$
research-item
--score 100 --exploit active
Exploit-DB: HTTP/2 2.0 - Denial Of Service (DOS)
Research page generated from configured evidence sources. Treat this as an analyst workbench: facts are sourced, gaps are labelled, and low-confidence chatter is separated from confirmed evidence.
Executive judgement
- Operational lane: review now
- Priority score: 100
- Confidence: high
- Exploit status: active — Active exploitation signal observed in configured sources.
- Urgent publishable: yes
- CISA KEV: Confirmed in CISA KEV from configured source data.
- Published/observed: 2023-11-16
- EPSS score: 1.0000 (100th percentile)
What happened
HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Why it matters
- The item was promoted because the pipeline observed: priority score 100, exploit status active, confidence high.
- It has a CVE identifier, so it can be tracked across NVD/CVE.org/vendor/exploit sources.
- No PoC signal was detected by the current pipeline unless shown elsewhere on this page.
Evidence collected
- NVD: nvd
- CISA KEV: cisa_kev
- EXPLOITDB: Exploit-DB: HTTP/2 2.0 - Denial Of Service (DOS)
Exploitation and PoC status
- Current automated assessment: Active exploitation signal observed in configured sources.
- Public exploit/PoC: No PoC source captured yet by the configured pipeline.
- Exploited in the wild: Configured sources contain active exploitation language.
- Ransomware association: No ransomware association captured at generation time.
Publication / validation flags
- No validation flags from configured gates.
Dark web / low-confidence chatter
- AlienVault OTX pulse: From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware
- AlienVault OTX pulse: Bluekit Phishing as a Service (PhaaS)
- AlienVault OTX pulse: Attackers Weaponize Microsoft Teams Relays to Stay Hidden
Defender actions
- Update HTTP/2 implementations per vendor guidance
- Deploy DDoS mitigation for rapid reset traffic
- Monitor logs for anomalous HTTP/2 resets
Analyst note
Confirmed KEV status and active exploit mean defenders must treat this as in-the-wild. Public PoC increases accessibility for attackers. Prioritize HTTP/2 exposure review and DDoS controls now.
Defender / Sentinel hunting queries
MDE exposure: devices with CVE-2023-44487
Find devices where Microsoft Defender Vulnerability Management reports the CVE.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2023-44487"
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, LastSeenTime
| order by VulnerabilitySeverityLevel desc, LastSeenTime desc
MDE endpoint behaviour hunt
General endpoint hunt for named tooling, malware, or exploit artefacts from the research item. Tune terms with vendor IOCs.
DeviceProcessEvents
| where Timestamp > ago(14d)
| where ProcessCommandLine has "Exploit-DB" or FileName has "Exploit-DB" or FolderPath has "Exploit-DB" or ProcessCommandLine has "HTTP" or FileName has "HTTP" or FolderPath has "HTTP" or ProcessCommandLine has "Denial" or FileName has "Denial" or FolderPath has "Denial" or ProcessCommandLine has "Service" or FileName has "Service" or FolderPath has "Service" or ProcessCommandLine has "rapid" or FileName has "rapid" or FolderPath has "rapid"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
MDE file artefact hunt
Hunt for suspicious files dropped or modified during exploitation of this vulnerability.
DeviceFileEvents
| where Timestamp > ago(14d)
| where FileName has "Exploit-DB" or FolderPath has "Exploit-DB" or InitiatingProcessCommandLine has "Exploit-DB" or FileName has "HTTP" or FolderPath has "HTTP" or InitiatingProcessCommandLine has "HTTP" or FileName has "Denial" or FolderPath has "Denial" or InitiatingProcessCommandLine has "Denial" or FileName has "Service" or FolderPath has "Service" or InitiatingProcessCommandLine has "Service" or FileName has "rapid" or FolderPath has "rapid" or InitiatingProcessCommandLine has "rapid"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, FileSize
| order by Timestamp desc
MDE registry persistence and tamper hunt
Hunt for suspicious registry modifications (persistence, service installs, config tampering) linked to this issue.
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has_any ("Run", "RunOnce", "Services", "Image File Execution", "Winlogon") or RegistryValueName has "Exploit-DB" or RegistryKey has "Exploit-DB" or PreviousRegistryValueData has "Exploit-DB" or RegistryValueName has "HTTP" or RegistryKey has "HTTP" or PreviousRegistryValueData has "HTTP" or RegistryValueName has "Denial" or RegistryKey has "Denial" or PreviousRegistryValueData has "Denial" or RegistryValueName has "Service" or RegistryKey has "Service" or PreviousRegistryValueData has "Service"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
Exposure validation ideas
- Search asset inventory for affected vendor/product names and any CVE reference.
- Check internet-facing exposure through approved tools only: Shodan/Censys/GreyNoise links below are research starting points, not proof of exposure.
- Prioritise management interfaces, edge devices, identity/control-plane systems, and OT/ICS assets where relevant.
Detection / hunting ideas
- Review vendor logs for authentication failures, privilege changes, unexpected admin activity, and anomalous management-plane access.
- Search SIEM/EDR telemetry for product-specific process names, network services, and newly published indicators from primary sources.
- Monitor for scanner traffic or nuclei/metasploit module references once public exploit tooling appears.
Research links
- NVD
- CVE.org
- CISA KEV search
- GitHub code/advisory search
- GitHub repository search
- Exploit-DB search
- Packet Storm search
- AlienVault OTX search
- GreyNoise search
- Shodan search
- Censys search
Open questions
- Is there a primary vendor advisory with exact affected versions and fixed versions?
- Has CISA KEV, Shadowserver, GreyNoise, or a trusted vendor confirmed exploitation?
- Are there credible PoC repositories or only secondary reporting mentioning PoC?
- Is there underground/forum/leak-site discussion, or only public reporting?
Generated: 2026-06-18T16:20:07+00:00