Three stories matter for defenders this morning. A cross-vendor HTTP/2 denial-of-service technique works against default configurations on every major web server stack. Acer disclosed two maximum-severity zero-days in its consumer mesh routers — no patches yet. And a public proof-of-concept for a VS Code zero-day exfiltrates GitHub personal access tokens with a single click. Each one represents a different attack surface — infrastructure, remote-worker perimeter, and developer supply chain — and each one demands a specific response today.
In the News
HTTP/2 Bomb DoS Hits Default Configs on NGINX, Apache, IIS, Envoy, and Cloudflare
A newly disclosed denial-of-service technique called “HTTP/2 Bomb” exploits the stream multiplexing mechanism in HTTP/2 to overwhelm web servers with minimal attacker bandwidth. The technique works against default configurations — no special setup, no authentication, no vulnerability beyond the protocol’s own design assumptions. NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare-proxied origins have all been confirmed vulnerable.
The mechanism is straightforward: HTTP/2 allows multiplexing hundreds of streams over a single TCP connection. The HTTP/2 Bomb sends a carefully crafted burst of streams and headers that forces the server to allocate disproportionate memory and CPU relative to the attacker’s bandwidth cost. The result is resource exhaustion in seconds, not minutes. This is not a volumetric DDoS that upstream scrubbing can absorb — it operates at the application layer, inside the TLS session, and targets the web server process directly.
The operational impact is significant because most production web servers have never tuned their HTTP/2 stream limits. Organizations that deployed HTTP/2 for performance — which is now the majority of customer-facing web infrastructure — inherited this exposure the day they enabled the protocol. Legacy WAF deployments that inspect at the HTTP/1.1 layer will not catch this, because the malicious behavior exists entirely within the HTTP/2 framing layer.
What defenders should do: Immediately review HTTP/2 stream concurrency limits on all internet-facing web servers. For NGINX, set http2_max_concurrent_streams to a value appropriate for your application (the default of 128 is too high for most deployments). For Apache, tune H2MaxSessionStreams. For Envoy, configure max_concurrent_streams in the HTTP/2 protocol options. Deploy WAF rules that can inspect HTTP/2 frames, not just HTTP/1.1 request/response bodies. If your WAF cannot inspect HTTP/2 at the protocol level, you have a coverage gap that matters today.
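The stream-limit directives named above can be audited before a change window. The script below is an added example, not code from the brief or from any vendor: it scans config text for the NGINX, Apache and Envoy directives named in the brief and reports the most permissive limit in effect. The NGINX default of 128 is the figure the brief gives; the Apache and Envoy defaults and the ceiling of 32 are assumptions to check against your vendor documentation and your application's needs.

```python
"""Audit HTTP/2 stream-concurrency limits in NGINX, Apache httpd and Envoy configs."""
import re
from dataclasses import dataclass

# Default stream limit when the directive is absent. NGINX's 128 is the figure
# stated in the brief; the Apache and Envoy defaults are assumptions taken from
# vendor documentation and should be checked against the version you run.
DEFAULTS = {"nginx": 128, "apache": 100, "envoy": 2**31 - 1}

# Directive names as given in the brief (Apache directives are case-insensitive).
PATTERNS = {
    "nginx": re.compile(r"^\s*http2_max_concurrent_streams\s+(\d+)\s*;", re.M),
    "apache": re.compile(r"^\s*H2MaxSessionStreams\s+(\d+)", re.M | re.I),
    "envoy": re.compile(r"^\s*max_concurrent_streams\s*:\s*(\d+)", re.M),
}


@dataclass
class Finding:
    server: str
    configured: bool   # directive present at least once
    value: int         # most permissive limit in effect
    ok: bool           # value <= ceiling


def audit(server: str, config_text: str, ceiling: int = 32) -> Finding:
    """Report the effective stream limit for one config.

    The ceiling of 32 is an assumed, conservative starting point; the brief only
    says the NGINX default of 128 is too high for most deployments. Where the
    directive appears several times (e.g. per server block) the largest value
    is reported, since that is the limit a single connection can reach.
    """
    values = [int(v) for v in PATTERNS[server].findall(config_text)]
    if values:
        return Finding(server, True, max(values), max(values) <= ceiling)
    default = DEFAULTS[server]
    return Finding(server, False, default, default <= ceiling)


# Constructed sample configs for the demonstration (not from any real deployment).
NGINX_WEAK = """
http {
    server {
        listen 443 ssl http2;
        # no http2_max_concurrent_streams here: the default applies
    }
}
"""
NGINX_TUNED = "http {\n    http2_max_concurrent_streams 32;\n    server { listen 443 ssl http2; }\n}\n"
APACHE_TUNED = "Protocols h2 http/1.1\nH2MaxSessionStreams 16\n"
ENVOY_TUNED = """
http2_protocol_options:
  max_concurrent_streams: 64
"""
ENVOY_WEAK = "http2_protocol_options: {}\n"

if __name__ == "__main__":
    for name, cfg in [("nginx", NGINX_WEAK), ("nginx", NGINX_TUNED),
                      ("apache", APACHE_TUNED), ("envoy", ENVOY_TUNED),
                      ("envoy", ENVOY_WEAK)]:
        print(audit(name, cfg))
```

Run it against the files pulled from each internet-facing host; a Finding with `configured=False` means the server is still on its default, which is exactly the exposure the brief describes.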
Acer Wave 7 Routers Ship with Two CVSS 10.0 Zero-Days
Acer disclosed two maximum-severity vulnerabilities — both rated CVSS 10.0 — in its Wave 7 consumer mesh router line. Both flaws allow unauthenticated remote code execution against internet-facing devices. No patches are available; Acer states firmware updates are in development.
This is a consumer device, not an enterprise product, which means it will not appear in corporate asset inventories. It will, however, sit upstream of corporate VPN sessions, home-office endpoints, and BYOD devices. The remote-work attack surface that expanded during the pandemic never contracted — it just stopped getting attention. A compromised home router gives an attacker a man-in-the-middle position on every connection the remote worker makes, including VPN tunnels that rely on the router’s DNS resolution.
What defenders should do: If your organization supports remote or hybrid workers, this is a reminder that endpoint posture checks must include network-level context. Enforce ZTNA policies that do not implicitly trust the home network. For organizations with asset discovery capabilities, consider scanning for Acer Wave 7 devices on employee networks — or at minimum, communicating the advisory to remote workers and recommending they check for firmware updates when available.
VS Code Zero-Day Steals GitHub Tokens via One-Click Exploit
A proof-of-concept exploit for a zero-day vulnerability in Visual Studio Code demonstrates exfiltration of GitHub personal access tokens through a single click on a crafted URI link. The vulnerability abuses VS Code’s URI handler to invoke extension functionality without user confirmation, allowing an attacker to trigger a malicious action that reads stored GitHub credentials and transmits them to an external server.
The blast radius is enormous. VS Code is the dominant IDE across the industry, and GitHub integration — including stored PATs — is near-universal in professional development workflows. A stolen PAT gives an attacker commit access to every repository the token is scoped to. This is supply-chain compromise at the individual developer level: no build pipeline poisoning required, no compromised dependency — just one click and the attacker has write access to production code.
The PoC is public, which means exploitation is trivial for any motivated threat actor. Microsoft has not released a patch. The immediate attack vector is phishing: a crafted link in an email, Slack message, or GitHub issue comment that triggers the URI handler when clicked.
What defenders should do: Audit GitHub PAT scopes across your development organization — tokens should follow least privilege, with repository-scoped tokens preferred over org-wide tokens. Enable GitHub’s secret scanning and push protection to detect committed credentials. Deploy EDR on developer workstations with behavioral rules that flag VS Code spawning unexpected child processes or making outbound connections to non-GitHub domains. Rotate any PATs that may have been exposed. Consider disabling VS Code’s URI handler ("security.allowedUriHandlerExtensions": []) as a compensating control until a patch is available.
Defender Action Items
- HTTP/2 Bomb: Reduce HTTP/2 stream concurrency limits (http2_max_concurrent_streams on NGINX, H2MaxSessionStreams on Apache, max_concurrent_streams on Envoy) on all internet-facing instances. Verify WAF HTTP/2 frame-level inspection capability. Test with the published PoC against staging environments.
- Acer Wave 7: Communicate the advisory to remote workers. Enforce endpoint posture and ZTNA policies that do not trust the home network implicitly. Monitor for firmware update availability.
- VS Code token theft: Audit and rotate GitHub PATs. Scope tokens to minimum required permissions. Enable GitHub secret scanning and push protection. Deploy EDR behavioral rules for anomalous VS Code process chains. Consider disabling the VS Code URI handler.
- CVE-2026-8206 (Kirki WordPress): Update or deactivate the Kirki plugin immediately. Deploy WAF rules blocking unauthenticated admin-creation requests.
- CVE-2025-48595 (Android): Push the June 2026 Android security patch via MDM and verify fleet compliance within 48 hours.
- CVE-2026-0251 (GlobalProtect): Schedule GlobalProtect client updates, prioritizing endpoints with local admin users.
Detection Queries
The VS Code zero-day exploits URI handler invocations that spawn unexpected network connections. The following Splunk SPL query detects VS Code child processes initiating outbound HTTPS connections to destinations outside GitHub’s known IP ranges — a high-fidelity signal for token exfiltration attempts.
index=edr sourcetype=process_creation
(parent_process_name="code.exe" OR parent_process_name="code")
| search dest_port=443
| where NOT cidrmatch("140.82.112.0/20", dest_ip)
AND NOT cidrmatch("143.55.64.0/20", dest_ip)
AND NOT cidrmatch("192.30.252.0/22", dest_ip)
| stats count by host, user, process_name, dest_ip, dest_port, _time
| sort -_time
This query filters out connections to GitHub’s published IP ranges (verify current ranges via the GitHub meta API, since they change). The parent-process clause is parenthesized so that the `index` and `sourcetype` terms apply to both process names; without the parentheses, SPL’s operator precedence would match every event whose parent is named `code`, regardless of index. The query also assumes your EDR records the destination address on the process event; if network connections are logged as separate events (for example Sysmon Event ID 3), search that sourcetype with the same parent-process filter instead. Any VS Code child process connecting to an IP outside those ranges over HTTPS warrants investigation — especially if the destination is a cloud VPS or a domain registered in the last 30 days. The false positive rate is low in environments where developers do not routinely use VS Code extensions that phone home to non-GitHub infrastructure.
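The same detection logic, written as an added Python example (not part of the brief) so it can be tested offline against constructed EDR events before the SPL is deployed. It applies the query’s three filters in order, treats an unparseable destination (a hostname where an address was expected) as non-GitHub so it is surfaced rather than dropped, and reproduces the `stats count by` grouping. The GitHub ranges are the three from the query above; refresh them from the GitHub meta API in production. The sample events, hostnames and usernames are constructed.

```python
"""Flag VS Code child processes that talk HTTPS to non-GitHub addresses."""
import ipaddress
import json

# The three GitHub ranges from the SPL query; refresh from the GitHub meta API.
GITHUB_RANGES = [ipaddress.ip_network(c) for c in
                 ("140.82.112.0/20", "143.55.64.0/20", "192.30.252.0/22")]
VSCODE_PARENTS = {"code.exe", "code"}


def is_github(dest_ip: str) -> bool:
    """True if dest_ip falls in a listed GitHub range.

    Unparseable values (e.g. a hostname instead of an address) are treated as
    non-GitHub so they are surfaced rather than silently dropped.
    """
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False
    return any(addr in net for net in GITHUB_RANGES)


def is_suspicious(event: dict) -> bool:
    """Mirror of the query's filters: VS Code parent, port 443, non-GitHub dest."""
    return (event.get("parent_process_name") in VSCODE_PARENTS
            and event.get("dest_port") == 443
            and not is_github(str(event.get("dest_ip", ""))))


def scan(jsonl: str) -> list[dict]:
    """Run the filter over JSON-lines EDR events, newest first (like sort -_time)."""
    hits = [e for e in (json.loads(l) for l in jsonl.splitlines() if l.strip())
            if is_suspicious(e)]
    return sorted(hits, key=lambda e: e["_time"], reverse=True)


def summarize(hits: list[dict]) -> dict[tuple, int]:
    """Equivalent of stats count by host, user, process_name, dest_ip, dest_port."""
    counts: dict[tuple, int] = {}
    for e in hits:
        key = (e["host"], e["user"], e["process_name"], e["dest_ip"], e["dest_port"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events, not real telemetry. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for attacker hosts.
SAMPLE_EVENTS = """\
{"_time": "2026-01-05T08:01:10Z", "host": "dev-01", "user": "alice", "parent_process_name": "code.exe", "process_name": "node.exe", "dest_ip": "140.82.114.4", "dest_port": 443}
{"_time": "2026-01-05T08:01:12Z", "host": "dev-01", "user": "alice", "parent_process_name": "code.exe", "process_name": "powershell.exe", "dest_ip": "203.0.113.7", "dest_port": 443}
{"_time": "2026-01-05T08:01:15Z", "host": "dev-01", "user": "alice", "parent_process_name": "chrome.exe", "process_name": "chrome.exe", "dest_ip": "198.51.100.9", "dest_port": 443}
{"_time": "2026-01-05T08:02:00Z", "host": "dev-02", "user": "bob", "parent_process_name": "code", "process_name": "git", "dest_ip": "192.30.255.113", "dest_port": 443}
{"_time": "2026-01-05T08:02:30Z", "host": "dev-02", "user": "bob", "parent_process_name": "code", "process_name": "node", "dest_ip": "203.0.113.7", "dest_port": 80}
{"_time": "2026-01-05T08:03:00Z", "host": "dev-02", "user": "bob", "parent_process_name": "code", "process_name": "node", "dest_ip": "203.0.113.7", "dest_port": 443}
"""

if __name__ == "__main__":
    for e in scan(SAMPLE_EVENTS):
        print(e["_time"], e["host"], e["user"], e["process_name"], "->", e["dest_ip"])
```

Of the six constructed events only two survive: the GitHub-bound ones are excluded by the CIDR check, the Chrome event by the parent filter, and the port-80 event by the port filter. A practitioner can drop real EDR exports into `scan()` to measure the false-positive rate before committing the SPL to a scheduled alert.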
References
- Acer Wave 7 Router Zero-Days — BleepingComputer
- HTTP/2 Bomb DoS Exploit — SecurityWeek
- VS Code Zero-Day GitHub Token Theft — BleepingComputer
- CVE-2026-8206 Kirki WordPress Plugin — BleepingComputer
- CVE-2025-48595 Android Framework — The Hacker News
- CVE-2026-0251 GlobalProtect — Palo Alto Security Advisories
- IMA Diligence Services Breach — SecurityWeek
- Microsoft Disclosure Policy Backlash — SecurityWeek
- Anthropic Mythos Expansion — SecurityWeek
- AI Model Vetting Executive Order — SecurityWeek
- WeedHack Minecraft Campaign — BleepingComputer
- Gamaredon WinRAR Exploitation — The Hacker News
- Kali365 Phishing Kit Expansion — Dark Reading
Subscribe to the it-learn Brief
Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.