1 December 2021

Threat actors are actively exploiting recently patched Apache HTTP Server bug

Organizations are advised to patch their Apache HTTP servers against a server-side request forgery (SSRF) vulnerability, which is being actively exploited by hackers.

Tracked as CVE-2021-40438, the bug resides within the mod_proxy module in Apache HTTP Server and can be exploited remotely to perform SSRF attacks: by sending a specially crafted HTTP request with a chosen uri-path, an attacker can trick the web server into initiating requests to arbitrary systems.

The vulnerability affects version 2.4.48 and earlier, and it was fixed in mid-September with the release of version 2.4.49.

“By sending a specially crafted request, attackers can force the mod_proxy module (if enabled) to route connections to an origin server of their choice — thereby allowing attackers to exfiltrate secrets (like infrastructure metadata or keys) or access other internal servers (which may be less protected than externally facing ones),” cloud services provider Fastly explained.
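A defender-side inventory check for the two conditions the article names (Apache HTTP Server 2.4.48 or earlier, mod_proxy enabled), added here as an example and not code from the article, Fastly, or the Apache project; it parses constructed sample text shaped like the output of `httpd -v` and `httpd -M`, and the 2.4.49 fixed-version threshold is taken from the article.

```python
import re
from typing import Optional

# Constructed sample output in the shape of `httpd -v` and `httpd -M`
# (assumption: this is the general layout; the values are made up).
SAMPLE_VERSION_OUTPUT = (
    "Server version: Apache/2.4.48 (Unix)\n"
    "Server built:   Jun  1 2021 00:00:00\n"
)
SAMPLE_MODULES_OUTPUT = (
    "Loaded Modules:\n"
    " core_module (static)\n"
    " proxy_module (shared)\n"
    " proxy_http_module (shared)\n"
    " ssl_module (shared)\n"
)

# CVE-2021-40438 affects 2.4.48 and earlier; fixed in 2.4.49 (per the article).
FIXED_VERSION = (2, 4, 49)


def parse_httpd_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch) from `httpd -v` style output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: tuple) -> bool:
    """Tuple comparison avoids the string trap where '2.4.7' sorts after '2.4.48'."""
    return version < FIXED_VERSION


def mod_proxy_loaded(modules_text: str) -> bool:
    """True if proxy_module itself (not just proxy_http_module) is loaded."""
    return re.search(r"^\s*proxy_module\b", modules_text, re.M) is not None


def assess(version_text: str, modules_text: str) -> dict:
    """Combine both checks into a triage verdict for one host."""
    version = parse_httpd_version(version_text)
    vuln = version is not None and is_vulnerable_version(version)
    proxy = mod_proxy_loaded(modules_text)
    if vuln and proxy:
        action = "upgrade to 2.4.49 or later (mod_proxy loaded: exposed)"
    elif vuln:
        action = "upgrade to 2.4.49 or later (mod_proxy not loaded: lower exposure)"
    else:
        action = "not affected by CVE-2021-40438"
    return {"version": version, "vulnerable_version": vuln,
            "mod_proxy_loaded": proxy, "action": action}


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_MODULES_OUTPUT))
```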

The vulnerability was publicly disclosed in September 2021, and since then several proof-of-concept exploits for CVE-2021-40438 have been published. Now, the networking giant Cisco and Germany’s Federal Office for Information Security (BSI) are warning of attacks exploiting this bug.

“In November 2021, the Cisco PSIRT became aware of exploitation attempts of the vulnerability identified by CVE ID CVE-2021-40438,” Cisco said in a security advisory.

An advisory issued by BSI says that the agency is aware of at least one attack exploiting CVE-2021-40438.

“The BSI is aware of at least one case in which an attacker was able to do so through exploitation of the vulnerability to obtain hash values of user credentials from the victim’s system. The vulnerability affects all versions of Apache HTTP Server 2.4.48 or older,” Germany's federal cybersecurity watchdog said.
