Cyber Resilience

CVE-2022-34701

HighDDoS

Published: 09 August 2022

Published
09 August 2022
Modified
04 June 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.1640 95.0th percentile
Risk Priority 25 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-34701 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Microsoft Windows 10. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Windows Secure Socket Tunneling Protocol (SSTP) in affected Windows versions is subject to a denial-of-service vulnerability tracked as CVE-2022-34701. The flaw is characterized by CWE-400 and carries a CVSS 3.1 score of 7.5, reflecting a remotely exploitable condition that requires no authentication or user interaction and produces a high impact on availability while leaving confidentiality and integrity unaffected.

An unauthenticated attacker with network access can send specially crafted requests to an SSTP server, triggering the denial-of-service condition and disrupting VPN connectivity for legitimate users. Because the attack vector is network-reachable and requires no privileges, the exposure applies to any internet-facing or internally reachable Windows system running the SSTP service.

Microsoft’s advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34701 supplies the official patch matrix and mitigation guidance, directing administrators to apply the security update corresponding to their Windows release. The EPSS score reached a peak of 0.1953 and currently stands at 0.1640, indicating measurable post-disclosure interest in the issue.

EU & UK References

Vulnerability details

Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
windows 10
1607, 1809, 20h2, 21h1, 21h2
microsoft
windows 11
all versions
microsoft
windows 7
all versions
microsoft
windows 8.1
all versions
microsoft
windows rt 8.1
all versions
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
20h2, all versions
microsoft
windows server 2019
all versions
microsoft
windows server 2022
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-400

Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.

addresses: CWE-400

Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.

addresses: CWE-400

Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.

addresses: CWE-400

Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.

addresses: CWE-400

Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.

addresses: CWE-400

Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.

addresses: CWE-400

The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.

addresses: CWE-400

Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.

References