CVE-2025-59775 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, impacting Apache HTTP Server versions 2.4.0 on Windows systems. The vulnerability arises specifically when the server configuration enables AllowEncodedSlashes On and disables MergeSlashes (MergeSlashes Off). Under these conditions, an attacker can send crafted HTTP requests that cause the server to make unintended requests to internal or external resources. This SSRF can be exploited to leak NTLM authentication hashes by forcing the server to authenticate against a malicious server controlled by the attacker. The leakage of NTLM hashes poses a significant risk as these hashes can be used in relay attacks or offline cracking attempts, potentially leading to unauthorized access and privilege escalation within the targeted network. The vulnerability is remotely exploitable without requiring any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and the high impact on confidentiality. The Apache Software Foundation has addressed this vulnerability in Apache HTTP Server version 2.4.66, and users are urged to upgrade to this or later versions to mitigate the risk. No public exploits or active exploitation have been reported to date, but the potential impact warrants immediate attention.

For European organizations, this vulnerability poses a significant threat to the confidentiality of authentication credentials, particularly NTLM hashes, which are widely used in Windows-based environments. Successful exploitation could enable attackers to perform credential relay or cracking attacks, leading to unauthorized access to internal systems and sensitive data. This could disrupt business operations, compromise customer data, and damage organizational reputation. Given the widespread use of Apache HTTP Server in European enterprises and public sector institutions, especially on Windows platforms, the risk of lateral movement and internal network compromise is substantial. Organizations in sectors such as finance, government, healthcare, and critical infrastructure, which rely heavily on Windows authentication and Apache HTTP Server, are particularly at risk. The vulnerability does not impact integrity or availability directly but can serve as a stepping stone for more severe attacks. The absence of required authentication and user interaction makes it easier for attackers to exploit remotely, increasing the urgency for mitigation.

European organizations should immediately verify if their Apache HTTP Server deployments on Windows are configured with AllowEncodedSlashes On and MergeSlashes Off, as this combination enables the vulnerability. The primary mitigation is to upgrade Apache HTTP Server to version 2.4.66 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, organizations should consider temporarily disabling AllowEncodedSlashes or enabling MergeSlashes to mitigate the risk. Network-level controls such as restricting outbound HTTP requests from the server to untrusted or external networks can reduce the attack surface. Monitoring and logging HTTP requests for suspicious patterns indicative of SSRF attempts should be implemented. Additionally, organizations should review NTLM authentication usage and consider deploying multi-factor authentication and network segmentation to limit the impact of potential credential compromise. Regular vulnerability scanning and penetration testing should include checks for this SSRF condition. Finally, educating security teams about SSRF risks and response procedures will improve detection and incident handling.