Impact of CVE-2025-24070 (Microsoft ASP.NET Core elevation of privilege vulnerability) on Compliance Accelerator and Discovery Accelerator


Article ID: 100074332


Description

CVE-2025-24070: ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability

Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
https://nvd.nist.gov/vuln/detail/cve-2025-24070
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24070

Affected Versions

According to Microsoft's advisory, the following ASP.NET Core versions are affected:

- ASP.NET Core 9.0.0 to 9.0.2
- ASP.NET Core 8.0.0 to 8.0.13
- ASP.NET Core 2.3.0

CVSS 3.x Severity and Vector Strings

- CNA: Microsoft Corporation
- Base Score: 7.0 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Impact

The vulnerability lies in the RefreshSignInAsync method of SignInManager in ASP.NET Core Identity. Before the fix, the method did not verify that the user object passed to it is the user who is currently authenticated. An application that calls RefreshSignInAsync with a user resolved from attacker-influenced input (for example an account identifier supplied in the request) would therefore have the caller's authentication cookie re-issued for that other account, allowing the caller to impersonate it and elevate privileges. Compliance Accelerator and Discovery Accelerator are not impacted by this vulnerability because they do not call RefreshSignInAsync.
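To make concrete which call pattern the advisory is about, the following is an added illustration, not Compliance Accelerator, Discovery Accelerator or Microsoft code. It shows a hypothetical ASP.NET Core Identity controller in which RefreshSignInAsync is given a user chosen by the request (the exposed pattern), beside the hardened pattern that only ever passes the currently authenticated user and keeps an explicit identity check in application code. ApplicationUser, AccountController and the route names are assumptions for the example.

```csharp
// Added illustration (not Compliance Accelerator / Discovery Accelerator code).
// ApplicationUser, AccountController and the routes are hypothetical names.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class ApplicationUser : IdentityUser { }

[ApiController]
[Route("account")]
[Authorize]
public class AccountController : ControllerBase
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public AccountController(UserManager<ApplicationUser> userManager,
                             SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // EXPOSED PATTERN: the account whose cookie gets re-issued is taken from
    // request input. On an unpatched runtime RefreshSignInAsync does not check
    // that 'user' is the caller, so posting another account's id here re-issues
    // the caller's authentication cookie for that account.
    [HttpPost("refresh-unsafe")]
    public async Task<IActionResult> RefreshUnsafe([FromForm] string userId)
    {
        var user = await _userManager.FindByIdAsync(userId);
        if (user is null) return NotFound();
        await _signInManager.RefreshSignInAsync(user);   // user chosen by the caller
        return NoContent();
    }

    // HARDENED PATTERN: resolve the user from the authenticated principal only.
    // The explicit id comparison is redundant here by construction, but keeping
    // it in application code protects any caller that obtains 'user' elsewhere.
    [HttpPost("refresh")]
    public async Task<IActionResult> Refresh()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user is null) return Forbid();

        if (user.Id != _userManager.GetUserId(User))
            return Forbid();                              // never refresh as someone else

        await _signInManager.RefreshSignInAsync(user);   // same principal as the cookie
        return NoContent();
    }
}
```

When auditing an application for exposure, the question to ask of every RefreshSignInAsync call site is where the user argument comes from: anything derived from a route value, form field, query string or header is the exposed pattern, regardless of which runtime version is installed.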

Mitigation

As Compliance Accelerator and Discovery Accelerator are not affected, no mitigation or resolution is required.

If the ASP.NET Core runtime on the server is to be upgraded for other reasons, the following versions are not affected by this vulnerability:

- Version 9.0.3 or later.
- Version 8.0.14 or later.
- Version 2.3.1 or later.

NOTE - At the time of writing, ASP.NET Core 9.x is not supported by Compliance Accelerator and Discovery Accelerator. Please see the Enterprise Vault Compatibility Guide for the latest compatibility information.
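As an added example (not Arctera/Veritas tooling), the following console program checks the Microsoft.AspNetCore.App shared runtimes installed on a server against the affected ranges listed above. It runs `dotnet --list-runtimes`, parses each Microsoft.AspNetCore.App line, and reports versions that fall inside an affected range; if the dotnet host cannot be started, a constructed sample of that command's output is parsed instead so the logic can be exercised offline. The class name and the sample lines are assumptions for the example.

```csharp
// Added example (not Arctera/Veritas code). Run with `dotnet run` in a console
// project. AspNetCoreRuntimeAudit and the sample lines are hypothetical.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class AspNetCoreRuntimeAudit
{
    // Affected ranges from the advisory: [lower, firstFixed) per release line.
    private static readonly (Version Lower, Version FirstFixed)[] Affected =
    {
        (new Version(9, 0, 0), new Version(9, 0, 3)),
        (new Version(8, 0, 0), new Version(8, 0, 14)),
        (new Version(2, 3, 0), new Version(2, 3, 1)),
    };

    // Matches output lines of `dotnet --list-runtimes` such as:
    // Microsoft.AspNetCore.App 8.0.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
    private static readonly Regex RuntimeLine =
        new(@"^Microsoft\.AspNetCore\.App\s+(\d+\.\d+\.\d+)\b", RegexOptions.Multiline);

    public static bool IsAffected(Version v)
    {
        foreach (var (lower, firstFixed) in Affected)
            if (v >= lower && v < firstFixed) return true;
        return false;
    }

    // Returns every installed Microsoft.AspNetCore.App version inside an affected range.
    public static List<Version> FindAffected(string listRuntimesOutput)
    {
        var hits = new List<Version>();
        foreach (Match m in RuntimeLine.Matches(listRuntimesOutput))
        {
            var v = Version.Parse(m.Groups[1].Value);
            if (IsAffected(v)) hits.Add(v);
        }
        return hits;
    }

    public static string ListRuntimes()
    {
        try
        {
            var psi = new ProcessStartInfo("dotnet", "--list-runtimes")
            { RedirectStandardOutput = true, UseShellExecute = false };
            using var p = Process.Start(psi)!;
            string output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            return output;
        }
        catch (Exception)
        {
            // Constructed sample output, used only when the dotnet host cannot be started.
            return "Microsoft.AspNetCore.App 8.0.12 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]\n" +
                   "Microsoft.AspNetCore.App 8.0.14 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]\n" +
                   "Microsoft.NETCore.App 8.0.12 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]\n";
        }
    }

    public static void Main()
    {
        var affected = FindAffected(ListRuntimes());
        if (affected.Count == 0)
            Console.WriteLine("No affected Microsoft.AspNetCore.App runtime found.");
        foreach (var v in affected)
            Console.WriteLine($"Affected: Microsoft.AspNetCore.App {v}; upgrade to a fixed release.");
    }
}
```

Two caveats: an affected shared runtime being present is only a finding if an application on the server actually calls RefreshSignInAsync with a caller-influenced user, which the products above do not; and the 2.3 line is delivered as NuGet packages rather than a shared runtime, so it will not appear in this output and has to be checked through the application's package references instead.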


Questions

For questions or problems regarding this vulnerability please contact Technical Support.

Environment

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC AND/OR ARCTERA US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

 


Additional Information

JIRA: CFT-7156