CISA Adds Microsoft .NET Vulnerability to KEV Catalog Due to Active Exploitation

Microsoft .NET Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft’s .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as CVE-2023-38180 (CVSS score: 7.5), the high-severity flaw relates to a case denial-of-service (DoS) impacting .NET and Visual Studio.

It was addressed by Microsoft as part of its August 2023 Patch Tuesday updates shipped earlier this week, tagging it with an “Exploitation More Likely” assessment.

While exact details surrounding the nature of exploitation are unclear, the Windows maker has acknowledged the existence of a proof-of-concept (PoC) in its advisory. It also said that attacks leveraging the flaw can be pulled off without any additional privileges or user interaction.

“Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems,” the company said. “The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.”

Affected versions of the software include ASP.NET Core 2.1, .NET 6.0, .NET 7.0, Microsoft Visual Studio 2022 version 17.2, Microsoft Visual Studio 2022 version 17.4, and Microsoft Visual Studio 2022 version 17.6.

To mitigate potential risks, CISA has recommended Federal Civilian Executive Branch (FCEB) agencies to apply vendor-provided fixes for the vulnerability by August 30, 2023.



Original Source



A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.