CVE-2025-7326

Summary

Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.

NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.

Affected Software

VendorProductVersion RangeStatus
MicrosoftASP.NET Core 6.0>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.Identity>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.win-arm>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.win-arm64>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.win-x64>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.win-x86>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.linux-arm>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.linux-arm64>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.linux-musl-arm>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.linux-musl-arm64>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.linux-musl-x64>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.linux-x64>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.osx-arm64>=6.0.0 <= 6.0.36affected
MicrosoftMicrosoft.AspNetCore.App.Runtime.osx-x64>=6.0.0 <= 6.0.36affected

Weaknesses

  • CWE-1390: CWE-1390: Weak Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References