CVE-2002-20001 [High] | Denial of Service in Dheater

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	18.72%	23.06%	+4.35%
2	2026-06-07	14.68%	18.72%	+4.04%
3	2026-03-04	—	14.68%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

18.72%

23.06%

+4.35%

2026-06-07

14.68%

18.72%

+4.04%

2026-03-04

—

14.68%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	3.6	[email protected]
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:N/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	10.0	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.5

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

3.6

[email protected]

5.0

2.0

MEDIUM

AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:P): Partial availability impact.

10.0

2.9

[email protected]

OS Trackers for CVE-2002-20001

vendor	priority	summary	link
`suse`	high	CVE-2002-20001 severity important: SUSE including 50 source package names (libopenssl-1_1-devel, libopenssl-1_1-devel-1.1.1l-150400.5.14, …), 108 product×package rows across 47 product lines (SUSE CaaS Platform 4.0, SUSE CaaS Platform 4.5, … (47 product lines)): Known Not Affected 64, Fixed 44.	https://www.suse.com/security/cve/CVE-2002-20001/

Affected software / configurations for CVE-2002-20001

Vendor	Product	Version	Raw CPE
balasys	dheater	—	cpe:2.3:a:balasys:dheater:-:::::::*
siemens	scalance_w1750d_firmware	—	cpe:2.3:o:siemens:scalance_w1750d_firmware::::::::
suse	linux_enterprise_server	11	cpe:2.3:o:suse:linux_enterprise_server:11:-::::::
suse	linux_enterprise_server	12	cpe:2.3:o:suse:linux_enterprise_server:12:-::::::
suse	linux_enterprise_server	15	cpe:2.3:o:suse:linux_enterprise_server:15:::::::*
f5	big-ip_access_policy_manager	>= 13.1.0, < 16.1.4	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
f5	big-ip_access_policy_manager	>= 17.0.0, < 17.1.0	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
f5	big-ip_advanced_firewall_manager	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::
f5	big-ip_advanced_firewall_manager	17.5.0	cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.5.0:::::::*
f5	big-ip_advanced_web_application_firewall	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
f5	big-ip_advanced_web_application_firewall	17.5.0	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:17.5.0:::::::*
f5	big-ip_analytics	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_analytics::::::::
f5	big-ip_analytics	17.5.0	cpe:2.3:a:f5:big-ip_analytics:17.5.0:::::::*
f5	big-ip_application_acceleration_manager	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
f5	big-ip_application_acceleration_manager	17.5.0	cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.5.0:::::::*
f5	big-ip_application_security_manager	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_application_security_manager::::::::
f5	big-ip_application_security_manager	17.5.0	cpe:2.3:a:f5:big-ip_application_security_manager:17.5.0:::::::*
f5	big-ip_application_visibility_and_reporting	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_application_visibility_and_reporting::::::::
f5	big-ip_application_visibility_and_reporting	17.5.0	cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:17.5.0:::::::*
f5	big-ip_carrier-grade_nat	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_carrier-grade_nat::::::::
f5	big-ip_carrier-grade_nat	17.5.0	cpe:2.3:a:f5:big-ip_carrier-grade_nat:17.5.0:::::::*
f5	big-ip_ddos_hybrid_defender	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_ddos_hybrid_defender::::::::
f5	big-ip_ddos_hybrid_defender	17.5.0	cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:17.5.0:::::::*
f5	big-ip_domain_name_system	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_domain_name_system::::::::
f5	big-ip_domain_name_system	17.5.0	cpe:2.3:a:f5:big-ip_domain_name_system:17.5.0:::::::*
f5	big-ip_edge_gateway	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_edge_gateway::::::::
f5	big-ip_edge_gateway	17.5.0	cpe:2.3:a:f5:big-ip_edge_gateway:17.5.0:::::::*
f5	big-ip_fraud_protection_service	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::
f5	big-ip_fraud_protection_service	17.5.0	cpe:2.3:a:f5:big-ip_fraud_protection_service:17.5.0:::::::*
f5	big-ip_global_traffic_manager	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
f5	big-ip_global_traffic_manager	17.5.0	cpe:2.3:a:f5:big-ip_global_traffic_manager:17.5.0:::::::*
f5	big-ip_link_controller	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_link_controller::::::::
f5	big-ip_link_controller	17.5.0	cpe:2.3:a:f5:big-ip_link_controller:17.5.0:::::::*
f5	big-ip_local_traffic_manager	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
f5	big-ip_local_traffic_manager	17.5.0	cpe:2.3:a:f5:big-ip_local_traffic_manager:17.5.0:::::::*
f5	big-ip_policy_enforcement_manager	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::
f5	big-ip_policy_enforcement_manager	17.5.0	cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.5.0:::::::*
f5	big-ip_service_proxy	1.6.0	cpe:2.3:a:f5:big-ip_service_proxy:1.6.0:::::kubernetes::
f5	big-ip_ssl_orchestrator	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_ssl_orchestrator::::::::
f5	big-ip_ssl_orchestrator	17.5.0	cpe:2.3:a:f5:big-ip_ssl_orchestrator:17.5.0:::::::*
f5	big-ip_webaccelerator	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_webaccelerator::::::::
f5	big-ip_webaccelerator	17.5.0	cpe:2.3:a:f5:big-ip_webaccelerator:17.5.0:::::::*
f5	big-ip_websafe	>= 13.1.0, <= 17.1.2	cpe:2.3:a:f5:big-ip_websafe::::::::
f5	big-ip_websafe	17.5.0	cpe:2.3:a:f5:big-ip_websafe:17.5.0:::::::*
f5	big-iq_centralized_management	>= 8.0.0, <= 8.4.0	cpe:2.3:a:f5:big-iq_centralized_management::::::::
f5	big-iq_centralized_management	7.1.0	cpe:2.3:a:f5:big-iq_centralized_management:7.1.0:::::::*
f5	traffix_signaling_delivery_controller	5.1.0	cpe:2.3:a:f5:traffix_signaling_delivery_controller:5.1.0:::::::*
f5	traffix_signaling_delivery_controller	5.2.0	cpe:2.3:a:f5:traffix_signaling_delivery_controller:5.2.0:::::::*
f5	f5os-a	>= 1.3.0, <= 1.3.2	cpe:2.3:o:f5:f5os-a::::::::
f5	f5os-a	>= 1.5.0, <= 1.5.3	cpe:2.3:o:f5:f5os-a::::::::
f5	f5os-a	1.8.0	cpe:2.3:o:f5:f5os-a:1.8.0:::::::*
f5	f5os-c	>= 1.3.0, <= 1.3.2	cpe:2.3:o:f5:f5os-c::::::::
f5	f5os-c	>= 1.6.0, <= 1.6.2	cpe:2.3:o:f5:f5os-c::::::::
f5	f5os-c	1.5.0	cpe:2.3:o:f5:f5os-c:1.5.0:::::::*
f5	f5os-c	1.5.1	cpe:2.3:o:f5:f5os-c:1.5.1:::::::*
f5	f5os-c	1.8.0	cpe:2.3:o:f5:f5os-c:1.8.0:::::::*
f5	f5os-c	1.8.1	cpe:2.3:o:f5:f5os-c:1.8.1:::::::*
hpe	arubaos-cx	>= 10.06.0000, < 10.06.0180	cpe:2.3:o:hpe:arubaos-cx::::::::
hpe	arubaos-cx	>= 10.07.0000, < 10.07.0030	cpe:2.3:o:hpe:arubaos-cx::::::::
hpe	arubaos-cx	>= 10.08.0000, < 10.08.0010	cpe:2.3:o:hpe:arubaos-cx::::::::
hpe	arubaos-cx	>= 10.09.0000, < 10.09.0002	cpe:2.3:o:hpe:arubaos-cx::::::::
stormshield	stormshield_management_center	< 3.3.3	cpe:2.3:a:stormshield:stormshield_management_center::::::::
stormshield	stormshield_network_security	>= 2.7.0, < 4.3.16	cpe:2.3:a:stormshield:stormshield_network_security::::::::
stormshield	stormshield_network_security	>= 4.4.0, < 4.6.3	cpe:2.3:a:stormshield:stormshield_network_security::::::::

