Cybersecurity and Infrastructure Security Agency (CISA) advises strengthening security measures amid persistent Distributed Denial of Service (DDoS) attacks exploiting the HTTP/2 Rapid Reset zero-day vulnerability
In a blog post published on Tuesday, F5 warned of a high-severity vulnerability, tracked as CVE-2023-44487, that has led to record-breaking distributed denial-of-service (DDoS) attacks. The vulnerability, known as HTTP/2 Rapid Reset, affects many HTTP/2 implementations, including those from major vendors such as Apache Tomcat, Cisco, Microsoft, and potentially Nginx.
The HTTP/2 Rapid Reset vulnerability, first disclosed in 2023, allows attackers to rapidly cancel HTTP/2 requests, causing servers to process an unbounded number of concurrent streams. This leads to resource exhaustion and potential denial-of-service (DoS) attacks. In August 2025, an evolved variant of this vulnerability, named "MadeYouReset" (CVE-2025-8671), was disclosed. This variant enables attackers to bypass even improved mitigations by tricking servers into cancelling requests on the client’s behalf, resulting in severe resource exhaustion, complete server DoS, and crashes due to Out-of-Memory (OOM) conditions.
Over 100 vendors have been notified, including Cisco, Apache Tomcat, Fastly, Google, Microsoft, and others. Multiple vendor-specific patches and responses are being rolled out. It is worth noting that HAProxy products reported no impact from the original Rapid Reset vulnerability; the broader HTTP/2 ecosystem, however, remains at risk unless fully patched.
Regarding Nginx and related products, the vulnerability affects many HTTP/2 implementations. Although the recent advisory summaries do not mention Nginx explicitly, Nginx's HTTP/2 implementation is generally exposed to this kind of HTTP/2 concurrency abuse unless specifically patched. F5 has urged users of its Nginx open source project to upgrade immediately and to update their configuration files to mitigate these attacks.
Corporate stakeholders are seeking to better understand the risk calculus of their technology stacks, with the question being: Are we a target? If Nginx is configured for a higher number of requests, an attack could deplete system resources.
The Cybersecurity and Infrastructure Security Agency has advised organizations to apply patches and consider configuration changes because of this high-severity vulnerability. Experts suggest that HTTP/2's faster stream handling makes it susceptible to more powerful attacks.
Microsoft has urged customers that are self-hosting web applications to apply security patches, and Google has reported that the attacks have reached as high as 398 million requests per second. This vulnerability highlights a flaw not in the HTTP/2 protocol itself, but in how implementations manage stream resets and resource accounting, leading to an asymmetric load attack vector.
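To make the accounting flaw described above concrete, the following added example (not code from F5, CISA or any vendor named here) simulates a server's per-connection HTTP/2 stream bookkeeping over constructed frame sequences. A concurrency-only limit never trips under a headers-then-reset pattern because each cancelled stream frees its slot, while a reset-aware guard closes the connection once resets dominate; the limit and threshold values are assumed, not vendor defaults.

```python
"""Per-connection HTTP/2 stream accounting: concurrency-only limit versus a
reset-aware guard, driven by constructed (frame_type, stream_id) sequences."""

MAX_CONCURRENT_STREAMS = 100   # assumed value, in the spirit of a max-concurrent-streams setting
MAX_RESETS_PER_CONN = 1000     # hypothetical reset budget per connection, not a vendor default
MIN_RESET_RATIO = 0.5          # close only if at least half of the opened streams were reset


def process_frames(frames, reset_guard):
    """Feed frames through the server-side accounting.

    Returns (refused, closed, opened): HEADERS frames refused for exceeding
    the concurrency limit, whether the guard tore the connection down, and the
    total number of streams the server started work on."""
    active = set()
    opened = resets = refused = 0
    for frame_type, stream_id in frames:
        if frame_type == "HEADERS":
            if len(active) >= MAX_CONCURRENT_STREAMS:
                refused += 1
                continue
            active.add(stream_id)
            opened += 1  # work (parse, route, dispatch) is spent here
        elif frame_type == "RST_STREAM":
            # The cancelled stream stops counting toward the concurrency
            # limit, but the work already dispatched for it is not refunded.
            active.discard(stream_id)
            resets += 1
            if (reset_guard and resets >= MAX_RESETS_PER_CONN
                    and resets >= MIN_RESET_RATIO * opened):
                return refused, True, opened
    return refused, False, opened


def rapid_reset_pattern(n):
    """Constructed abusive sequence: every request cancelled right after opening."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        frames.extend([("HEADERS", sid), ("RST_STREAM", sid)])
    return frames


def normal_pattern(n):
    """Constructed benign sequence: n requests, one legitimately cancelled."""
    frames = [("HEADERS", 2 * i + 1) for i in range(n)]
    frames.append(("RST_STREAM", 1))
    return frames


if __name__ == "__main__":
    print(process_frames(rapid_reset_pattern(5000), reset_guard=False))  # (0, False, 5000)
    print(process_frames(rapid_reset_pattern(5000), reset_guard=True))   # (0, True, 1000)
```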
F5 is taking additional steps to ensure that customers who need to configure Nginx beyond recommended specifications are able to do so. A patch is expected to be released by F5 on Wednesday that will increase stability for such conditions.
Cloudflare, AWS, and Google have coordinated a disclosure about a series of record-breaking DDoS attacks since late August. This represents an evolving role for CISOs as they navigate the complexities of securing their technology stacks against such threats.
- In light of these DDoS attacks, organizations should prioritize cybersecurity measures, particularly for data and cloud computing systems, which can become vulnerable to attacks exploiting the HTTP/2 Rapid Reset vulnerability.
- As corporations work to fortify their technology infrastructure, they should take decisive steps to understand the implications of such vulnerabilities, ensuring that their systems are fully patched and their configurations adjusted to minimize exposure to high-severity threats such as MadeYouReset (CVE-2025-8671) and CVE-2023-44487 in data and cloud computing environments.