IRONSMITHINTEL

Severity: HIGH (CVSS 7.5) | Actively Exploited | CVE-2023-44487 | Auth: none | Reboot: required | Est. 30–60 minutes including reboot | Manual only

KB5030214: Windows Server 2019 / 2022 Cumulative Update (September 2023)

The September 2023 Patch Tuesday update addresses the HTTP/2 Rapid Reset vulnerability — a novel DDoS technique that was used to launch the largest DDoS attacks ever recorded at the time, targeting major cloud providers. Apply immediately if running IIS or any HTTP/2-capable service.

Published Sep 12, 2023 · Updated May 10, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

Attackers can mount a sustained DDoS attack against any HTTP/2 endpoint from as little as a single machine, saturating server CPU and causing a complete denial of service. Windows Server running IIS with HTTP/2 enabled is directly affected. The fix limits the number of cancelled stream resets allowed per connection.

How the attack works: no clicks needed

CVE-2023-44487 (HTTP/2 Rapid Reset) exploits a design flaw in the HTTP/2 protocol's stream cancellation mechanism. By rapidly opening and cancelling streams, attackers can overwhelm HTTP/2 servers with minimal traffic. The attack was used to generate DDoS peaks of 398 million requests per second against Google, Amazon, and Cloudflare in August 2023.
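The defence the patch applies is a per-connection budget for cancelled streams: a client that keeps sending RST_STREAM faster than the budget allows gets its connection aborted instead of consuming server CPU. The following PowerShell model of that budget is an added example, not code from this page or from Microsoft; the frame events, the function name Test-ResetBudget, and the limit of 100 resets per 10-second window are constructed for illustration, and real servers choose their own values.

```powershell
# Added example: model of the per-connection reset budget used against HTTP/2 Rapid Reset.
# Constructed values; not the page's or Microsoft's code.

function Test-ResetBudget {
    param(
        [Parameter(Mandatory)] [object[]] $Frames,   # objects with Conn, Type, Time (seconds)
        [int]    $MaxResets     = 100,               # resets tolerated per window per connection (assumed)
        [double] $WindowSeconds = 10                 # sliding window length (assumed)
    )
    $resets  = @{}   # Conn -> queue of RST_STREAM timestamps still inside the window
    $dropped = @{}   # Conn -> time at which the server would abort the connection

    foreach ($f in ($Frames | Sort-Object Time)) {
        if ($dropped.ContainsKey($f.Conn)) { continue }     # connection already aborted
        if ($f.Type -ne 'RST_STREAM')      { continue }     # only cancellations count against the budget

        if (-not $resets.ContainsKey($f.Conn)) {
            $resets[$f.Conn] = [System.Collections.Generic.Queue[double]]::new()
        }
        $q = $resets[$f.Conn]
        $q.Enqueue($f.Time)
        # Drop timestamps that have fallen out of the window, then test the budget.
        while ($q.Count -gt 0 -and ($f.Time - $q.Peek()) -gt $WindowSeconds) { [void]$q.Dequeue() }
        if ($q.Count -gt $MaxResets) { $dropped[$f.Conn] = $f.Time }
    }
    return $dropped
}

# Constructed traffic: a well-behaved client that cancels one stream in five, and an abusive
# client that opens a stream and resets it immediately, over and over, on one connection.
$frames = @()
1..20 | ForEach-Object {
    $frames += [pscustomobject]@{ Conn = 'good'; Type = 'HEADERS'; Time = $_ * 0.5 }
    if ($_ % 5 -eq 0) {
        $frames += [pscustomobject]@{ Conn = 'good'; Type = 'RST_STREAM'; Time = $_ * 0.5 + 0.1 }
    }
}
1..500 | ForEach-Object {
    $frames += [pscustomobject]@{ Conn = 'abuser'; Type = 'HEADERS';    Time = $_ * 0.001 }
    $frames += [pscustomobject]@{ Conn = 'abuser'; Type = 'RST_STREAM'; Time = $_ * 0.001 + 0.0005 }
}

$result = Test-ResetBudget -Frames $frames
$result   # only 'abuser' appears, aborted at its 101st reset (about 0.1 s into the trace)
```

The point of the sliding window is that the limiter never penalises ordinary cancellations (the "good" client never exceeds the budget) while it stops an abusive connection after a bounded amount of work, which is the property the patch's per-connection reset limit provides.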


Am I affected? Quick check

Probably yes if any of these apply:

Windows Servers running IIS
Internet-facing servers with HTTP/2 enabled
Load balancers
Running Windows Server 2019 prior to KB5030217 / Windows Server 2022 prior to KB5030214

Affected OS versions

Windows Server 2019, Windows Server 2022
Fixed in: KB5030214 (2022) / KB5030217 (2019)
Real-world incidents: what we've seen

In late August and early September 2023, Cloudflare, Google, and Amazon simultaneously detected DDoS attacks three times larger than any previously observed. All three independently discovered that attackers were exploiting HTTP/2 Rapid Reset. The coordinated disclosure happened on October 10, 2023 — but the vulnerability had been exploited for weeks before patching. Organisations running Windows IIS without this patch remain exposed to volumetric DoS.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5030214 (https://catalog.update.microsoft.com)

Manual remediation steps

30–60 minutes including reboot

Check Patch Status

# Windows Server 2022
Get-HotFix -Id KB5030214

# Windows Server 2019
Get-HotFix -Id KB5030217

Temporary Mitigation — Disable HTTP/2 in IIS

# HTTP/2 in IIS is handled by the HTTP.sys kernel driver, not by the IIS configuration
# schema, so it is switched off through the HTTP service's registry parameters.
$http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Check IIS HTTP/2 status (a missing value means HTTP/2 is enabled, which is the default)
Get-ItemProperty -Path $http -Name 'EnableHttp2Tls', 'EnableHttp2Cleartext' -ErrorAction SilentlyContinue

# Disable HTTP/2 (TLS and cleartext) if patching is delayed
New-ItemProperty -Path $http -Name 'EnableHttp2Tls'       -PropertyType DWord -Value 0 -Force
New-ItemProperty -Path $http -Name 'EnableHttp2Cleartext' -PropertyType DWord -Value 0 -Force
# Reboot afterwards: HTTP.sys reads these values at start, so iisreset alone does not apply them
Restart-Computer

Apply the Patch

1. Download from https://catalog.update.microsoft.com
2. Install and restart

Verify

Get-HotFix -Id KB5030214  # or KB5030217
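The check, mitigation and verify steps above can be folded into one status report that picks the right KB for the host, checks whether it is installed, and reads the HTTP.sys registry values that control HTTP/2. The script below is an added example, not IronsmithIntel's script and not Microsoft's; it uses the KB numbers from this page, and the function name Get-RapidResetStatus and the output fields are this example's own.

```powershell
# Added example: patch and mitigation status for CVE-2023-44487 on one Windows Server host.
# KB numbers come from this page; everything else is this example's own.

$RequiredKb = @{ '2019' = 'KB5030217'; '2022' = 'KB5030214' }

function Get-RapidResetStatus {
    [CmdletBinding()]
    param()

    # Identify the OS release so the correct cumulative update is checked.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $release = if     ($os.Caption -match 'Server 2019') { '2019' }
               elseif ($os.Caption -match 'Server 2022') { '2022' }
               else   { $null }
    $kb     = if ($release) { $RequiredKb[$release] } else { $null }
    $hotfix = if ($kb) { Get-HotFix -Id $kb -ErrorAction SilentlyContinue } else { $null }

    # HTTP/2 is enabled by HTTP.sys unless these DWORDs are set to 0; absent means enabled.
    $httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $reg = Get-ItemProperty -Path $httpParams -ErrorAction SilentlyContinue
    $http2Tls   = if ($null -ne $reg.EnableHttp2Tls)       { [int]$reg.EnableHttp2Tls }       else { 1 }
    $http2Clear = if ($null -ne $reg.EnableHttp2Cleartext) { [int]$reg.EnableHttp2Cleartext } else { 1 }

    # W3SVC present means the IIS role is installed on this host.
    $iisInstalled = $null -ne (Get-Service -Name W3SVC -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = $os.Caption
        Build         = $os.BuildNumber
        RequiredKB    = $kb
        Patched       = [bool]$hotfix
        InstalledOn   = $hotfix.InstalledOn
        IISInstalled  = $iisInstalled
        Http2TlsOff   = ($http2Tls -eq 0)
        Http2ClearOff = ($http2Clear -eq 0)
        # Exposed: IIS is present, the update is missing, and HTTP/2 is still on for at least one listener.
        Exposed       = ($iisInstalled -and -not $hotfix -and ($http2Tls -eq 1 -or $http2Clear -eq 1))
    }
}

Get-RapidResetStatus | Format-List
```

Run it locally as an administrator, or push it to a set of servers with `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-RapidResetStatus}` and filter on `Exposed -eq $true` to get the list that still needs either the update or the temporary HTTP/2 mitigation. A host that is unpatched but reports both Http2TlsOff and Http2ClearOff as True has the mitigation in place and is not flagged.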
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update: 1 fix · Patch-to-CVE mapping

Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference
KB5030214 | CVE-2023-44487 | Windows IIS / HTTP.sys — Windows Server 2019 / 2022 | 7.5 | NVD