
Earlier this week, Microsoft fixed a vulnerability that was marked with the “highest” severity rating ever received by an ASP.NET Core security flaw.
This HTTP request smuggling bug (CVE-2025-55315) was found in Kestrel, the ASP.NET Core web server, and it enables authenticated attackers to hijack other users’ credentials or smuggle another HTTP request to bypass front-end security controls.
“An attacker who successfully exploited this vulnerability could view sensitive information such as another user’s credentials (confidentiality) and make changes to file contents on the target server (integrity), and they may be able to force a crash within the server (availability),” Microsoft said in its Tuesday advisory.
To ensure that their ASP.NET Core applications are protected from potential attacks, Microsoft recommends developers and users take the following measures:
- If running .NET 8 or later, install the .NET update from Microsoft Update, then restart your application or restart the machine.
- If running .NET 2.3, update the package reference for Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6, then recompile the application and redeploy.
- If running a self-contained/single-file application, install the .NET update, recompile, and re-deploy.
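As an added example for the second step above (this is not code from the article or from Microsoft), the following Python script scans a .csproj for a PackageReference to the Kestrel.Core package and flags any version below the fixed 2.3.6; the sample project file is constructed here for illustration.

```python
import xml.etree.ElementTree as ET
PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_VERSION = "2.3.6"  # fixed package version from Microsoft's guidance for 2.3 apps

def parse_version(text: str) -> tuple[int, ...]:
    """'2.3.0-rc1' -> (2, 3, 0). Wildcards ('2.3.*') and empty strings give a short
    tuple, which compares below 2.3.6 and so is flagged for review, not passed."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts: list[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def _local(tag: str) -> str:
    """Strip an MSBuild xmlns prefix so legacy and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1]

def find_kestrel_core_refs(csproj_xml: str) -> list[str]:
    """Version of every PackageReference to Kestrel.Core (Version attribute or child)."""
    root = ET.fromstring(csproj_xml)
    versions = []
    for ref in root.iter():
        if _local(ref.tag) != "PackageReference" or ref.get("Include", "").lower() != PACKAGE.lower():
            continue
        ver = ref.get("Version")
        if ver is None:  # <PackageReference ...><Version>2.3.0</Version></PackageReference>
            child = next((c for c in ref if _local(c.tag) == "Version"), None)
            ver = (child.text or "").strip() if child is not None else ""
        versions.append(ver)
    return versions

def needs_update(csproj_xml: str) -> list[str]:
    """Return the Kestrel.Core versions in the project that are below the fixed version."""
    fixed = parse_version(FIXED_VERSION)
    return [v for v in find_kestrel_core_refs(csproj_xml) if parse_version(v) < fixed]

# Constructed sample project file (not from the article): one vulnerable reference.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for v in needs_update(SAMPLE_CSPROJ):
        print(f"{PACKAGE} {v} is below {FIXED_VERSION}: update, recompile and redeploy")
```

Run it over each project file in a repository; a non-empty result means the reference still needs to be bumped, recompiled and redeployed.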
To address the vulnerability, Microsoft has released security updates for the Microsoft.AspNetCore.Server.Kestrel.Core package for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as for ASP.NET Core 2.x apps.
As .NET Security Technical Program Manager Barry Dorrans explained, the impact of CVE-2025-55315 attacks will depend on the targeted ASP.NET application, and successful exploitation could allow threat actors to log in as a different user (for privilege escalation), make internal requests (in server-side request forgery attacks), bypass cross-site request forgery (CSRF) detection, or conduct injection attacks.
“But we don’t know what’s possible because it depends on how you wrote your app. Thus, we score taking into account the worst possible case, a security feature bypass that changes the scope,” Dorrans said.
“Is that a possibility? No, probably not unless your application code is doing something strange and skipping several checks that it should do on every request. Still, please update.”
During this month’s Patch Tuesday, Microsoft released security updates for 172 vulnerabilities, including eight “critical” vulnerabilities and six zero-day bugs (three of which were exploited in attacks).
This week, Microsoft also published KB5066791, a cumulative update that contains the final Windows 10 security updates as the operating system reaches the end of its support lifecycle.