PT-2025-10815 · Microsoft · Visual Studio
Zahid · Published 2025-03-11 · Updated 2025-12-16
CVE-2025-24070
CVSS v3.1: 7.0 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions:
ASP.NET Core versions prior to 9.0.3
ASP.NET Core versions prior to 8.0.14
ASP.NET Core versions prior to 6.0.37
Description:
A vulnerability exists in ASP.NET Core applications that call RefreshSignInAsync with a user parameter that has not been properly authenticated, that is, a user object that is not the currently signed-in user. This could allow an attacker to sign in to another user's account, resulting in elevation of privilege. The vulnerability is caused by weak authentication in ASP.NET Core and Visual Studio. An attacker could possibly use this issue to elevate privileges, execute arbitrary code, or cause a denial of service.
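The calling pattern the description refers to, shown as an added example that is not code from this advisory or from Microsoft's ASP.NET Core sources. It assumes the default Identity types (SignInManager<IdentityUser>, UserManager<IdentityUser>) and a hypothetical ProfileController. The risky action chooses the user to refresh from a request parameter, so the cookie it issues is not tied to the caller; the hardened actions either resolve the user from the authenticated principal or verify that a user loaded by id is the caller before RefreshSignInAsync runs. The runtime versions listed under Recommendations address the issue inside the framework; the explicit check is defence in depth for applications that cannot update immediately.

```csharp
// Added example: constructed illustration of the risky and hardened patterns.
// Assumes default ASP.NET Core Identity types and a hypothetical controller.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

[Authorize]
public class ProfileController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public ProfileController(UserManager<IdentityUser> userManager,
                             SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // Risky pattern (constructed): the user whose sign-in is refreshed is
    // selected by a request-supplied id, so the user passed to
    // RefreshSignInAsync is not necessarily the authenticated caller.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> RefreshRisky(string userId)
    {
        var user = await _userManager.FindByIdAsync(userId);
        if (user == null) return NotFound();
        await _signInManager.RefreshSignInAsync(user);
        return Ok();
    }

    // Hardened pattern: resolve the user from the authenticated principal
    // (HttpContext.User), so the refreshed cookie can only describe the caller.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> RefreshSafe()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Challenge();
        await _signInManager.RefreshSignInAsync(user);
        return Ok();
    }

    // Some handlers legitimately load the user by id (for example, the id is
    // part of an existing form). Before that object reaches RefreshSignInAsync,
    // verify that it is the caller and refuse otherwise.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> UpdatePhone(string userId, string phone)
    {
        var user = await _userManager.FindByIdAsync(userId);
        if (user == null) return NotFound();
        if (!IsCaller(user)) return Forbid();

        var result = await _userManager.SetPhoneNumberAsync(user, phone);
        if (!result.Succeeded) return BadRequest(result.Errors);

        // Safe: ownership was checked above, so the cookie is re-issued
        // for the caller only.
        await _signInManager.RefreshSignInAsync(user);
        return Ok();
    }

    // Ownership check: compare the loaded user's id with the id claim of the
    // authenticated principal. GetUserId reads the name identifier claim.
    private bool IsCaller(IdentityUser user) =>
        string.Equals(user.Id, _userManager.GetUserId(User), StringComparison.Ordinal);
}
```

When reviewing an application for this issue, look for every call site of RefreshSignInAsync and trace where its user argument comes from: anything derived from route values, form fields, query strings or other request data, rather than from HttpContext.User, is the pattern to flag.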
Recommendations:
For ASP.NET Core version 9.0, update to .NET 9.0.3 Runtime or .NET 9.0.103 SDK.
For ASP.NET Core version 8.0, update to .NET 8.0.14 Runtime.
For ASP.NET Core version 6.0, update to .NET 6.0.37 Runtime.
If your application references the vulnerable package, update the package reference to the patched version.
Restart your apps for the update to take effect.
If you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Tags: Exploit · Fix · LPE
Affected Products
Alt Linux
Asp.Net Core
Almalinux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Ubuntu
Visual Studio