CVE-2025-59775 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Apache HTTP Server software maintained by the Apache Software Foundation. This vulnerability specifically affects Windows deployments of Apache HTTP Server when two configuration directives are set: AllowEncodedSlashes On and MergeSlashes Off. SSRF vulnerabilities allow an attacker to induce the server to make HTTP requests to arbitrary locations, potentially internal or external to the network. In this case, the crafted malicious requests exploit the server's handling of encoded slashes and merged slashes in URLs to cause the server to forward NTLM authentication hashes to an attacker-controlled server. NTLM hashes are sensitive credentials used in Windows authentication protocols; their leakage can enable attackers to perform relay attacks or offline cracking to impersonate legitimate users. The vulnerability affects Apache HTTP Server versions starting from 2.4.0 and was publicly disclosed on December 5, 2025. Although no exploits are currently known in the wild, the vulnerability poses a significant risk due to the widespread use of Apache HTTP Server in enterprise environments and the critical nature of NTLM credentials. The Apache Software Foundation has addressed this issue in version 2.4.66. The vulnerability is tracked under CWE-918, which covers SSRF issues. The absence of a CVSS score requires an assessment based on the impact on confidentiality (credential leakage), integrity (potential impersonation), and availability (indirect impact). The attack does not require user interaction but does require specific server configurations and Windows platform deployment.

The primary impact of CVE-2025-59775 is the potential leakage of NTLM authentication hashes from vulnerable Apache HTTP Servers running on Windows. For European organizations, this can lead to significant security risks including credential theft, unauthorized access, lateral movement within networks, and potential full compromise of internal systems. Organizations relying on NTLM authentication, common in many legacy and hybrid Windows environments, are particularly vulnerable. The exposure of NTLM hashes can facilitate relay attacks or offline cracking, enabling attackers to impersonate users and escalate privileges. This can compromise sensitive data confidentiality and integrity, disrupt business operations, and damage organizational reputation. Additionally, the SSRF nature of the vulnerability could allow attackers to pivot into internal networks that are otherwise inaccessible externally, increasing the attack surface. The lack of known exploits in the wild suggests a window for proactive mitigation, but the widespread deployment of Apache HTTP Server in European public and private sectors elevates the risk profile. The impact is heightened in sectors with stringent data protection requirements such as finance, healthcare, and government.

To mitigate CVE-2025-59775, European organizations should take the following specific actions: 1) Immediately upgrade all Apache HTTP Server instances running on Windows to version 2.4.66 or later, where the vulnerability is patched. 2) Review and adjust server configurations to avoid using AllowEncodedSlashes On and MergeSlashes Off simultaneously unless absolutely necessary; consider disabling AllowEncodedSlashes or enabling MergeSlashes to reduce risk. 3) Implement network segmentation and firewall rules to restrict outbound HTTP requests from web servers to only trusted destinations, limiting SSRF exploitation potential. 4) Monitor server logs for unusual outbound requests or authentication attempts that could indicate exploitation attempts. 5) Employ NTLM authentication alternatives such as Kerberos where feasible to reduce reliance on NTLM hashes. 6) Conduct internal vulnerability scans and penetration tests focusing on SSRF vectors and NTLM hash exposure. 7) Educate system administrators about the risks of SSRF and the importance of secure Apache HTTP Server configurations. 8) Maintain up-to-date incident response plans to quickly address any detected exploitation attempts. These steps go beyond generic advice by focusing on configuration review, network controls, and authentication protocol improvements tailored to this vulnerability.