US Cybersecurity and Infrastructure Security Agency (CISA) added an actively exploited zero-day vulnerability CVE-2023-38180 (CVSS score 7.5) affecting .NET and Visual Studio to its Known Exploited Vulnerabilities Catalog.
The vulnerability can be exploited to trigger a denial-of-service (DoS) condition; Microsoft addressed it with the August 2023 Patch Tuesday security updates. Microsoft confirmed that vulnerable systems can be exploited without any user interaction and that exploitation does not require privileges.
Microsoft did not share technical details about the attacks exploiting this vulnerability.
The vulnerability impacts Visual Studio 2022 versions 17.2, 17.4 and 17.6, as well as .NET 6.0 and 7.0, and ASP.NET Core 2.1.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this flaw by August 30, 2023.
(SecurityAffairs – hacking, CISA)