.NET and Visual Studio Elevation of Privilege Vulnerability
Description
.NET and Visual Studio Elevation of Privilege Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An elevation of privilege vulnerability in the .NET diagnostic server allows cross-session/cross-user code execution.
Vulnerability Overview
CVE-2023-33127 is an elevation of privilege vulnerability in .NET and Visual Studio. The flaw resides in the diagnostic server component of .NET applications, which can be exploited to achieve cross-session and cross-user elevation of privilege (EoP) and remote code execution [1][2]. The vulnerability affects .NET 7.0 (versions 7.0.8 and earlier) and .NET 6.0 (versions 6.0.19 and earlier), including specific runtime packages for Windows desktops [1][2].
Exploitation Details
The vulnerability does not require authentication to exploit, as the diagnostic server is exposed to other users on the same system. An attacker with low privileges on the local machine can leverage the diagnostic server's flaws to execute code in the context of another user or session [1][2]. Microsoft has not identified any mitigating factors for this vulnerability [1][2].
Impact
Successful exploitation allows an attacker to escalate privileges from a low-integrity context to a higher integrity level, potentially leading to full system compromise. The CVSS score is not provided in the references, but the advisory classifies this as an elevation of privilege vulnerability [3].
Mitigation
Microsoft released patches in .NET 7.0.9 and .NET 6.0.20, as well as updated Windows Desktop runtime packages for affected architectures [1][2]. Developers should update their .NET SDKs and runtime installations immediately. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of July 2023.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.WindowsDesktop.App.Runtime.win-arm64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.WindowsDesktop.App.Runtime.win-arm64 (NuGet) | >= 6.0.0, < 6.0.20 | 6.0.20 |
| Microsoft.WindowsDesktop.App.Runtime.win-x64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.WindowsDesktop.App.Runtime.win-x64 (NuGet) | >= 6.0.0, < 6.0.20 | 6.0.20 |
| Microsoft.WindowsDesktop.App.Runtime.win-x86 (NuGet) | >= 6.0.0, < 6.0.20 | 6.0.20 |
| Microsoft.WindowsDesktop.App.Runtime.win-x86 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
Affected products
- osv-coords (5 versions): pkg:bitnami/dotnet, pkg:bitnami/dotnet-sdk, pkg:nuget/microsoft.windowsdesktop.app.runtime.win-arm64, pkg:nuget/microsoft.windowsdesktop.app.runtime.win-x64, pkg:nuget/microsoft.windowsdesktop.app.runtime.win-x86
- (no CPE) range: >= 6.0.0, < 6.0.20
- (no CPE) range: >= 6.0.0, < 6.0.20
- (no CPE) range: >= 7.0.0, < 7.0.9
- (no CPE) range: >= 7.0.0, < 7.0.9
- (no CPE) range: >= 6.0.0, < 6.0.20
- Microsoft/Microsoft Visual Studio 2022 version 17.0 (v5), range: 17.0.0
- Microsoft/Microsoft Visual Studio 2022 version 17.2 (v5), range: 17.2.0
- Microsoft/Microsoft Visual Studio 2022 version 17.4 (v5), range: 17.4.0
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5), range: 17.6.0
- Microsoft/.NET 6.0 (v5), range: 6.0.0
- Microsoft/.NET 7.0 (v5), range: 7.0.0
- Microsoft/PowerShell 7.2 (v5), range: 7.2.0
- Microsoft/PowerShell 7.3 (v5), range: 7.3.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-485r-rp8v-998v (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33127 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-33127 (ghsa, ADVISORY)
- github.com/dotnet/announcements/issues/263 (ghsa, WEB)
- github.com/dotnet/runtime/security/advisories/GHSA-485r-rp8v-998v (ghsa, WEB)