CVE-2025-30399: .NET and Visual Studio Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 7.5)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2025-Jun
Released: 2025-06-10
Last Updated: 2025-07-08
EPSS Score: 0.25% (percentile: 48.5%)

Description

Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? This attack requires a victim to perform a specific action, such as copying files or executing a command, and for an attacker with appropriate access to have pre-planted malicious files with knowledge of where they should be placed on the victim's system. According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a specially crafted file to be placed either in an online directory or in a local network location. When a victim runs this file, it loads the malicious DLL.

Affected Products (12)

Developer Tools

PowerShell 7.4
PowerShell 7.5
.NET 8.0 installed on Windows
.NET 8.0 installed on Linux
.NET 8.0 installed on Mac OS
.NET 9.0 installed on Linux
.NET 9.0 installed on Mac OS
.NET 9.0 installed on Windows
Microsoft Visual Studio 2022 version 17.12
Microsoft Visual Studio 2022 version 17.8
Microsoft Visual Studio 2022 version 17.10
Microsoft Visual Studio 2022 version 17.14

Security Updates (7)

Acknowledgments

jony_juice

Revision History

2025-06-10: Information published.
2025-07-08: Revised the Security Updates table to include PowerShell 7.4 and PowerShell 7.5 because these versions of PowerShell 7 are affected by this vulnerability. See https://github.com/PowerShell/Announcements/issues/77 for more information.