CVE-2025-26646: .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability

Overview

Severity: High (CVSS 8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Spoofing
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2025-May
Released: 2025-05-13
Last Updated: 2025-05-22
EPSS Score: 0.24% (percentile: 46.5%)

Description

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.

FAQ

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker with standard user privileges could place a malicious file and then wait for the privileged victim to run the calling command.

Affected Products (11)

Developer Tools

  • .NET 8.0 installed on Windows
  • .NET 8.0 installed on Linux
  • .NET 8.0 installed on Mac OS
  • .NET 9.0 installed on Linux
  • .NET 9.0 installed on Mac OS
  • .NET 9.0 installed on Windows
  • Microsoft Visual Studio 2022 version 17.12
  • Microsoft Visual Studio 2022 version 17.13
  • Microsoft Visual Studio 2022 version 17.8
  • Microsoft Visual Studio 2022 version 17.10
  • Build Tools for Visual Studio 2022

Security Updates (7)

Revision History

  • 2025-05-13: Information published.
  • 2025-05-22: To comprehensively address CVE-2025-26646, Microsoft has released security updates on May 22, 2025 for Visual Studio 2022 version 17.10. In addition, updates .NET 8.0.313 and .NET 8.0.410 have been released for .NET SDKs 8.0.3xx and 8.0.4xx, respectively. For more information about the .NET updates, see KB5059200. Microsoft recommends that customers install these updates to be fully protected from the vulnerability.
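
The 2025-05-22 revision names fixed builds for two SDK feature bands, so installed SDKs can be checked against them. The following is an added example, not Microsoft's code: it assumes the `version [path]` line format printed by `dotnet --list-sdks`, uses constructed sample output, and judges only the 8.0.3xx and 8.0.4xx bands because those are the only fixed builds this page states.

```python
import re

# Fixed SDK builds from the 2025-05-22 revision note, keyed by
# (major, minor, feature band) -> minimum patch. Other bands are not on the page.
FIXED_PATCH = {(8, 0, 3): 13, (8, 0, 4): 10}

# One line of `dotnet --list-sdks`: "8.0.312 [/usr/share/dotnet/sdk]".
# The third version component is <band digit><two-digit patch>.
SDK_LINE = re.compile(r"^(\d+)\.(\d+)\.(\d)(\d{2})(-[\w.]+)?\s+\[(.+)\]$")


def classify_sdks(list_sdks_output):
    """Map each SDK version found in the output to a patch status string."""
    results = {}
    for line in list_sdks_output.splitlines():
        m = SDK_LINE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        major, minor, band, patch = (int(g) for g in m.group(1, 2, 3, 4))
        version = line.split()[0]
        fixed = FIXED_PATCH.get((major, minor, band))
        if fixed is None:
            results[version] = "band not covered by this revision note"
        elif patch < fixed or (patch == fixed and m.group(5)):
            # Older patch, or a pre-release build of the fixed patch number.
            results[version] = f"needs update to {major}.{minor}.{band}{fixed:02d}"
        else:
            results[version] = "at or above fixed build"
    return results


# Constructed sample output (not captured from a real host).
SAMPLE = """\
8.0.115 [/usr/share/dotnet/sdk]
8.0.312 [/usr/share/dotnet/sdk]
8.0.313 [/usr/share/dotnet/sdk]
8.0.408 [/usr/share/dotnet/sdk]
8.0.410 [/usr/share/dotnet/sdk]
9.0.203 [/usr/share/dotnet/sdk]
"""

if __name__ == "__main__":
    for version, status in classify_sdks(SAMPLE).items():
        print(f"{version}: {status}")
```

On a real host, pass the captured output of `dotnet --list-sdks` to `classify_sdks` in place of `SAMPLE`; for bands reported as not covered, consult KB5059200.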