References for CVE-2002-20001

URL	Tags
https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf	Third Party Advisory
https://dheatattack.com	Third Party Advisory
https://dheatattack.gitlab.io/	Third Party Advisory
https://github.com/Balasys/dheater	Product Third Party Advisory
https://github.com/mozilla/ssl-config-generator/issues/162	Issue Tracking
https://gitlab.com/dheatattack/dheater	Third Party Advisory
https://ieeexplore.ieee.org/document/10374117	Technical Description Third Party Advisory
https://support.f5.com/csp/article/K83120834	Third Party Advisory
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt	Technical Description Third Party Advisory
https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/	Third Party Advisory
https://www.reddit.com/r/netsec/comments/qdoosy/server_overload_by_enforcing_dhe_key_exchange/	Issue Tracking
https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol	Exploit Technical Description
https://www.suse.com/support/kb/doc/?id=000020510	Third Party Advisory

URL

CVE-2002-20001

Public exploit references (Exploit-DB) for CVE-2002-20001

Exploit prediction scoring system (EPSS) score for CVE-2002-20001

Common vulnerability scoring system (CVSS) metrics for CVE-2002-20001

Weakness enumeration for CVE-2002-20001

OS Trackers for CVE-2002-20001

Affected software / configurations for CVE-2002-20001

References for CVE-2002-20001