Apache HTTP Server Project CVE-2021-41773 Vulnerability Actively Exploited in the Wild

The vulnerability tracked as CVE-2021-41773 is a path traversal and file disclosure vulnerability in Apache HTTP Server. The vulnerability has been exploited in the wild as a zero-day.
Updated on
April 19, 2023
Published on
October 6, 2021
Subscribe to the latest industry news, threats and resources.


Vulnerability Intelligence

Vulnerability Class

Path Traversal, File Disclosure



CVSS:3.0 Score







Executive Summary

  • CloudSEK’s Threat Intelligence team discovered a post, on a cybercrime forum, describing the newly identified path traversal and file disclosure vulnerability, CVE-2021-41773, in Apache HTTP Server.
  • The Apache HTTP Server Project is an open-source HTTP server for operating systems including UNIX and Windows. 
  • This vulnerability is being actively exploited in the wild and has affected only version 2.4.49 of the server.
  • Apache recently released an advisory[-1-] about the same, along with a patch in version 2.4.50 of the Server.
  • Threat actors can exploit this vulnerability to poison server logs to carry out remote code execution and/ or exfiltrate sensitive data. 
  • A new group of Chinese hackers are targeting high ranking officials in Southeast Asia by exploiting vulnerabilities in Apache, Oracle, MS Exchange, etc.
[caption id="attachment_18032" align="alignnone" width="1204"] A threat actor’s post describing CVE-2021-41773 on a cybercrime forum[/caption]


  • Apache HTTP Server is one of the most widely used server software around the world. The vulnerability tracked as CVE-2021-41773 is a path traversal and file disclosure vulnerability in Apache HTTP Server which is being exploited in the wild, as a zero-day.
  • This active exploitation necessitated the release of an expedited patch by Apache, on 05 October 2021.
  • According to the advisory issued by Apache, “An attacker could use a path traversal attack to map URLs to files outside the expected document root.”
  • This problem arises from a flaw in how the Apache server converts between multiple URL path schemes, often known as path normalization. Normalizing a path is the process where the coder modifies the string that identifies a path or a file, so that it conforms to a valid path on the target operating system.
  • Successful exploitation of this vulnerability would give a remote attacker access to arbitrary files outside of the document root on the vulnerable web server. 
  • According to the advisory, this flaw could also leak “the source of interpreted files like CGI scripts” which may contain sensitive information that attackers can exploit for further attacks.

Information from Open source

According to a Shodan search, at the time this report was created, there were 112,756 vulnerable versions of the Apache HTTP Server active on the internet.

A Shodan search shows that there are 112,756 vulnerable versions of Apache HTTP server active on the internet at the time this report was written.

Impact & Mitigation

  • Attackers could use a path traversal attack to map URLs to files outside the expected document root and access sensitive files, passwords, etc.
  • This flaw could leak the source of interpreted files such as CGI scripts. 
  • This vulnerability could even lead to an RCE (Remote code execution) attack by poisoning server logs.
  • RCE can lead to devastating attacks including but not limited to Ransomware campaigns. 
  • Immediately update Apache HTTP Server to the patched version 2.4.50.



[-1-] - Advisory issued by Apache for the vulnerabilities in Apache HTTP Server version 2.4

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations