Cyber Resilience

CVE-2023-44487

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · DDoS · Updated

Published: 10 October 2023
Modified: 12 May 2026
KEV Added: 10 October 2023
Patch
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.9439 (100.0th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-44487 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and AC-10 (Concurrent Session Control).

Deeper analysis

The vulnerability CVE-2023-44487 is a denial-of-service flaw in the HTTP/2 protocol that stems from rapid request cancellation, which allows an attacker to reset many streams in quick succession and exhaust server resources. It affects any HTTP/2 server implementation that processes such cancellations without sufficient rate limiting or resource controls, and carries a CVSS 3.1 score of 7.5 reflecting high availability impact over a network with no authentication required.

Unauthenticated remote attackers can exploit the issue by sending a flood of HTTP/2 requests followed by immediate RST_STREAM frames, driving up CPU and memory consumption on the target server until it becomes unresponsive. The flaw was actively exploited in the wild between August and October 2023.

Multiple oss-security advisories referenced in the disclosure discuss vendor-specific patches and configuration changes that mitigate stream-reset abuse. The EPSS score has remained near its peak of 0.9450 (current value 0.9439), indicating sustained exploitation interest since public disclosure.
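The stream-reset pattern described above can be spotted from the server side by counting RST_STREAM frames per connection in a sliding time window. The following detector is an added example, not code from this page or from any affected vendor; the frame-event log format, the connection ids and the thresholds are all constructed assumptions.

```python
"""Sliding-window detector for HTTP/2 rapid-reset abuse (added example).

Log format is an assumption for this example: "ts conn frame stream",
e.g. "0.011 c1 RST_STREAM 3". Real servers need an adapter to this shape.
"""
from collections import defaultdict, deque


def make_sample_log():
    """Constructed log: c1 opens 30 streams and resets each right away
    (rapid-reset pattern); c2 opens 4 streams and lets them complete."""
    lines = []
    for i in range(30):
        sid = 2 * i + 1                       # client streams use odd ids
        t = i * 0.01
        lines.append(f"{t:.3f} c1 HEADERS {sid}")
        lines.append(f"{t + 0.001:.3f} c1 RST_STREAM {sid}")
    for i in range(4):
        sid = 2 * i + 1
        lines.append(f"{i * 0.5:.3f} c2 HEADERS {sid}")
        lines.append(f"{i * 0.5 + 0.2:.3f} c2 DATA {sid}")
    return lines


def parse_line(line):
    ts, conn, frame, stream = line.split()
    return float(ts), conn, frame, int(stream)


def detect_rapid_reset(lines, window_s=1.0, max_resets=20):
    """Return {conn: peak RST_STREAM count in any window_s-second window}
    for connections whose peak reaches max_resets.
    window_s and max_resets are illustrative defaults; tune per deployment."""
    recent = defaultdict(deque)   # conn -> timestamps of recent resets
    peak = defaultdict(int)
    # Sorting by timestamp keeps each connection's frames in arrival order.
    for ts, conn, frame, _sid in sorted(parse_line(l) for l in lines):
        if frame != "RST_STREAM":
            continue
        q = recent[conn]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop resets outside the window
            q.popleft()
        peak[conn] = max(peak[conn], len(q))
    return {c: n for c, n in peak.items() if n >= max_resets}


if __name__ == "__main__":
    print(detect_rapid_reset(make_sample_log()))   # flags c1 only
```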

EU & UK References

Vulnerability details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CWE(s): CWE-400 (Uncontrolled Resource Consumption)
KEV Date Added: 10 October 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product                                            Version(s)
siemens   simatic s7-1500 cpu 1518f-4 pn/dp mfp firmware     ≥ 3.1.5
siemens   sinec ins                                          1.0 · ≤ 1.0
siemens   sinec nms                                          ≤ 3.0
siemens   st7 scadaconnect                                   ≤ 1.1
siemens   ruggedcom ape1808 firmware                         all versions
siemens   simatic s7-1500 cpu 1518-4 pn/dp mfp firmware      ≥ 3.1.5
siemens   siplus s7-1500 cpu 1518-4 pn/dp mfp firmware       ≥ 3.1.5
ietf      http                                               2.0
nghttp2   nghttp2                                            ≤ 1.57.0
netty     netty                                              ≤ 4.1.100
+155 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

SC-5 Denial-of-Service Protection (prevent): Directly requires mechanisms to protect against denial-of-service attacks that consume server resources via rapid HTTP/2 stream resets.

AC-10 Concurrent Session Control (prevent): Limits the number of concurrent HTTP/2 streams per session, reducing an attacker's ability to trigger mass cancellations.

Resource availability (prevent): Ensures resource availability by prioritizing or throttling allocation during high-volume stream-reset floods.

References