leak NTLM credentials/hashes.

The scanner's HIGH label is technically defensible from a pure CVSS lens, but it overshoots real enterprise urgency. This is not generic pre-auth Apache RCE: it is Windows-only, depends on specific unsafe rewrite behavior, and usually needs outbound SMB/UNC reachability plus usable NTLM/relay conditions before the hash leak becomes meaningful business impact.

Why this verdict

• Windows-only cut: start from the vendor HIGH, then push down because this is not the mainstream Apache/Linux exposure set; it only matters on Windows deployments.
• Unsafe rewrite prerequisite: the attacker needs mod_rewrite in server/vhost context to consume untrusted input in a dangerous way. That is a real configuration dependency, not a universal property of all vulnerable versions.
• Hash leak, not box-owning: the immediate impact is NTLM leakage. That can become serious, but only if outbound connectivity and downstream relay/reuse conditions line up.

Why not higher?

There is no strong evidence of active exploitation, no KEV listing, and no direct pre-auth RCE on the web server itself. The chain depends on a narrower deployment subset and then depends again on egress and identity weaknesses to turn disclosure into broader compromise.

Why not lower?

This is still unauthenticated and remote against an Internet-facing service, so it is not backlog fluff. If you do run Apache on Windows with permissive rewrites and weak outbound controls, a simple request can hand an attacker credential material from the web tier.

1. Block outbound SMB from web tiers — Deny TCP/445 and related outbound file-service paths from Apache hosts to the Internet and unneeded internal segments. This directly cuts the NTLM leak/relay chain; for a MEDIUM verdict there is no noisgate mitigation SLA, but this is the highest-value control to apply during normal change windows while you patch.
2. Audit and constrain mod_rewrite — Review server/vhost rewrite rules for any use of request-derived values that can become filesystem or network paths. Replace unsafe patterns with explicit allowlists and literal destinations; again, no mitigation SLA applies for MEDIUM, so do this as part of standard web config review.
3. Reduce NTLM blast radius — Where feasible, disable NTLM, prefer Kerberos, enforce SMB signing, and harden LDAP relay protections on systems reachable from web servers. This does not remove the bug, but it strips most of the downstream payoff if a hash is captured.
4. Watch for outbound auth from Apache hosts — Alert on web servers initiating SMB, WebDAV, or unusual DNS/auth traffic to untrusted destinations. That gives you compensating visibility while you move the host to 2.4.62+ inside the remediation window.

Run this on the target Windows host or through your remote execution platform. Invoke with powershell -ExecutionPolicy Bypass -File .\check-apache-cve-2024-40898.ps1 as a standard user; local admin is helpful for service enumeration but not strictly required.

# check-apache-cve-2024-40898.ps1

# Detect whether a Windows host appears vulnerable to CVE-2024-40898 based on installed Apache httpd version.

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0 = VULNERABLE, 1 = PATCHED, 2 = UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'

function Get-ApacheCandidates {
    $paths = New-Object System.Collections.Generic.List[string]

    # Common install paths

    @(
        'C:\Apache24\bin\httpd.exe',
        'C:\Program Files\Apache Group\Apache2\bin\httpd.exe',
        'C:\Program Files\Apache24\bin\httpd.exe',
        'C:\Program Files (x86)\Apache Group\Apache2\bin\httpd.exe',
        'C:\Program Files (x86)\Apache24\bin\httpd.exe'
    ) | ForEach-Object {
        if (Test-Path $_) { [void]$paths.Add($_) }
    }

    # Service image paths

    try {
        $services = Get-CimInstance Win32_Service | Where-Object {
            $_.PathName -match 'httpd\.exe' -or $_.Name -match 'Apache' -or $_.DisplayName -match 'Apache'
        }

        foreach ($svc in $services) {
            $raw = $svc.PathName
            if (-not $raw) { continue }

            # Extract the executable path, handling quoted and unquoted ImagePath values

            $candidate = $null
            if ($raw -match '^"([^"]*httpd\.exe)"') {
                $candidate = $matches[1]
            } elseif ($raw -match '^([^ ]*httpd\.exe)') {
                $candidate = $matches[1]
            }

            if ($candidate -and (Test-Path $candidate)) {
                [void]$paths.Add($candidate)
            }
        }
    } catch {}

    return $paths | Sort-Object -Unique
}

function Get-ApacheVersion([string]$exe) {
    try {
        $output = & $exe -v 2>$null
        if ($LASTEXITCODE -ne 0 -or -not $output) { return $null }
        $text = ($output | Out-String)
        if ($text -match 'Apache\/([0-9]+\.[0-9]+\.[0-9]+)') {
            return [version]$matches[1]
        }
    } catch {}
    return $null
}

$candidates = Get-ApacheCandidates
if (-not $candidates -or $candidates.Count -eq 0) {
    Write-Output 'UNKNOWN: Apache httpd.exe not found in common paths or service configuration.'
    exit 2
}

$vulnMin = [version]'2.4.0'
$vulnFixed = [version]'2.4.62'
$found = $false
$patchedSeen = $false

foreach ($exe in $candidates) {
    $ver = Get-ApacheVersion -exe $exe
    if (-not $ver) { continue }
    $found = $true

    if ($ver -ge $vulnMin -and $ver -lt $vulnFixed) {
        Write-Output ("VULNERABLE: {0} reports Apache {1}, which is below 2.4.62 on Windows." -f $exe, $ver)
        exit 0
    }

    if ($ver -ge $vulnFixed) {
        $patchedSeen = $true
    }
}

if ($patchedSeen) {
    Write-Output 'PATCHED: Detected Apache httpd version is 2.4.62 or later.'
    exit 1
}

if ($found) {
    Write-Output 'UNKNOWN: Apache was found, but the version could not be evaluated cleanly.'
    exit 2
}

Write-Output 'UNKNOWN: No usable Apache version information was obtained.'
exit 2

Sources

1. Apache HTTP Server 2.4 vulnerabilities advisory
2. NVD CVE-2024-40898
3. Tenable Nessus plugin 210450
4. CISA Known Exploited Vulnerabilities Catalog
5. FIRST EPSS API documentation
6. Censys advisory for CVE-2024-40725 & CVE-2024-40898
7. Public GitHub repo referenced as PoC/scanner