CVE-2025-21173: .NET Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Jan

Released

2025-01-14

EPSS Score

2.00% (percentile: 83.6%)

FAQ

What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could overwrite arbitrary file content in the security context of the local system. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that a user trigger the payload in the application. According to the CVSS metric, user interaction is required (UI:R) and privileges required  is low (PR:L). What does that mean for this vulnerability? An authorized attacker with standard user privileges could place a malicious file and then wait for the privileged victim to run the calling command.

Affected Products (6)

Developer Tools

• .NET 8.0 installed on Linux
• .NET 9.0 installed on Linux
• Microsoft Visual Studio 2022 version 17.12
• Microsoft Visual Studio 2022 version 17.6
• Microsoft Visual Studio 2022 version 17.8
• Microsoft Visual Studio 2022 version 17.10

Security Updates (6)

• 5050525
• 5050526
• Release Notes
• Release Notes
• Release Notes
• Release Notes

Acknowledgments

Noah Gilson with Microsoft, Daniel Plaisted with Microsoft

Revision History

• 2025-01-14: Information published.