Microsoft has confirmed the remediation of a critical security vulnerability in its ASP.NET Core product, identified as CVE-2025-55315, with an exceptionally high severity score of 9.9 out of 10. The flaw primarily affects the Kestrel ASP.NET Core web server, enabling unauthenticated attackers to smuggle secondary HTTP requests within the original one.
Exploiting this vulnerability could allow malicious actors to bypass multiple layers of security controls, potentially exposing sensitive user credentials, compromising the integrity of files on the target server, or even triggering system crashes.
To mitigate the issue, Microsoft has released security updates across multiple product versions, urging developers to recompile and redeploy their applications. Failure to do so may leave systems vulnerable to exploitation, posing a serious security risk for organizations relying on ASP.NET Core.
Specifically, users running .NET 8 or later should install the latest .NET update via Windows Update. Those using ASP.NET Core 2.3 must update the Microsoft.AspNetCore.Server.Kestrel.Core package to version 2.3.6, then recompile and redeploy.
For standalone or single-file applications, developers must also install the .NET update and rebuild their software. Other related products—such as Visual Studio 2022 and ASP.NET Core versions 2.3, 8.0, and 9.0—have their respective security patches, which users and developers should apply without delay.
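A quick way to audit the ASP.NET Core 2.3 remediation step above is to scan project files for the Kestrel package pinned below the fixed version. This is an added example, not code from Microsoft or from the article; it assumes SDK-style or classic `.csproj` files that declare dependencies with `PackageReference`, and the sample project below is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Package and fixed version named in the advisory for the ASP.NET Core 2.3 line.
PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_VERSION = "2.3.6"

# Constructed sample project: one Kestrel reference still on a pre-fix version.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net48</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.5" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""


def parse_version(version):
    """Turn '2.3.6' (or '2.3.6-preview1', suffix dropped) into a comparable int tuple."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def vulnerable_kestrel_refs(csproj_xml):
    """Return (package, version) pairs for Kestrel references below FIXED_VERSION.

    Unpinned references (no Version attribute or child, e.g. central package
    management) are reported as 'unpinned' so they get checked by hand.
    """
    root = ET.fromstring(csproj_xml)
    findings = []
    for elem in root.iter():
        # Strip any XML namespace so classic (non-SDK) csproj files match too.
        if elem.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        name = elem.get("Include") or elem.get("Update")
        if name != PACKAGE:
            continue
        version = elem.get("Version")
        if version is None:
            child = next((c for c in elem if c.tag.rsplit("}", 1)[-1] == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        if version is None:
            findings.append((name, "unpinned"))
        elif parse_version(version) < parse_version(FIXED_VERSION):
            findings.append((name, version))
    return findings


if __name__ == "__main__":
    for package, version in vulnerable_kestrel_refs(SAMPLE_CSPROJ):
        print(f"UPDATE NEEDED: {package} {version} -> {FIXED_VERSION}")
```

Run it over every `.csproj` in a repository and treat any hit as a project that still needs the package bump, rebuild and redeploy.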
According to Microsoft’s .NET Security Program Manager, while the vulnerability’s score appears severe, its real-world impact largely depends on how the affected framework is implemented. If downstream applications handle confidential or sensitive data, the risk escalates significantly.
Microsoft emphasizes that its rating reflects the worst-case scenario, serving as a proactive warning to developers and system administrators to apply the updates promptly and prevent potential exploitation that could compromise data confidentiality and system integrity.