A path traversal vulnerability and exploit just dropped in the wild for a specific version of Apache (Apache/2.4.49). This vulnerability allows an unauthenticated attacker to execute a path traversal attack to read files outside of the virtual directory path bounds (and, as has now been shown, RCE if MOD_CGI is enabled). It only affects a single version of Apache. There are a fair few of these online; however, it's very unlikely that all are vulnerable. The vulnerability requires specific permissions to be configured.


Vulnerability Information

How to determine the version of Apache2

From a terminal/ssh connection run:

apache2 -v

Deploy Honeypot for specific version of Apache on Ubuntu

OK, this is a fast, thrown-together deployment.

sudo apt-get install build-essential

sudo apt install zlibc

sudo apt-get install libapr1-dev libaprutil1-dev

sudo apt-get install libpcre3-dev

sudo apt install zlib1g zlib1g-dev


tar -xvf zlib-1.2.11.tar.gz

cd zlib-1.2.11/

./configure --prefix=/usr/local


sudo make install


tar -xvf httpd-2.4.49.tar.gz

cd httpd-2.4.49/

./configure --prefix=/usr/local/apache2 --enable-mods-shared=all --enable-deflate --enable-proxy --enable-proxy-balancer --enable-proxy-http


sudo make install

#edit /usr/local/apache2/conf

sudo /usr/local/apache2/bin/apachectl start

Creating the vulnerable config



Enable MOD_CGI for the RCE Vulnerability


The following is an example of the exploit:

You will see that you can read files that the Apache context has access to. Now this changes the attack surface, so you shouldn't be able to read /etc/shadow, but you might be able to read web config files, other insecure credentials, etc.


If MOD_CGI is enabled, a POST request will actually be parsed and executed:

curl --data "A=|id>>/tmp/x;uname\$IFS-a>>/tmp/x" '' -vv

You can confirm this by running cat /tmp/x

This was found by HackerFantastic


You can find POCs online. Andy put together a Python POC here:

There's also a Nuclei template (thanks

Access Logs

tail -f /usr/local/apache2/logs/access_log


Following the vendor guidance and updating to the latest version of Apache is a good idea. It is also sensible to check your access logs for IOCs.
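One way to check an access log for traversal IOCs, as an added example (not code from the original post or from the Apache project). It assumes Apache's default common/combined log format, as written to /usr/local/apache2/logs/access_log above; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def has_dot_segment(target, max_rounds=3):
    """True if the path has a '..' segment, raw or after percent-decoding."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds + 1):
        if ".." in re.split(r"[/\\]", path):
            return True
        decoded = unquote(path)
        if decoded == path:      # nothing left to decode
            break
        path = decoded           # handles double encoding such as %252e
    return False

def scan(lines):
    """Yield (host, method, status, target, verdict) for traversal requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not has_dot_segment(m["target"]):
            continue
        served = m["status"].startswith("2")
        if m["method"] == "POST":
            verdict = "traversal POST, possible CGI execution"
        elif served:
            verdict = "traversal read, content served"
        else:
            verdict = "traversal attempt, rejected"
        yield m["host"], m["method"], int(m["status"]), m["target"], verdict

# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 45',
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /static/.%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2024:10:02:15 +0000] "POST /cgi-bin/%2e%2e/%2e%2e/example-target HTTP/1.1" 200 60',
    '203.0.113.5 - - [01/Jan/2024:10:03:40 +0000] "GET /static/%252e%252e/etc/passwd HTTP/1.1" 403 199',
    '192.0.2.10 - - [01/Jan/2024:10:04:00 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep=" | ")
```

To scan a real log, pass an open file handle to scan() in place of SAMPLE. A 2xx status on a flagged request is the case to triage first, since the server returned content for it.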


Now that's the bare bones. We would want to deploy more for a believable honeypot, with HTTPS and an actual site, but I'm just knocking this up quickly. We also need to sort out backup, recovery, and log shipping, so it's not a 10-second job to make a real-life pot for deep data analysis. From what I can see, the path traversal vulnerability is likely to expose application areas or provide access to username enumeration and other sensitive information disclosure that might help an attacker target the application or other services such as SSH. It's still interesting and shows that vulnerabilities can easily be introduced and re-introduced into systems.

If mod_cgi is enabled and there is RCE potential, that's a much worse position to be in; this would make the vulnerability CRITICAL.
