VYPR
Moderate severity · NVD Advisory · Published Oct 14, 2025 · Updated Feb 22, 2026

.NET, .NET Framework, and Visual Studio Information Disclosure Vulnerability

CVE-2025-55248

Description

Inadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A man-in-the-middle attacker can downgrade SMTP TLS connections in .NET 8 and 9, forcing unencrypted data disclosure.

Vulnerability Analysis

The vulnerability lies in the SMTP client implementation of .NET 8.0 (up to version 8.0.20) and .NET 9.0 (up to version 9.0.9) [1][2]. Inadequate encryption strength allows a man-in-the-middle (MITM) attacker to interfere with the TLS negotiation between a .NET SMTP client and an SMTP server. The attacker can prevent the use of TLS, forcing the client to fall back to an unencrypted connection [1][2][3]. This is a downgrade attack that bypasses the intended transport security.

Exploitation Prerequisites

An attacker must be positioned on the network path between the affected .NET application and the SMTP server, i.e., a MITM position. No special authentication or privileges beyond network access are required. The attack does not need any user interaction beyond the normal operation of the SMTP client [1][3]. There are no mitigating factors identified by Microsoft [2][3].

Impact

A successful attack allows the attacker to eavesdrop on all email communications transmitted by the affected application. Sensitive information such as credentials, message content, and recipient details can be disclosed over the network in plaintext [1]. The confidentiality of data processed by the SMTP client is fully compromised.

Mitigation

Microsoft has released patched versions: .NET 8.0.21 and .NET 9.0.10 [1][2][3]. Developers must update their applications to use these patched runtime packages. For a full list of affected package names (e.g., Microsoft.NetCore.App.Runtime.linux-x64), refer to the advisory tables. No workaround is available [1][2].
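
One way to triage hosts against the ranges in this page's Affected packages table, as an added example that is not part of the advisory or of Microsoft's tooling: it parses `dotnet --list-runtimes` output and flags base runtimes that fall in an affected range. The sample output and the function names are constructed for illustration.

```python
import re
import sys

# Affected ranges from this page's "Affected packages" table:
# (inclusive lower bound, exclusive upper bound = first patched version).
AFFECTED_RANGES = [((8, 0, 0), (8, 0, 21)), ((9, 0, 0), (9, 0, 10))]

# Constructed sample of `dotnet --list-runtimes` output (not from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.21 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.9 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

# Each line of the listing reads: <name> <version> [<install dir>]
RUNTIME_LINE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(\S*)\s+\[(.+)\]\s*$")


def fixed_in(version):
    """Return the first patched version if `version` is affected, else None."""
    for low, high in AFFECTED_RANGES:
        if low <= version < high:
            return ".".join(map(str, high))
    return None


def find_affected(text):
    """Return [(version, install_dir, patched_version)] for affected base runtimes."""
    hits = []
    for line in text.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if not m or m.group(1) != "Microsoft.NETCore.App":
            continue  # only the base runtime is checked here
        # Assumption: prerelease builds (e.g. 9.0.0-rc.1) are compared on
        # their numeric part only, which errs on the side of flagging them.
        version = tuple(int(g) for g in m.group(2, 3, 4))
        patched = fixed_in(version)
        if patched:
            hits.append(("{}.{}.{}{}".format(*m.group(2, 3, 4, 5)), m.group(6), patched))
    return hits


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for version, path, patched in find_affected(text):
        print(f"AFFECTED {version} at {path}: update to {patched} or later")
```

Self-contained deployments bundle the runtime package and do not appear in `dotnet --list-runtimes`; check the runtime package version those builds reference against the same ranges.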

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.win-x86 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.win-x86 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |

Affected products

18
  • Microsoft/Net
  • Microsoft/Microsoft .NET Framework 2.0 Service Pack 2
    Range: 2.0.0
  • Microsoft/Microsoft .NET Framework 3.0 Service Pack 2
    Range: 3.0.0
  • Microsoft/Microsoft .NET Framework 3.5
    Range: 3.5.0
  • Microsoft/Microsoft .NET Framework 3.5.1
    Range: 3.5.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8
    Range: 4.8.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8.1
    Range: 4.8.1
  • Microsoft/Microsoft .NET Framework 4.6.2
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 4.8
    Range: 4.8.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.10
    Range: 17.10.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.12
    Range: 17.12.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.14
    Range: 17.14.0
  • Microsoft/.NET 8.0
    Range: 8.0.0
  • Microsoft/.NET 9.0
    Range: 9.0.0


References

5
