ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability
Description
Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Weak authentication in ASP.NET Core's RefreshSignInAsync allows an attacker to sign into another user's account, leading to elevation of privilege.
Vulnerability
Overview
CVE-2025-24070 is a weak-authentication flaw (CWE-1390, insufficient proof of identity) in ASP.NET Core Identity's SignInManager.RefreshSignInAsync. In affected versions the method re-issues the sign-in for whatever user object it is handed, without verifying that this user is the principal currently authenticated on the request. An application that reaches RefreshSignInAsync with a user object derived from attacker-influenced input therefore lets a remote attacker obtain an authenticated session for another user's account [1][2].
Exploitation
Prerequisites
The attacker needs a network-reachable request path in the application that ends in a RefreshSignInAsync call for a user the attacker can influence, for example a user looked up from a request parameter. The advisory lists no authentication and no additional privileges as prerequisites, so on such an application the attack is unauthenticated [1]. An application that only ever passes the currently signed-in user to the method does not meet the trigger condition the advisory describes, so the exposure is application-specific and should be confirmed by auditing callers. The affected releases are ASP.NET Core 6.0.0 through 6.0.36, 8.0.0 through 8.0.13, 9.0.0 through 9.0.2, and the Microsoft.AspNetCore.Identity NuGet package from 2.3.0 up to but not including 2.3.1 [1][2].
Impact
Successful exploitation is an elevation of privilege: the attacker ends up holding a valid authenticated session for another user's account, so whatever that account can read or do in the application becomes available to the attacker, and the resulting actions are logged under the victim's identity [1].
Mitigation
Microsoft has released fixed versions: 9.0.3 for the ASP.NET Core 9.0 line, 8.0.14 for the 8.0 line, and Microsoft.AspNetCore.Identity 2.3.1 for applications that consume that package directly [1][2]. The advisory's package table lists no patched version for the 6.0 line (6.0.0 through 6.0.36), which is out of Microsoft support; applications still on it need to move to a supported major version. Microsoft lists no mitigating factors and no workaround, so updating is the fix [1]. Independently of the update, audit every caller of RefreshSignInAsync in application code: the user passed in should be the one resolved from the current principal (UserManager.GetUserAsync(User)), never one looked up from request data, and a cheap id comparison against the current principal before the call prevents the method from ever being reached with someone else's account.
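The pattern described in the Overview and the check recommended under Mitigation, as an added example that is not code from the advisory or from ASP.NET Core itself. The controller, its two routes and the "userId" and "phone" form fields are assumptions for illustration; the Identity APIs used (FindByIdAsync, GetUserAsync, GetUserId, GetUserIdAsync, SetPhoneNumberAsync, RefreshSignInAsync) are the real ones.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Added example, not code from the advisory or from ASP.NET Core.
// Assumed for illustration: ProfileController, its two routes, and the
// "userId" / "phone" form fields.
public sealed class ProfileController : Controller
{
    private readonly UserManager<IdentityUser> _users;
    private readonly SignInManager<IdentityUser> _signIn;

    public ProfileController(UserManager<IdentityUser> users,
                             SignInManager<IdentityUser> signIn)
    {
        _users = users;
        _signIn = signIn;
    }

    // VULNERABLE PATTERN. The user whose sign-in is refreshed is looked up from
    // a request value. On Identity < 2.3.1 and ASP.NET Core < 8.0.14 / < 9.0.3,
    // RefreshSignInAsync does not check that this user is the caller, so whoever
    // can reach this action and supply another account's id receives an
    // authentication cookie for that account. Nothing here requires the caller
    // to be signed in at all.
    [HttpPost("profile/phone/unsafe")]
    public async Task<IActionResult> UpdatePhoneUnsafe(string userId, string phone)
    {
        var user = await _users.FindByIdAsync(userId);   // attacker-influenced
        if (user is null) return NotFound();

        await _users.SetPhoneNumberAsync(user, phone);
        await _signIn.RefreshSignInAsync(user);          // re-issues a session for `user`
        return Ok();
    }

    // HARDENED PATTERN. The target account comes from the authenticated
    // principal, and the refresh is refused if the object about to be refreshed
    // is not that principal. The id comparison is what keeps the call safe even
    // when the TUser arrives from a helper or service layer you do not control.
    [HttpPost("profile/phone")]
    [Authorize]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> UpdatePhone(string phone)
    {
        var user = await _users.GetUserAsync(User);
        if (user is null) return Challenge();

        var result = await _users.SetPhoneNumberAsync(user, phone);
        if (!result.Succeeded) return BadRequest(result.Errors);

        // Refuse to refresh anyone but the current principal.
        var currentId = _users.GetUserId(User);
        if (currentId is null || currentId != await _users.GetUserIdAsync(user))
            return Forbid();

        await _signIn.RefreshSignInAsync(user);
        return Ok();
    }
}
```

The hardened action still benefits from the library fix: the in-application check is defence in depth for call sites that receive a user object from elsewhere, not a substitute for moving to 8.0.14, 9.0.3 or Identity 2.3.1.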
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.Identity (NuGet) | >= 2.3.0, < 2.3.1 | 2.3.1 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 8.0.0, < 8.0.14 | 8.0.14 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 9.0.0, < 9.0.3 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 6.0.0, <= 6.0.36 | none listed |
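A quick way to turn the table above into a check on a host, added here as an example and not part of the advisory: a top-level C# program that reads the output of `dotnet --list-runtimes` from stdin and flags each installed Microsoft.AspNetCore.App shared runtime against the patched versions per major line, including the 6.0 line for which the table lists no fix. The sample lines in the block are constructed; the "<name> <version> [<path>]" line format is what the real command prints. Applications that reference the Microsoft.AspNetCore.Identity NuGet package directly are not covered by this check; for those, `dotnet list package --vulnerable` against the project is the equivalent step.

```csharp
using System;
using System.Collections.Generic;

// Added example, not part of the advisory. Run as:
//   dotnet --list-runtimes | dotnet run
// Without redirected stdin it falls back to the constructed sample below.

// First fixed version per major line, taken from the advisory's package table.
// 6.0 has no patched version listed (the line is out of support).
var firstFixed = new Dictionary<int, Version?>
{
    [6] = null,
    [8] = new Version(8, 0, 14),
    [9] = new Version(9, 0, 3),
};

// Constructed sample of `dotnet --list-runtimes` output, not captured from a real host.
const string sample =
@"Microsoft.NETCore.App 9.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.13 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.14 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.2 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]";

string input = Console.IsInputRedirected ? Console.In.ReadToEnd() : sample;
int affected = 0;

foreach (var rawLine in input.Split('\n', StringSplitOptions.RemoveEmptyEntries))
{
    // Only the ASP.NET Core shared framework carries the vulnerable Identity code.
    var parts = rawLine.Trim().Split(' ', 3);
    if (parts.Length < 2 || parts[0] != "Microsoft.AspNetCore.App") continue;

    // Preview/RC builds ("9.0.0-preview.1") do not parse as System.Version and are
    // reported so they are not silently skipped.
    if (!Version.TryParse(parts[1], out var installed))
    {
        Console.WriteLine($"{parts[0]} {parts[1]}: unparsed version, check manually");
        continue;
    }

    string verdict;
    if (!firstFixed.TryGetValue(installed.Major, out var fixedAt))
        verdict = "not in the advisory's affected ranges";
    else if (fixedAt is null)
        verdict = "AFFECTED, no patched version in this line; move to a supported major";
    else if (installed < fixedAt)
        verdict = $"AFFECTED, update to {fixedAt}";
    else
        verdict = "patched";

    if (verdict.StartsWith("AFFECTED")) affected++;
    Console.WriteLine($"{parts[0]} {installed}: {verdict}");
}

Console.WriteLine($"{affected} affected ASP.NET Core runtime(s) found");
Environment.ExitCode = affected == 0 ? 0 : 1;
```

On the constructed sample the 6.0.36, 8.0.13 and 9.0.2 runtimes are reported as affected, 8.0.14 as patched, and 7.0.20 as outside the advisory's ranges; the non-zero exit code makes the check usable from a CI or fleet-inventory job.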
Affected products
OSV coordinates (42 package URLs, none with a CPE assigned; the version range for each is listed in the order the source gives them; for the NuGet runtime packages the OSV coordinate carries a single range, the table above gives every affected line per package):
- pkg:bitnami/aspnet-core: >= 8.0.0, < 8.0.14
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.osx-arm64: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm: >= 8.0.0, < 8.0.14
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm64: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64: >= 9.0.0, < 9.0.3
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86: >= 8.0.0, < 8.0.14
- pkg:nuget/microsoft.aspnetcore.identity: >= 2.3.0, < 2.3.1
- pkg:rpm/almalinux/aspnetcore-runtime-8.0: < 8.0.14-1.el9_5
- pkg:rpm/almalinux/aspnetcore-runtime-9.0: < 9.0.3-1.el8_10
- pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0: < 8.0.14-1.el9_5
- pkg:rpm/almalinux/aspnetcore-runtime-dbg-9.0: < 9.0.3-1.el8_10
- pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0: < 8.0.14-1.el9_5
- pkg:rpm/almalinux/aspnetcore-targeting-pack-9.0: < 9.0.3-1.el8_10
- pkg:rpm/almalinux/dotnet: < 9.0.104-1.el8_10
- pkg:rpm/almalinux/dotnet-apphost-pack-8.0: < 8.0.14-1.el9_5
- pkg:rpm/almalinux/dotnet-apphost-pack-9.0: < 9.0.3-1.el8_10
- pkg:rpm/almalinux/dotnet-host: < 9.0.3-1.el8_10
- pkg:rpm/almalinux/dotnet-hostfxr-8.0: < 8.0.14-1.el9_5
- pkg:rpm/almalinux/dotnet-hostfxr-9.0: < 9.0.3-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-8.0: < 8.0.14-1.el9_5
- pkg:rpm/almalinux/dotnet-runtime-9.0: < 9.0.3-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-dbg-8.0: < 8.0.14-1.el9_5
- pkg:rpm/almalinux/dotnet-runtime-dbg-9.0: < 9.0.3-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-8.0: < 8.0.114-1.el9_5
- pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts: < 8.0.114-1.el9_5
- pkg:rpm/almalinux/dotnet-sdk-9.0: < 9.0.104-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-9.0-source-built-artifacts: < 9.0.104-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-aot-9.0: < 9.0.104-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-dbg-8.0: < 8.0.114-1.el9_5
- pkg:rpm/almalinux/dotnet-sdk-dbg-9.0: < 9.0.104-1.el8_10
- pkg:rpm/almalinux/dotnet-targeting-pack-8.0: < 8.0.14-1.el9_5
- pkg:rpm/almalinux/dotnet-targeting-pack-9.0: < 9.0.3-1.el8_10
- pkg:rpm/almalinux/dotnet-templates-8.0: < 8.0.114-1.el9_5
- pkg:rpm/almalinux/dotnet-templates-9.0: < 9.0.104-1.el8_10
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1: < 9.0.104-1.el8_10
CVE record products (vendor / product: version range):
- Microsoft / ASP.NET Core 8.0: 8.0
- Microsoft / ASP.NET Core 9.0: 9.0
- Microsoft / Microsoft Visual Studio 2022 version 17.8: 17.8.0
- Microsoft / Microsoft Visual Studio 2022 version 17.10: 17.10.0
- Microsoft / Microsoft Visual Studio 2022 version 17.12: 17.12.0
- Microsoft / Microsoft Visual Studio 2022 version 17.13: 17.13.0
Patches
No patch commits discovered yet (fixed release versions are given under Mitigation above).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-2865-hh9g-w894 (GHSA; advisory)
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24070 (GHSA; vendor advisory, patch)
- https://nvd.nist.gov/vuln/detail/CVE-2025-24070 (GHSA; advisory)
- https://github.com/dotnet/aspnetcore/security/advisories/GHSA-2865-hh9g-w894 (GHSA; web)
- https://www.herodevs.com/vulnerability-directory/cve-2025-24070 (GHSA; web)
News mentions
No linked articles in our index yet.