Microsoft ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability

Vulnerability

A vulnerability exists in ASP.NET Core Identity as shipped with End of Life (EOL) versions of ASP.NET Core and with Microsoft Visual Studio 2022, allowing an unauthorized attacker to elevate privileges over the network. The root cause is weak authentication: the SignInManager.RefreshSignInAsync method re-issues the authentication cookie for whichever user object it is handed, without verifying that this user is the principal currently signed in. Application code that passes in a user other than the caller therefore lets the caller take over that user's session.

Impact

Exploitation of this vulnerability allows an authenticated attacker to replace their own session with that of another user and to assume that user's identity, gaining every privilege and role associated with the victim account.

Reproduction

To reproduce this vulnerability, set up an ASP.NET Core Identity project on an affected version and create two user accounts, User A and User B. Authenticate as User A, then have the application call RefreshSignInAsync with User B's user object as the parameter (for instance from an endpoint that looks the user up by an ID taken from the request). Because the method does not check that the supplied user matches the signed-in principal, the authentication cookie is re-issued for User B and subsequent requests run as User B. Note that the flaw is only reachable where application code can be made to call RefreshSignInAsync with a user other than the current one, so reviewing every call site of that method is the first step in assessing exposure.
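The following is an added example, not code from the original page or from Microsoft, showing the reproduction above in application terms: a vulnerable endpoint that lets the caller pick the user whose session is refreshed, beside a hardened helper that refuses to refresh anything but the caller's own session. It assumes the default IdentityUser type; the controller, route names, request body and the SafeRefreshSignInAsync helper are hypothetical.

```csharp
// Added example (not from the original page or from Microsoft's code).
// Assumes ASP.NET Core Identity with the default IdentityUser.
// The controller, routes, RefreshRequest type and SafeRefreshSignInAsync helper are hypothetical.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("account")]
[Authorize]
public class SessionController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public SessionController(UserManager<IdentityUser> userManager,
                             SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // VULNERABLE: the user whose cookie is re-issued comes from the request body.
    // On an unpatched Identity, RefreshSignInAsync does not check that `target`
    // is the currently signed-in principal, so User A can post User B's id and
    // come back with an authentication cookie for User B.
    [HttpPost("refresh-vulnerable")]
    public async Task<IActionResult> RefreshVulnerable([FromBody] RefreshRequest req)
    {
        var target = await _userManager.FindByIdAsync(req.UserId);
        if (target == null) return NotFound();

        await _signInManager.RefreshSignInAsync(target); // session now belongs to `target`
        return Ok();
    }

    // HARDENED: the user is resolved from the authenticated principal, never from
    // the request, and the guarded helper is used instead of calling RefreshSignInAsync directly.
    [HttpPost("refresh")]
    public async Task<IActionResult> Refresh()
    {
        var currentUser = await _userManager.GetUserAsync(User);
        if (currentUser == null) return Unauthorized();

        var refreshed = await SafeRefreshSignInAsync(currentUser);
        return refreshed ? Ok() : Forbid();
    }

    // Hypothetical guard for use at every RefreshSignInAsync call site in app code.
    // It compares the id of the user about to be refreshed with the id carried by the
    // current principal (UserManager.GetUserId honours a customised UserIdClaimType)
    // and only refreshes when they match. This is the check the unpatched method
    // lacks; keeping it in app code also protects callers on not-yet-upgraded runtimes.
    private async Task<bool> SafeRefreshSignInAsync(IdentityUser user)
    {
        var principalId = _userManager.GetUserId(User);
        var targetId = await _userManager.GetUserIdAsync(user);

        if (principalId == null ||
            !string.Equals(principalId, targetId, StringComparison.Ordinal))
        {
            // Refusing here is what turns the session-swap into a no-op.
            return false;
        }

        await _signInManager.RefreshSignInAsync(user);
        return true;
    }
}

public sealed class RefreshRequest
{
    public string UserId { get; set; } = string.Empty;
}
```

With the vulnerable endpoint, a request from User A's session with User B's id in the body reproduces the swap described above; with the hardened endpoint there is no way to name another user at all, and the guard rejects any mismatch that might still reach RefreshSignInAsync through other code paths.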

Remediation

Upgrade to ASP.NET Core Runtime 8.0.14 or later in the 8.0 line, or 9.0.3 or later in the 9.0 line, or to Microsoft.AspNetCore.Identity package version 2.3.1 or later. Framework-dependent deployments pick up the fix once the runtime on the host is updated (check what is installed with dotnet --list-runtimes); applications deployed as self-contained bundle their own runtime and must be recompiled against the patched version and redeployed. Users on EOL branches can also obtain post-EOL security support from HeroDevs.

Added: Jul 8, 2025, 5:15 PM
Updated: Jul 8, 2025, 5:15 PM

Vulnerability Rating

Custom Algorithm
spread 7.6
impact 5.0
exploitability 9.7
remediation 7.7
relevance 0.2
threat 6.4
urgency 2.9
incentive 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.