The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included a newly patched vulnerability affecting Microsoft’s .NET and Visual Studio products in its Known Exploited Vulnerabilities (KEV) catalog. This decision comes in response to evidence indicating that the flaw is actively being exploited in the wild.
This vulnerability, tracked as CVE-2023-38180, carries a CVSS score of 7.5, categorizing it as high severity. It is related to a denial-of-service (DoS) condition that affects users of both .NET and Visual Studio products.
The issue was addressed by Microsoft during its August 2023 Patch Tuesday updates, which were released earlier this week. The company has classified this vulnerability with an assessment indicating that exploitation is increasingly likely.
While the specific details regarding exploitation remain somewhat elusive, Microsoft has acknowledged the existence of proof-of-concept exploit code. The advisory clarifies that attacks leveraging this vulnerability can be executed without requiring additional privileges or user interaction.
Affected software versions include ASP.NET Core 2.1, .NET 6.0, .NET 7.0, Microsoft Visual Studio 2022 version 17.2, and Microsoft Visual Studio 2022 versions 17.4 and 17.6. In light of this, CISA has urged Federal Civilian Executive Branch (FCEB) agencies to promptly apply vendor-provided fixes to mitigate risks associated with this specific vulnerability prior to August 30, 2023.
Critically, Microsoft emphasized in its advisory that while proof-of-concept exploit code exists, practical attack demonstrations may not be feasible across all systems. The code may require significant adjustment by a skilled attacker to be effective, indicating a nuanced threat landscape.
This incident highlights ongoing risks faced by businesses utilizing Microsoft development products. From a cybersecurity perspective, this vulnerability aligns with MITRE ATT&CK tactics including initial access and denial of service, which are essential for understanding the attack landscape and potential threat vectors.
Business owners should remain vigilant and ensure their systems are updated to counteract potential exploits stemming from this vulnerability. Keeping abreast of updates from CISA and Microsoft as well as adhering to best practices in vulnerability management can significantly reduce exposure to such risks.
