#VU105568 Improper Authentication in ASP.NET Core and Visual Studio - CVE-2025-24070

Cybersecurity Help s.r.o.

Published: 2025-03-11

Vulnerability identifier: #VU105568

Vulnerability risk: High

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-24070

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ASP.NET Core
Universal components / Libraries / Software for developers
Visual Studio
Universal components / Libraries / Software for developers

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to weak authentication in ASP.NET Core and Visual Studio. A remote attacker can bypass authentication process and gain the privileges of the compromised user.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ASP.NET Core: 8.0 - 8.0.13

Visual Studio: 17.1.0 17.1.32210.238 - 17.10.11 17.10.11, 17.8.0 17.8.34309.116 - 17.8.18 17.8.18

External links
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24070

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 8 update for .NET 8.0

Red Hat Enterprise Linux 9 update for .NET 8.0

Red Hat Enterprise Linux 9 update for .NET 9.0

Red Hat Enterprise Linux 8 update for .NET 9.0

Red Hat Enterprise Linux 9 update for .NET 8.0

Ubuntu update for dotnet8

Improper Authentication in Microsoft ASP.NET Core and Visual Studio