CyberHappenings

MadeYouReset vulnerability in HTTP/2 implementations enables large-scale DoS attacks

2 unique sources, 2 articles

Summary


A new attack technique called MadeYouReset affects multiple HTTP/2 implementations and enables large-scale denial-of-service (DoS) attacks. It bypasses the per-connection cap on concurrent streams (SETTINGS_MAX_CONCURRENT_STREAMS, which servers commonly set to 100), so a single TCP connection can push thousands of requests into a server's backend. Affected products include Apache Tomcat, F5 BIG-IP, and Netty. The attack abuses the RST_STREAM frame, which HTTP/2 uses both for client-initiated cancellation and for signaling stream errors. Rather than sending resets itself, the pattern behind the earlier Rapid Reset attacks that many servers now rate-limit, the client sends a valid request followed by a deliberately malformed frame that violates the protocol on that stream, and the server is then obliged to reset the stream. From the protocol's point of view the stream is closed and no longer counts against the concurrency limit, but the request it carried is still being processed, so the attacker can repeat the sequence indefinitely, exhausting server resources and in some implementations crashing the process. MadeYouReset is tracked as CVE-2025-8671, with severity ratings that vary across implementations. The researchers estimate that up to one-third of websites could be exposed and coordinated disclosure with more than 100 vendors.
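To make the accounting gap described above concrete, here is a small Python model of one HTTP/2 connection on the server side, with the vulnerable admission check beside a hardened one. It is an added example written for this page, not code from any affected product or from the researchers. The frame encoding follows RFC 9113, and the zero-increment WINDOW_UPDATE used as the trigger is one protocol violation that RFC 9113 (Section 6.9) requires the server to answer with a stream-level PROTOCOL_ERROR; other violations that end in a server-sent RST_STREAM behave the same way in the model. The `Server` and `run_burst` names, the empty HEADERS payload standing in for a real request, and the "count in-flight backend work" fix are assumptions of the model, not a description of how any vendor patched.

```python
"""Toy model of HTTP/2 stream accounting on the server side.

Constructed example, not code from any real server or from the MadeYouReset
researchers. A stream the server itself resets drops out of the open-stream
count while the request it carried is still being processed by the backend.
"""
import struct
from dataclasses import dataclass, field

# Frame types, flags and error codes from RFC 9113.
HEADERS, RST_STREAM, WINDOW_UPDATE = 0x1, 0x3, 0x8
END_STREAM, END_HEADERS = 0x1, 0x4
PROTOCOL_ERROR, REFUSED_STREAM = 0x1, 0x7


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise a frame: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frame(buf: bytes) -> Frame:
    """Inverse of build_frame for a buffer holding exactly one frame."""
    length = int.from_bytes(buf[:3], "big")
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    return Frame(buf[3], buf[4], stream_id, buf[9:9 + length])


@dataclass
class Server:
    """One HTTP/2 connection. hardened=False admits on the open-stream count only (assumed model)."""
    hardened: bool
    max_concurrent_streams: int = 100              # the usual SETTINGS value
    open_streams: set = field(default_factory=set)
    backend_inflight: int = 0                      # requests the backend has not finished
    client_resets: int = 0                         # what Rapid Reset mitigations throttle
    rst_sent: list = field(default_factory=list)   # error codes of RST_STREAMs we emitted

    def _rst(self, stream_id: int, code: int) -> bytes:
        self.rst_sent.append(code)
        self.open_streams.discard(stream_id)
        return build_frame(RST_STREAM, 0, stream_id, struct.pack("!I", code))

    def recv(self, raw: bytes) -> bytes:
        """Process one client frame; return the frame we answer with, if any."""
        f = parse_frame(raw)
        if f.ftype == HEADERS and f.flags & END_STREAM:
            # Admission check. The vulnerable form counts protocol-level open
            # streams; the hardened form counts work the backend still holds.
            load = self.backend_inflight if self.hardened else len(self.open_streams)
            if load >= self.max_concurrent_streams:
                return self._rst(f.stream_id, REFUSED_STREAM)
            self.open_streams.add(f.stream_id)
            self.backend_inflight += 1             # request dispatched to the backend
        elif f.ftype == RST_STREAM:
            self.client_resets += 1                # never happens in this attack
            self.open_streams.discard(f.stream_id)
        elif f.ftype == WINDOW_UPDATE and f.stream_id in self.open_streams:
            increment = struct.unpack("!I", f.payload)[0] & 0x7FFFFFFF
            if increment == 0:
                # RFC 9113 s6.9: a zero increment on a stream is a stream error,
                # so the server resets the stream and frees its concurrency slot.
                # Nothing tells the backend to stop, so backend_inflight stays.
                return self._rst(f.stream_id, PROTOCOL_ERROR)
        return b""

    def backend_done(self, stream_id: int) -> None:
        """Called when a handler finishes; only then does the real load drop."""
        self.backend_inflight -= 1
        self.open_streams.discard(stream_id)


def run_burst(server: Server, requests: int) -> tuple:
    """Send `requests` (request, zero WINDOW_UPDATE) pairs with no backend completions."""
    for sid in range(1, 2 * requests, 2):          # client-initiated streams are odd
        server.recv(build_frame(HEADERS, END_STREAM | END_HEADERS, sid))
        server.recv(build_frame(WINDOW_UPDATE, 0, sid, (0).to_bytes(4, "big")))
    return (server.backend_inflight, len(server.open_streams), server.client_resets,
            server.rst_sent.count(PROTOCOL_ERROR), server.rst_sent.count(REFUSED_STREAM))


if __name__ == "__main__":
    print("vulnerable:", run_burst(Server(hardened=False), 1000))  # (1000, 0, 0, 1000, 0)
    print("hardened:  ", run_burst(Server(hardened=True), 1000))   # (100, 0, 0, 100, 900)
```

The vulnerable run ends with zero open streams, no client-sent resets (so Rapid Reset-style throttling of client RST_STREAM frames never engages) and 1,000 requests still queued at the backend. The hardened run caps backend work at 100 and answers the rest with REFUSED_STREAM, which a well-behaved client may simply retry. Actual vendor fixes differ in detail; the point of the model is that admission has to be gated on work the server still holds, not on what the protocol state machine counts as open.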

Timeline

  1. 14.08.2025 18:20 (2 articles)

    MadeYouReset vulnerability in HTTP/2 implementations enables large-scale DoS attacks

    The MadeYouReset technique was discovered by researchers from Tel Aviv University. It lets an attacker bypass the per-connection limit on concurrent HTTP/2 streams by sending frames that violate the protocol and force the server itself to reset the stream, so that requests keep consuming backend resources while no longer counting against the limit. Affected products include Apache Tomcat, F5 BIG-IP, and Netty. The issue is tracked as CVE-2025-8671, with severity ratings that vary by implementation; the researchers estimate that up to one-third of websites could be exposed and coordinated with more than 100 vendors.



Similar Happenings

Cloudflare mitigates 11.5 Tbps UDP flood DDoS attack

Cloudflare recently mitigated the largest volumetric DDoS attack on record, a UDP flood peaking at 11.5 Tbps that lasted roughly 35 seconds. The traffic came from a mix of IoT devices and cloud providers, Google Cloud among them; Google said its abuse defenses detected the activity and that it followed its customer notification and response procedures. The attack was one of hundreds of hyper-volumetric DDoS attacks Cloudflare has automatically mitigated in recent weeks, the largest reaching 5.1 billion packets per second (Bpps) and 11.5 Tbps. Cloudflare reports a 198% quarter-over-quarter and 358% year-over-year increase in DDoS attacks, 21.3 million attacks mitigated against its customers in 2024, 6.6 million attacks against its own infrastructure during an 18-day multi-vector campaign, and a 509% year-over-year rise in network-layer attacks since the start of 2025. Volumetric attacks aim to saturate servers or network links until they slow down or fail outright.

The traffic was generated by botnets of malware-infected devices. The RapperBot kill chain targets network video recorders (NVRs) and other IoT devices: it exploits flaws in the NVRs for initial access, uses a path traversal bug to leak valid administrator credentials, pushes a fake firmware update carrying the payload, then opens an encrypted connection to a command-and-control domain to receive DDoS commands and scans the internet for open ports to propagate. The operators' method is to scan for aged edge devices and brute-force or exploit them to run the bot.

The 35-second duration shows that raw size is not the most telling metric; an attack's complexity, persistence and impact on users matter more for defense. Separately, a DDoS mitigation provider in Europe was hit by a 1.5 Bpps packet-rate flood, one of the largest publicly disclosed. The traffic, mostly UDP, came from thousands of compromised customer-premises devices, including IoT devices and MikroTik routers, across more than 11,000 networks worldwide; FastNetMon detected it in real time and mitigated it through the customer's scrubbing facility. FastNetMon founder Pavel Odintsov called for ISP-level action to stop the weaponization of compromised consumer hardware.

Exploit chain in Sitecore Experience Platform enables remote code execution

Three new vulnerabilities in the Sitecore Experience Platform can be chained to achieve remote code execution (RCE): an HTML cache poisoning flaw, RCE through insecure deserialization, and information disclosure via the ItemService API. Patches were released in June and July 2025. The chain combines pre-authentication and post-authentication bugs to compromise fully patched instances. Separately, a zero-day, CVE-2025-53690, has been exploited in the wild to deliver malware, including the WeepSteel backdoor, and to carry out extensive reconnaissance and lateral movement. It is a ViewState deserialization flaw rooted in a sample ASP.NET machine key printed in pre-2025 Sitecore deployment guides; anyone who knows that key can forge a validly signed ViewState payload for a deployment that copied it into production. Attackers target the '/sitecore/blocked.aspx' endpoint, which exposes an unauthenticated ViewState field, and gain RCE as the IIS NETWORK SERVICE account. WeepSteel gathers system, process, disk and network information. Mandiant traced the intrusion it observed to that documentation issue. Sitecore advises customers to rotate and secure their ASP.NET machine keys, encrypt the relevant web.config sections, and restrict access to administrators only. CISA has ordered FCEB agencies to update their Sitecore instances by September 25, 2025.

Active Exploitation of FreePBX Zero-Day Vulnerability CVE-2025-57819

A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, is actively exploited in the wild. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. The vulnerability affects versions 15, 16, and 17 of FreePBX. Exploitation began on or before August 21, 2025, targeting systems with inadequate IP filtering or access control lists (ACLs). Users are advised to upgrade to the latest supported versions and restrict public access to the administrator control panel. Sangoma has released patches for the vulnerability and provided indicators-of-compromise (IOCs) to help administrators detect exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply fixes by September 19, 2025.

Citrix NetScaler ADC and Gateway vulnerabilities actively exploited

Citrix has released patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway. One of them, CVE-2025-7775, is a zero-day flaw actively exploited in the wild. The flaws affect various configurations and can lead to remote code execution, denial of service, or improper access control. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate the flaw within 48 hours. The vulnerabilities were discovered by security researchers Jimi Sebree, Jonathan Hetzer, and François Hämmerli. Nearly 20% of identified NetScaler assets run unsupported, end-of-life versions, primarily in North America and the APAC region.

Clickjacking flaws in multiple password managers

Six major password managers were shown to have unpatched clickjacking flaws that could let an attacker steal stored account credentials, 2FA codes and credit card details. Independent researcher Marek Tóth demonstrated the attack at DEF CON 33; the affected products are 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass and LogMeOnce. The technique abuses the extensions' browser-based autofill: a malicious page overlays invisible HTML elements on its content so that a click the user believes is harmless triggers autofill of sensitive data into fields the attacker controls. Tóth disclosed the issues to vendors in April 2025 and set public disclosure for August 2025; some vendors acknowledged the reports but downplayed their severity. Bitwarden has since shipped a fix in version 2025.8.0. Until the remaining vendors patch, users are advised to disable autofill and copy and paste credentials instead.