CISA Adds Microsoft .NET Vulnerability to KEV Catalog Due to Active Exploitation

11-08-2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft’s .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as CVE-2023-38180 (CVSS score: 7.5), the high-severity flaw relates to a case of denial-of-service (DoS) impacting .NET and Visual Studio.

It was addressed by Microsoft as part of its August 2023 Patch Tuesday updates shipped earlier this week, tagging it with an “Exploitation More Likely” assessment.

“Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems,” the company said. “The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.”

Affected versions of the software include ASP.NET Core 2.1, .NET 6.0, .NET 7.0, Microsoft Visual Studio 2022 version 17.2, Microsoft Visual Studio 2022 version 17.4, and Microsoft Visual Studio 2022 version 17.6.

To mitigate potential risks, CISA has recommended that Federal Civilian Executive Branch (FCEB) agencies apply vendor-provided fixes for the vulnerability by August 30, 2023.

 

Source: https://thehackernews.com/