CVE-2025-2813 Overview
CVE-2025-2813 is a Denial of Service (DoS) vulnerability that allows an unauthenticated remote attacker to disrupt service availability. The attacker triggers the condition by sending a large volume of requests to the HTTP service listening on TCP port 80. The flaw is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that the affected service does not enforce request rate or resource consumption limits. The advisory was coordinated through CERT@VDE, which typically covers industrial and operational technology vendors, under reference VDE-2025-029.
Critical Impact
An unauthenticated network attacker can render the HTTP service unreachable, impacting availability of the affected device and any dependent operations.
Affected Products
- Refer to CERT@VDE Security Advisory VDE-2025-029 for the authoritative list of affected products and versions.
Discovery Timeline
- 2025-07-31 - CVE-2025-2813 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-2813
Vulnerability Analysis
The vulnerability is a network-reachable resource exhaustion flaw in the embedded HTTP service. An attacker sends a large number of HTTP requests to TCP port 80, and the service fails to throttle or constrain processing. The result is exhaustion of compute, memory, or connection resources, which prevents legitimate clients from receiving responses. The flaw requires no authentication, no user interaction, and only network reachability to the target. Confidentiality and integrity are unaffected, but availability is fully compromised while the flood continues. The EPSS probability is 0.156% at the 35.89th percentile, indicating no observed mass exploitation activity at this time.
Root Cause
The root cause is the absence of rate limiting, connection caps, or request throttling on the HTTP listener, consistent with CWE-770. The service accepts and processes inbound HTTP requests faster than it can release the underlying resources. Embedded and industrial devices frequently lack hardened request schedulers, which makes them susceptible to commodity flood techniques.
Attack Vector
The attack vector is network-based and requires only the ability to reach TCP port 80 on the target. An attacker can use widely available HTTP load-generation tools to issue concurrent GET or POST requests until the service becomes unresponsive. No authentication, credentials, or prior reconnaissance beyond port discovery is required. See the CERT@VDE Security Advisory VDE-2025-029 for vendor-specific technical detail.
Detection Methods for CVE-2025-2813
Indicators of Compromise
- Sudden spike in inbound TCP connections to port 80 from one or a small set of source IP addresses.
- HTTP server logs showing high request rates without a corresponding business workflow.
- Device telemetry indicating CPU or memory saturation correlated with HTTP traffic surges.
- Loss of management or operator console access to the affected device while ICMP remains responsive.
Detection Strategies
- Deploy network flow monitoring (NetFlow, IPFIX, or sFlow) to baseline normal HTTP request rates and alert on deviations.
- Use an intrusion detection system signature to flag HTTP request rates exceeding a defined threshold per source per minute.
- Correlate availability monitoring alerts for the affected service with concurrent inbound traffic volume.
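An added example (not part of the advisory or of any vendor tooling) of the per-source, per-minute threshold check described above, run over constructed access-log lines. The Common Log Format, the documentation-range addresses and the threshold of 30 are assumptions; the check uses a sliding 60-second window so a burst that straddles a minute boundary is still counted whole.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: Common Log Format ("src - - [timestamp] "request" status size").
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')
WINDOW = timedelta(seconds=60)

def parse(line):
    """Return (source, timestamp), or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m["src"], ts

def flood_sources(lines, threshold):
    """Peak requests per source in any sliding 60 s window, for sources whose
    peak exceeds `threshold`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)          # source -> timestamps still in window
    peak = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                     # malformed lines are skipped
        src, ts = rec
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= WINDOW:       # expire entries older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {s: n for s, n in peak.items() if n > threshold}

def sample_log():
    """Constructed data: a steady client, and a 40-request burst that a fixed
    per-minute counter would split into 10 + 30 across the minute boundary."""
    t0 = datetime(2025, 8, 1, 10, 0, 30, tzinfo=timezone.utc)
    rows = [(t0 + timedelta(seconds=20 * i), "192.0.2.10") for i in range(6)]
    rows += [(t0 + timedelta(seconds=20 + i), "198.51.100.7") for i in range(40)]
    return ['{} - - [{}] "GET / HTTP/1.1" 200 512'.format(
        src, ts.strftime("%d/%b/%Y:%H:%M:%S %z")) for ts, src in sorted(rows)]

if __name__ == "__main__":
    print(flood_sources(sample_log(), threshold=30))
```

The threshold should come from the baseline request rate measured for the device, not from the constructed value used here.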
Monitoring Recommendations
- Monitor TCP/80 connection state tables on perimeter firewalls for abnormal half-open or established connection counts.
- Track HTTP 5xx response rates and request queue depth on the embedded service where exposed via SNMP or syslog.
- Forward HTTP access logs and device health metrics to a centralized log platform for cross-source correlation.
How to Mitigate CVE-2025-2813
Immediate Actions Required
- Restrict network access to TCP port 80 on affected devices to trusted management subnets only.
- Place affected devices behind a reverse proxy or firewall capable of enforcing per-source request rate limits.
- Review the CERT@VDE Security Advisory VDE-2025-029 for vendor patch availability and apply updates once published.
Patch Information
Patch availability and fixed versions are tracked in the CERT@VDE Security Advisory VDE-2025-029. Apply vendor-supplied firmware updates as soon as they are released and verify the fix in a test environment before production deployment.
Workarounds
- Disable the HTTP service on port 80 if it is not required for operational use.
- Enforce firewall ACLs that allow port 80 only from specific operator workstations.
- Deploy a network-layer rate limiter or HTTP-aware load balancer in front of the affected device to drop excessive requests.
- Segment affected devices onto an isolated VLAN with strict ingress filtering from corporate or untrusted networks.
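# Example: iptables per-source rate limit for inbound HTTP to mitigate flood traffic
# (hashlimit keeps one bucket per source IP; plain "-m limit" is one bucket shared
# by all sources, so a single flooding source would lock out legitimate clients)
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
  -m hashlimit --hashlimit-name http_new --hashlimit-mode srcip \
  --hashlimit-upto 30/minute --hashlimit-burst 50 -j ACCEPT
# Drop new connections from sources that exceed their limit
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP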


