Critical ASP.NET Vulnerability Allows Attacker To Bypass Security Feature Remotely

Microsoft has disclosed a serious security flaw in ASP.NET Core that enables authenticated attackers to smuggle HTTP requests and evade critical protections.

Tracked as CVE-2025-55315, the vulnerability stems from inconsistent handling of HTTP requests, a classic issue known as HTTP request/response smuggling.

Released on October 14, 2025, this flaw affects developers relying on the popular web framework for building secure applications.

With a CVSS v3.1 base score of 9.9, rated “Critical”, the bug poses risks to confidentiality, integrity and, to a limited extent, availability of affected systems.

The vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests), the weakness in which two components in the request path, such as a front-end proxy and the back-end server, disagree on where one HTTP request ends and the next begins, allowing attackers to inject malicious payloads.

An authorized user with low privileges can send a crafted request over the network, bypassing front-end security controls like web application firewalls.

This could let them hijack other users’ sessions, steal sensitive credentials, or alter server files without detection. Microsoft’s analysis highlights that successful exploitation leads to high confidentiality and integrity losses (C:H, I:H), with low availability impact (A:L), potentially causing server crashes.

The changed scope (S:C) means the attack’s impact extends beyond the vulnerable component to resources governed by a different security authority.

Exploitation Risks In Real-World Scenarios

Attackers need only low privileges and no user interaction, making this a low-complexity threat accessible via the network (AV:N, AC:L, PR:L, UI:N).

While no public exploits exist yet and Microsoft deems exploitation “less likely”, the unproven exploit maturity (E:U) doesn’t diminish the urgency.

Imagine a corporate intranet where an insider crafts a smuggling request to impersonate an admin, accessing payroll data or injecting malware. Or consider an e-commerce site, where smuggled requests could siphon customer information during peak traffic.

The bug hits ASP.NET Core in .NET 8 and later versions, as well as older .NET 2.3 setups using the Kestrel server. Microsoft confirms no evidence of active exploitation, but the confirmed report confidence (RC:C) and the availability of an official fix (RL:O) underscore the need for immediate action.

Developers on .NET 8+ should apply the latest Microsoft Update and restart applications. For .NET 2.3, update the Microsoft.AspNetCore.Server.Kestrel.Core package to version 2.3.6, recompile, and redeploy.

Self-contained apps require recompilation post-update. Broader remediation involves auditing HTTP parsing in custom middleware and enabling strict request validation.
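One way to put “strict request validation” into practice at a front-end proxy or WAF is to refuse any HTTP/1.x request whose framing two parsers could read differently, which is the root of CWE-444. The checker below is an added example for this article, not Microsoft’s code and not the CVE-2025-55315 fix; the host name and sample requests are constructed.

```python
import re

_DIGITS = re.compile(rb"^[0-9]+$")

# Constructed samples, not captured traffic: a clean request and one carrying
# two length signals that a front-end and a back-end could read differently.
CLEAN = b"POST /api/pay HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 2\r\n\r\n{}"
AMBIGUOUS = CLEAN.replace(b"Content-Length: 2", b"Content-Length: 4\r\nTransfer-Encoding: chunked")


def parse_head(raw: bytes):
    """Split a request head into (request_line, [(name, value)]); None if malformed."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        return None
    headers = []
    for line in lines[1:]:
        if b":" not in line:
            return None
        name, value = line.split(b":", 1)  # name kept exactly as sent, value trimmed
        headers.append((name, value.strip()))
    return lines[0], headers


def framing_problems(raw: bytes) -> list:
    """Return the framing ambiguities (RFC 9112 section 6.3) found in a raw request head."""
    parsed = parse_head(raw)
    if parsed is None:
        return ["malformed request head"]
    request_line, headers = parsed
    problems, cl_values, te_values = [], [], []
    for name, value in headers:
        if name != name.strip():  # "Transfer-Encoding : chunked": honoured by some parsers only
            problems.append(f"whitespace in header name {name!r}")
        key = name.strip().lower()
        if key == b"content-length":
            cl_values.append(value)
        elif key == b"transfer-encoding":
            te_values.append(value.lower())
    if cl_values and te_values:  # the CL.TE / TE.CL disagreement
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    problems += [f"non-numeric Content-Length {v!r}" for v in cl_values if not _DIGITS.match(v)]
    for v in te_values:  # chunked must be the final coding, else the body has no end marker
        if v.split(b",")[-1].strip() != b"chunked":
            problems.append("Transfer-Encoding without final chunked coding")
    if te_values and request_line.endswith(b"HTTP/1.0"):
        problems.append("Transfer-Encoding in an HTTP/1.0 request")
    return problems
```

A front-end that drops every request for which `framing_problems` returns a non-empty list never forwards an ambiguous message to the back-end, and the returned reasons give the log line that “monitoring for anomalous requests” needs.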

This flaw revives concerns over HTTP smuggling, a tactic seen in past attacks on cloud services. As remote work expands attack surfaces, organizations must prioritize patching.

Microsoft urges scanning for vulnerable deployments and monitoring logs for anomalous requests. With the framework powering millions of web apps, unpatched systems risk data breaches or compliance violations.

Security teams should integrate this into vulnerability management workflows, especially given the framework’s role in enterprise stacks.

The post Critical ASP.NET Vulnerability Allows Attacker To Bypass Security Feature Remotely appeared first on Cyber Security News.

rssfeeds-admin
