Earlier this week, Microsoft patched a vulnerability that was flagged with the “highest ever” severity score obtained by an ASP.NET Core security flaw.
This HTTP request smuggling bug (CVE-2025-55315) was discovered within the Kestrel ASP.NET Core net server, and it allows authenticated attackers to smuggle one other HTTP request to hijack different customers’ credentials or bypass front-end security controls.
“An attacker who efficiently exploited this vulnerability might view delicate data reminiscent of different consumer’s credentials (Confidentiality) and make adjustments to file contents on the goal server (Integrity), and so they would possibly have the ability to power a crash throughout the server (Availability),” Microsoft mentioned in a Tuesday advisory.
To make sure that their ASP.NET Core purposes are secured towards potential assaults, Microsoft advises builders and customers to take the next measures:
- If operating .NET 8 or later, set up the .NET replace from Microsoft Replace, then restart your utility or reboot the machine.
- If operating .NET 2.3, replace the bundle reference for Microsoft.AspNet.Server.Kestrel.Core to 2.3.6, then recompile the appliance, and redeploy.
- If operating a self-contained/single-file utility, set up the .NET replace, recompile, and redeploy.
To deal with the vulnerability, Microsoft has launched security updates for Microsoft Visible Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, in addition to the Microsoft.AspNetCore.Server.Kestrel.Core bundle for ASP.NET Core 2.x apps.
As .NET security technical program supervisor Barry Dorrans defined, the affect of CVE-2025-55315 assaults would rely on the focused ASP.NET utility, and susccesful exploitation might permit the risk actors to log in as a special consumer (for privilege escalation), make an inside request (in server-side request forgery assaults), bypass cross-site request forgery (CSRF) checks, or carry out injection assaults.
“However we do not know what’s potential as a result of it is depending on how you have written your app. Thus, we rating with the worst potential case in thoughts, a security function bypass which adjustments scope,” Dorrans mentioned.
“Is that probably? No, most likely not except your utility code is doing one thing odd and skips a bunch of checks that it should be making on each request. Nevertheless please go replace.”
Throughout this month’s Patch Tuesday, Microsoft launched security updates for 172 flaws, together with eight “Crucial” vulnerabilities and 6 zero-day bugs (three of which have been exploited in assaults).
This week, Microsoft additionally printed KB5066791, a cumulative replace that features the ultimate Home windows 10 security updates because the working system reaches the tip of its assist lifecycle.
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration developments.
