CVE-2002-20001

HIGH

Balasys Dheater < 16.1.4 - Denial of Service

Title source: rule

Exploitation Summary

EIP tracks 2 public exploits for CVE-2002-20001. PoCs published by c0r0n3r, itmaniac.

Description

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.

Exploits (2)

nomisec WORKING POC 210 stars
by c0r0n3r · poc
https://github.com/c0r0n3r/dheater

This repository contains a functional proof-of-concept implementation of the D(HE)at attack (CVE-2002-20001), targeting TLS/SSH services with DHE support. The code includes threading, packet crafting, and network interaction to exploit the vulnerability.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: TLS/SSH services with DHE support
No auth needed
Prerequisites: Network access to target service · DHE support in target service
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by itmaniac · poc
https://github.com/itmaniac/dheat_dos_attack_poc

This repository contains a functional Python script that simulates a D(HE)at DoS attack against SSH services by rapidly establishing multiple TCP connections to measure connection rates and potential vulnerability to CVE-2002-20001. The script uses threading to concurrently attempt connections and tracks success/failure rates to determine if the target is potentially vulnerable.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: SSH services (unspecified version)
No auth needed
Prerequisites: Network access to the target SSH service · Python 3.x environment
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 7.5
EPSS 0.2306
EPSS Percentile 97.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE: CWE-400
Status: published
Products (50)
balasys/dheater
f5/big-ip_access_policy_manager 13.1.0 - 16.1.4
f5/big-ip_advanced_firewall_manager 17.5.0
f5/big-ip_advanced_firewall_manager 13.1.0 - 17.1.2
f5/big-ip_advanced_web_application_firewall 17.5.0
f5/big-ip_advanced_web_application_firewall 13.1.0 - 17.1.2
f5/big-ip_analytics 17.5.0
f5/big-ip_analytics 13.1.0 - 17.1.2
f5/big-ip_application_acceleration_manager 17.5.0
f5/big-ip_application_acceleration_manager 13.1.0 - 17.1.2
... and 40 more
Published Nov 11, 2021
Tracked Since Feb 18, 2026