• Microsoft fixes one of its "highest ever" rated security flaws - here's what happened

    From TechnologyDaily@1337:1/100 to All on Mon Oct 20 17:30:08 2025
    Microsoft fixes one of its "highest ever" rated security flaws - here's what happened

    Date:
    Mon, 20 Oct 2025 16:27:00 +0000

    Description:
    An HTTP request smuggling bug was found in ASP.NET Core that could allow different security bypasses.

    FULL STORY ======================================================================
    - CVE-2025-55315 enables HTTP request smuggling in ASP.NET Core's Kestrel web server
    - Attackers can bypass controls, access credentials, alter files, or crash the server
    - Microsoft released updates for affected .NET and Visual Studio versions to mitigate the flaw

    Microsoft has confirmed it recently fixed one of the highest-severity vulnerabilities it has ever rated in its ASP.NET Core product.

    Described as an HTTP request smuggling bug, the vulnerability is tracked as CVE-2025-55315, and was given a severity score of 9.9/10 (critical).

    It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to smuggle secondary HTTP requests within the original request.

    The smuggled request can help the attacker bypass various security controls, Microsoft explained.

    "An attacker who successfully exploited this vulnerability could view sensitive information such as other user's credentials (Confidentiality) and make changes to file contents on the target server (Integrity), and they
    might be able to force a crash within the server (Availability)," Microsoft explained in its security advisory.
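    As an added illustration (not Microsoft's code, and not the specific Kestrel defect, which the article does not detail), the check below shows the condition that makes request smuggling possible in general: two HTTP/1.1 parsers in the same chain disagreeing on where a request body ends. It runs a strict framing audit over constructed sample requests and reports why a conservative front end would reject each one.

```python
# Constructed sample requests for the check below; none are taken from the advisory.
SAMPLES = {
    "clean":  b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello",
    "cl_te":  b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
              b"Content-Length: 10\r\n\r\nhello",
    "obf_te": b"POST /api HTTP/1.1\r\nHost: app\r\nTransfer-Encoding : xchunked\r\n\r\n0\r\n\r\n",
}
VALID_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}

def split_head(raw):
    """Split a raw request into (header lines, body); flag bare-LF terminators, which parsers treat differently."""
    head, _, body = raw.partition(b"\r\n\r\n")
    problems = []
    if head.count(b"\n") != head.count(b"\r\n"):
        problems.append("bare LF line terminator in header block")
    return head.replace(b"\r\n", b"\n").split(b"\n"), body, problems

def framing_problems(raw):
    """Reasons a strict front end should reject the request because its body length is ambiguous.
    Parsers that disagree on any of these points see different request boundaries; [] means unambiguous."""
    lines, _, problems = split_head(raw)
    cl, te = [], []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append(f"malformed header line {line!r}")
            continue
        if name != name.strip():                      # e.g. "Transfer-Encoding : chunked"
            problems.append(f"whitespace around header name {name!r}")
        key = name.strip().lower()
        if key == b"content-length":
            cl.append(value.strip())
        elif key == b"transfer-encoding":
            te.append(value.strip())
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present (CL.TE / TE.CL ambiguity)")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    problems += [f"non-numeric Content-Length {v!r}" for v in cl if not v.isdigit()]
    for v in te:
        codings = [c.strip().lower() for c in v.split(b",")]
        if codings[-1] != b"chunked" or any(c.decode("latin-1") not in VALID_CODINGS for c in codings):
            problems.append(f"unrecognised or misordered Transfer-Encoding {v!r}")
    return problems

def audit(samples=SAMPLES):
    # Map each sample name to the list of framing problems a strict parser would report.
    return {name: framing_problems(raw) for name, raw in samples.items()}
```

Only the "clean" sample passes; the others are rejected for the ambiguity named in the returned message rather than being forwarded for a downstream parser to interpret differently.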

    Depending on which versions you are running, there are different ways to secure your infrastructure from potential attacks.

    Those running .NET 8 or later should install the .NET update from Microsoft Update, while those running ASP.NET Core 2.3 should update the package reference for Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6, then recompile the
    application and redeploy. Those running a self-contained/single-file application should install the .NET update, recompile, and redeploy.

    Microsoft has also released security updates for Microsoft Visual Studio
    2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as
    the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.

    On GitHub, .NET security technical program manager Barry Dorrans said that
    the bug's score would be nowhere near that high, but scores are based on how the bug might affect applications built on top of ASP.NET, so it really comes down to each individual app:

    "We don't know what's possible because it's dependent on how you've written your app," he said. "Thus, we score with the worst possible case in mind, a security feature bypass which changes scope."

    Via The Register

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/microsoft-fixes-one-of-its-highest-ever-rated-security-flaws-heres-what-happened


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)