
CVE-2023-44487

HTTP/2 Rapid Reset Attack Vulnerability

CVSS 7.5 · HIGH ⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog

Confirmed exploited in the wild. Added 2023-10-10. Federal remediation due 2023-10-31.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Summary

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.1 breakdown

Base score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH

Weakness type (CWE)

Affected products

Siemens simatic s7-1500 cpu 1518f-4 pn/dp mfp firmware
Siemens simatic s7-1500 cpu 1518f-4 pn/dp mfp
Siemens sinec ins
Siemens sinec nms
Siemens st7 scadaconnect
Siemens ruggedcom ape1808 firmware
Siemens ruggedcom ape1808
Siemens simatic s7-1500 cpu 1518-4 pn/dp mfp firmware
Siemens simatic s7-1500 cpu 1518-4 pn/dp
Siemens siplus s7-1500 cpu 1518-4 pn/dp mfp firmware
Siemens siplus s7-1500 cpu 1518-4 pn/dp mfp
Ietf http
Nghttp2 nghttp2
Netty netty
Envoyproxy envoy
Eclipse jetty
Caddyserver caddy
Golang go
Golang http2
Golang networking

References

Data: NIST NVD + CISA KEV. NVD last modified 2026-05-12. Always verify against the vendor advisory before acting.
