Threat Response: Vulnerability in Apache HTTP Server 2.4.49



On Monday October 4th, The Apache Software Foundation released a patch for a vulnerability that was assigned CVE-2021-41773 [1]. The vulnerability allows attackers to read files outside of the webroot, which could lead to sensitive files being exposed to the internet. In some configurations (usually with CGI), this could lead to Remote Code Execution.

The vulnerability was discovered by the cPanel Security team on the 29th of September 2021. The only vulnerable version is Apache 2.4.49. Apache patched the vulnerability on October 4th. The NCSC classified this vulnerability as HIGH/HIGH [2].


The flaw lies in how Apache handles path normalization. When a specially crafted web request is sent to the webserver, Apache will disclose files that are outside of the webroot.


Successful exploitation allows an attacker to access files outside the document root. Under certain conditions this can result in remote code execution.

Therefore, we assess the impact as high.


This vulnerability is currently exploited in the wild. Therefore, we assess the risk as high.


Update your Apache webserver to the latest version, which is 2.4.50.

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.





Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.