The United States’ Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched vulnerability in Microsoft’s .NET and Visual Studio to its Known Exploited Vulnerabilities (KEV) catalog, citing indications of ongoing exploitation.
Tracked as CVE-2023-38180 with a CVSS score of 7.5, the high-severity flaw is a denial-of-service (DoS) vulnerability affecting .NET and Visual Studio.
Microsoft addressed it in its August 2023 Patch Tuesday updates, released a few days ago, and gave it a “High Likelihood of Exploitation” assessment.
Although details of the exploitation remain unclear, Microsoft acknowledged the existence of a proof-of-concept (PoC) in its advisory. The company also said that attackers can exploit the vulnerability without any additional privileges or user interaction.
“The availability of a proof-of-concept exploit suggests potential, though it may not be universally applicable and might demand significant alterations by an adept attacker,” the company noted.
Affected software versions include ASP.NET Core 2.1, .NET 6.0, .NET 7.0, Microsoft Visual Studio 2022 version 17.2, Microsoft Visual Studio 2022 version 17.4, and Microsoft Visual Studio 2022 version 17.6.