CVE-2025-7326

Description

Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.

CVSS breakdown

Affected products

• Microsoft / ASP.NET Core 6.0>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.linux-arm>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.linux-arm64>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.linux-musl-arm>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.linux-musl-x64>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.linux-x64>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.osx-arm64>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.osx-x64>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.win-arm>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.win-arm64>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.win-x64>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.App.Runtime.win-x86>=6.0.0 – 6.0.36
• Microsoft / Microsoft.AspNetCore.Identity>=6.0.0 – 6.0.36

References

• CONFIRMhttps://www.cve.org/CVERecord?id=CVE-2025-24070
• VENDOR_ADVISORYhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24070
• MISChttps://www.herodevs.com/vulnerability-directory/cve-2025-7326