Critical ASP.NET Vulnerability Allows Attacker To Bypass Security Feature Remotely
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Microsoft has disclosed a serious security flaw in ASP.NET Core that enables authenticated attackers to smuggle HTTP requests and evade critical protections. <\/p>\n
Tracked as CVE-2025-55315<\/a>, the vulnerability stems from inconsistent handling of HTTP requests, a classic issue known as HTTP request\/response smuggling.<\/p>\n Released on October 14, 2025, this flaw affects developers relying on the popular web framework for building secure applications. <\/p>\n With a CVSS v3.1 base score of 9.9 rated as \u201cCritical\u201d in impact the bug poses risks to confidentiality, integrity, and even limited availability of affected systems.<\/p>\n The vulnerability exploits a weakness classified under CWE-444, where servers misinterpret HTTP requests, allowing attackers to inject malicious payloads. <\/p>\n An authorized user with low privileges can send a crafted request over the network, bypassing front-end security controls like web application firewalls. <\/p>\n This could let them hijack other users\u2019 sessions, steal sensitive credentials, or alter server files without detection. Microsoft\u2019s analysis highlights that successful exploitation leads to high confidentiality and integrity losses (C:H, I:H), with low availability impact (A:L), potentially causing server crashes.<\/p>\n The scope changes (S:C) mean the attack ripples beyond the vulnerable component, affecting unrelated resources under different security authorities.<\/p>\n Attackers need only low privileges and no user interaction, making this a low-complexity threat accessible via the network (AV:N, AC:L, PR:L, UI:N). <\/p>\n While no public exploits exist yet Microsoft deems exploitation \u201cless likely\u201d the unproven maturity (E:U) doesn\u2019t diminish the urgency. <\/p>\n Imagine a corporate intranet where an insider crafts a smuggling request<\/a> to impersonate an admin, accessing payroll data or injecting malware Or in e-commerce sites, where smuggled requests could siphon customer info during peak traffic.<\/p>\n The bug hits ASP.NET Core in .NET 8 and later versions, as well as older .NET 2.3 setups using the Kestrel server. Microsoft confirms no evidence of active exploitation, but the confirmed confidence (RC:C) and official fix (RL:O) underscore immediate action.<\/p>\n Developers on .NET 8+ should apply the latest Microsoft Update<\/a> and restart applications. For .NET 2.3, update the Microsoft.AspNetCore.Server.Kestrel.Core package to version 2.3.6, recompile, and redeploy.<\/p>\n Self-contained apps require recompilation post-update. Broader remediation involves auditing HTTP parsing in custom middleware and enabling strict request validation.<\/p>\n This flaw revives concerns over HTTP smuggling, a tactic seen in past attacks on cloud services. As remote work expands attack surfaces, organizations must prioritize patching.<\/p>\n Microsoft urges scanning for vulnerable deployments and monitoring logs for anomalous requests. With the framework powering millions of web apps, unpatched systems risk data breaches<\/a> or compliance violations.<\/p>\n Security teams should integrate this into vulnerability management workflows, especially given the framework\u2019s role in enterprise stacks.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Critical ASP.NET Vulnerability Allows Attacker To Bypass Security Feature Remotely<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nExploitation Risks In Real-World Scenarios<\/strong><\/h2>\n