VYPR
High severity · NVD Advisory · Published Jan 14, 2025 · Updated Feb 26, 2026

.NET Remote Code Execution Vulnerability

CVE-2025-21171

Description

.NET Remote Code Execution Vulnerability

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

.NET 9.0 Remote Code Execution vulnerability allows an unauthenticated attacker to execute arbitrary code by sending a crafted request to a vulnerable ASP.NET Core web server.

Vulnerability Overview

CVE-2025-21171 is a remote code execution (RCE) vulnerability in .NET 9.0.0 and earlier versions. The issue exists in the .NET runtime's handling of specially crafted requests, potentially allowing an attacker to corrupt memory or trigger arbitrary code execution when a vulnerable web application processes such a request [1]. Microsoft has not identified any mitigating factors, meaning all affected deployments are at risk.

Attack Vector

An unauthenticated attacker can exploit this vulnerability by sending a malicious HTTP request to a .NET web server running the affected version. No special network position or authentication is required; the attacker only needs network access to the service [1]. The request triggers a flaw in the .NET runtime, leading to memory corruption and code execution.

Impact

If successfully exploited, the attacker can achieve remote code execution in the context of the application pool, potentially gaining full control over the server. This could lead to data theft, service disruption, or further lateral movement within the network [1].

Mitigation

Microsoft released patched versions of .NET 9.0.1 for all platforms (Linux, macOS, Windows). Developers should update their runtime and SDK packages to version 9.0.1 or later. Visual Studio users will be prompted to update automatically [1]. The vulnerability only affects .NET 9.0.0 and earlier; no other .NET versions are impacted.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package (ecosystem) | Affected versions | Patched versions |
| --- | --- | --- |
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-x86 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |

Affected products

39

References

4
