CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2021-44228
9.895.63%

Apache's Billion-Dollar Mistake: How One Line of Code Opened the Web's Front Door

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 3, 2026·8 min read·5 visits

Active ExploitationCISA KEV Listed

Executive Summary (TL;DR)

A botched path normalization change in Apache 2.4.49 allowed attackers to read any file on the server using a simple URL-encoded trick (`.%2e/`). If `mod_cgi` was enabled, this file-read bug became a full-blown RCE, allowing attackers to execute commands as the web server's user. It was a 0-day for a short period and highlights the danger of 'improving' security-critical code without rigorous testing.

CVE-2021-41773 is a critical path traversal vulnerability discovered in Apache HTTP Server version 2.4.49. A flawed change in path normalization logic allowed unauthenticated attackers to map URLs to files outside the expected document root. If CGI scripts were also enabled, this vulnerability could be trivially escalated to achieve remote code execution. The bug was introduced and fixed in rapid succession, but not before being actively exploited in the wild, serving as a stark reminder of how fragile core internet infrastructure can be.

Official Patches

Apache Software FoundationOfficial Apache advisory for CVE-2021-41773
UbuntuUbuntu Security Notice USN-5093-1

Fix Analysis (1)

Technical Appendix

CVSS Score
9.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
95.63%
Top 4% most exploited

Affected Systems

Apache HTTP Server

Affected Versions Detail

Product
Affected Versions
Fixed Version
Apache HTTP Server
Apache Software Foundation
2.4.492.4.50
AttributeDetail
CWE IDCWE-22
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
CVSS Score9.8 (Critical for RCE scenario)
ImpactArbitrary File Disclosure, Remote Code Execution
Exploit StatusActive Exploitation
KEV StatusYes, added 2021-10-07

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1059Command and Scripting Interpreter
Execution
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Known Exploits & Detection

GitHubPublic Proof-of-Concept script for CVE-2021-41773 demonstrating both LFI and RCE.
Exploit-DBApache 2.4.49 - Path Traversal & Remote Code Execution (RCE)

Vulnerability Timeline

Apache HTTP Server 2.4.49 released, introducing the vulnerability.
2021-09-15
Vulnerability disclosed and patch released in version 2.4.50.
2021-10-04
Public PoC exploits and active scanning in the wild are detected.
2021-10-05
A bypass for the patch is discovered (CVE-2021-42013). Apache releases version 2.4.51.
2021-10-07
CVE-2021-41773 added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
2021-10-07

References & Sources

  • [1]NVD - CVE-2021-41773
  • [2]MITRE - CVE-2021-41773
  • [3]CISA Known Exploited Vulnerabilities Catalog
  • [4]Sonatype Blog: Analysis of the Apache vulnerability and its botched patch
Related Vulnerabilities
CVE-2021-42013CVE-2021-41773

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.