CVE-2025-30399

EUVD-2025-18115 | HIGH 7.5 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 14, 2026 - 21:34 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:34 (euvd) - EUVD-2025-18115
CVE Published: Jun 13, 2025 - 02:15 (nvd)

Description

Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.

Analysis

CVE-2025-30399 is an untrusted search path vulnerability (CWE-426) in .NET and Visual Studio. An unauthenticated attacker (PR:N) can reach it over a network vector (AV:N), but exploitation needs user interaction (UI:R) and depends on conditions outside the attacker's control (AC:H). A successful exploit runs attacker-supplied code with the victim's privileges, giving full confidentiality, integrity and availability impact, which is why the score is 7.5 (high) despite those preconditions. The Ubuntu status below shows fixed packages for dotnet8 and dotnet9 and marks dotnet6 not-affected, so at least the .NET 8 and .NET 9 runtime lines are affected on Linux as well as Windows. The high attack complexity and the interaction requirement are likely to limit real-world exploitation frequency.

Technical Context

This vulnerability is classed as CWE-426 (Untrusted Search Path): the affected component looks for a resource it needs (a library, module or configuration file) in a sequence of directories, and at least one directory earlier in that sequence can be written by someone other than the component's owner. In the .NET and Visual Studio ecosystem the resources in question are typically managed assemblies or native libraries, and the risky locations are the current working directory, the directory of an opened project, temporary folders, and PATH entries that are consulted before the protected install location. An attacker who can place a file with the expected name in such a location gets it loaded and executed with the privileges of the user running Visual Studio or the .NET application. The network attack vector (AV:N) combined with required user interaction (UI:R) fits a scenario in which the victim opens or builds content from an attacker-influenced location, for example a project on a network share or in a downloaded archive. This page does not identify the exact component or search order involved, so the precise trigger should be taken from the Microsoft advisory.
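The following is an added example written for this page; it is not code from the page, from Microsoft, or from the actual CVE-2025-30399 code path, which the page does not detail. It models the CWE-426 pattern on a constructed directory tree: an insecure resolver that probes the current working directory before the install directory, beside a hardened resolver that consults only an explicit allowlist and refuses any directory or file that group or others can write. The directory layout, the file name Helper.dll and the function names are this example's own assumptions, and the permission checks use POSIX mode bits.

```python
# Added example (not from the page or from Microsoft): models an untrusted
# search path (CWE-426) with a constructed tree and two resolvers.
# All names (build_sample_tree, resolve_insecure, resolve_hardened,
# Helper.dll) are assumptions of this example. POSIX permission bits only.
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def build_sample_tree(root: Path) -> dict:
    """Constructed sample layout:
    runtime/  trusted install dir, owner-writable only, holds the real Helper.dll
    project/  attacker-influenced dir (world-writable, like a share or temp dir)
              holding a planted file with the same name."""
    trusted = root / "runtime"
    project = root / "project"
    trusted.mkdir()
    project.mkdir()
    (trusted / "Helper.dll").write_text("legit")
    (project / "Helper.dll").write_text("planted")
    # Set modes explicitly so the result does not depend on the umask.
    trusted.chmod(0o755)
    (trusted / "Helper.dll").chmod(0o644)
    project.chmod(0o777)
    (project / "Helper.dll").chmod(0o666)
    return {"trusted": trusted, "project": project}


def resolve_insecure(name: str, cwd: Path, search_dirs: List[Path]) -> Optional[Path]:
    """Vulnerable pattern: cwd is probed before the configured dirs, so whoever
    controls the directory the process was started in chooses what gets loaded."""
    for d in [cwd, *search_dirs]:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate
    return None


def is_trusted_location(p: Path) -> bool:
    """A location is trusted only if neither group nor others can write it."""
    return not (p.stat().st_mode & OTHERS_WRITE)


def resolve_hardened(name: str, search_dirs: List[Path]) -> Optional[Path]:
    """Hardened pattern: cwd is never consulted; each allowlisted dir and the
    candidate file itself must be unwritable by others, otherwise it is skipped."""
    for d in search_dirs:
        d = Path(d)
        if not d.is_dir() or not is_trusted_location(d):
            continue
        candidate = d / name
        if candidate.is_file() and is_trusted_location(candidate):
            return candidate
    return None


def demo() -> dict:
    """Run both resolvers against the constructed tree and report which copy
    each would have loaded (the file contents stand in for the code)."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = build_sample_tree(Path(tmp))
        # Process started inside the attacker-influenced project directory,
        # e.g. after opening a downloaded or network-shared project.
        insecure = resolve_insecure("Helper.dll", tree["project"], [tree["trusted"]])
        # Even with the project dir explicitly on the list, the hardened
        # resolver rejects it because it is world-writable.
        hardened = resolve_hardened("Helper.dll", [tree["project"], tree["trusted"]])
        return {
            "insecure": insecure.read_text() if insecure else None,
            "hardened": hardened.read_text() if hardened else None,
        }


if __name__ == "__main__":
    print(demo())
```

The insecure resolver returns the planted copy; the hardened one returns the legitimate copy even though the planted directory appears first in its list, because the decision is made on who can write the location rather than on list order alone.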

Affected Products

The vendor description names only '.NET and Visual Studio'. The Ubuntu status below gives the firmest version signal on this page: dotnet8 and dotnet9 received fixed packages (runtime 8.0.17 and 9.0.6 respectively), dotnet6 on jammy is marked not-affected, and dotnet7 on jammy is ignored (see notes). Visual Studio editions, exact version ranges and CPE URIs are not reproduced on this page; take them from the NVD record and from the Microsoft Security Update Guide (MSRC) entry for CVE-2025-30399, which is the authoritative source for affected versions and patch build numbers.

Remediation

1. Immediate mitigation: until patched, do not open or build projects from untrusted or network locations, and keep the working directories in which .NET tools and Visual Studio are launched free of files that other users can write. Review PATH and any other search lists for entries that are world- or group-writable, missing, or on a share, and remove them.
2. Patch deployment: obtain and deploy Microsoft's security update for the affected .NET runtimes and Visual Studio releases via Windows Update, the Visual Studio Installer, or the distribution package manager (Ubuntu fixed versions are listed under Vendor Status below). This is the only complete fix, because the search order is decided by the vulnerable component rather than by the project.
3. Access control: restrict project directories and shared development environments to authenticated users, and set filesystem permissions so that only the owning developer or build account can modify project folders.
4. Best practices: pin NuGet package sources to trusted or private feeds, require signed packages and verify package integrity, and review downloaded projects before opening them.
5. Vendor advisory: monitor the Microsoft Security Update Guide (portal.msrc.microsoft.com) entry for CVE-2025-30399 and the .NET runtime and Visual Studio release notes. This page lists the patch as available; deploy it according to your organizational patch management schedule.
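As an added example for the remediation steps above (not code from the page or from Microsoft), the block below implements two of the checks a practitioner would actually run: an audit of a PATH-style search list for entries that others can write or that do not exist, and a parser for `dotnet --list-runtimes` output that flags runtimes older than the fixed versions. The fixed-version thresholds (runtime 8.0.17 and 9.0.6) are an assumption taken from the Ubuntu package versions listed on this page and must be confirmed against MSRC; the sample listing is constructed, not captured from a real host, and the function names are this example's own.

```python
# Added example (not from the page or from Microsoft): remediation checks
# for untrusted search paths and for outdated .NET runtimes.
# Thresholds below are an ASSUMPTION derived from the Ubuntu package
# versions on this page (dotnet8 8.0.17, dotnet9 9.0.6); confirm with MSRC.
import os
import re
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import List, Tuple

# Assumed earliest fixed runtime per release line (from the Ubuntu table).
FIXED_RUNTIME = {(8, 0): (8, 0, 17), (9, 0): (9, 0, 6)}

# Line shape of real `dotnet --list-runtimes` output, e.g.
#   Microsoft.NETCore.App 8.0.10 [/usr/lib/dotnet/shared/Microsoft.NETCore.App]
RUNTIME_LINE = re.compile(
    r"^(?P<name>Microsoft\.\S+)\s+(?P<version>\d+\.\d+\.\d+)(?P<suffix>\S*)\s+\[(?P<path>[^\]]+)\]$"
)

# Constructed sample listing (not captured from a real host).
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 8.0.10 [/usr/lib/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/lib/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.10 [/usr/lib/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.17 [/usr/lib/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.5 [/usr/lib/dotnet/shared/Microsoft.NETCore.App]
"""


def outdated_runtimes(listing: str) -> List[Tuple[str, str, str]]:
    """Return (name, version, path) for every runtime whose major.minor line has
    a known fixed version and whose build is below it. Lines outside the known
    bands (e.g. 6.0, marked not-affected on this page) are left alone."""
    findings = []
    for raw in listing.splitlines():
        m = RUNTIME_LINE.match(raw.strip())
        if not m:
            continue
        version = tuple(int(x) for x in m["version"].split("."))
        fixed = FIXED_RUNTIME.get(version[:2])
        # A pre-release suffix sorts before the final build of the same number.
        if fixed is not None and (version < fixed or (version == fixed and m["suffix"])):
            findings.append((m["name"], m["version"] + m["suffix"], m["path"]))
    return findings


def outdated_runtimes_on_this_host() -> List[Tuple[str, str, str]]:
    """Run the real `dotnet --list-runtimes` when the runtime is installed."""
    try:
        proc = subprocess.run(["dotnet", "--list-runtimes"],
                              capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return outdated_runtimes(proc.stdout)


def writable_search_entries(path_value: str) -> List[Tuple[str, str]]:
    """Audit a PATH-style list. Flags entries that do not exist (anyone who can
    write the parent can create them) and entries that group or others can
    write. Uses POSIX mode bits; on Windows, inspect the ACLs instead."""
    findings = []
    for entry in filter(None, path_value.split(os.pathsep)):
        p = Path(entry)
        if not p.exists():
            findings.append((entry, "missing"))
        elif p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable-by-others"))
    return findings


def demo_path_audit() -> List[str]:
    """Constructed PATH: one safe dir, one world-writable dir, one missing dir."""
    with tempfile.TemporaryDirectory() as tmp:
        safe = Path(tmp) / "bin"
        shared = Path(tmp) / "shared"
        safe.mkdir()
        shared.mkdir()
        safe.chmod(0o755)
        shared.chmod(0o777)
        missing = Path(tmp) / "gone"
        path_value = os.pathsep.join([str(safe), str(shared), str(missing)])
        return [kind for _, kind in writable_search_entries(path_value)]


if __name__ == "__main__":
    for row in outdated_runtimes(SAMPLE_LISTING):
        print("outdated:", *row)
    print(demo_path_audit())
```

On the sample listing the parser flags the two 8.0.10 runtimes and 9.0.5, leaves 8.0.17 alone, and ignores 6.0.36 because no threshold is known for that line. Run `outdated_runtimes_on_this_host()` and `writable_search_entries(os.environ["PATH"])` on a real developer or build machine to get the live results.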

Priority Score

38 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

Vendor Status

Ubuntu (priority: Medium)

Status legend: DNE means the package does not exist in that release. Ubuntu dotnet package versions are written as SDK version followed by runtime version, so 8.0.117-8.0.17 is SDK 8.0.117 with runtime 8.0.17.

dotnet6
Release   Status         Version
trusty    DNE            -
xenial    DNE            -
bionic    DNE            -
focal     DNE            -
jammy     not-affected   -
noble     DNE            -
oracular  DNE            -
plucky    DNE            -
upstream  needs-triage   -

dotnet7
Release   Status         Version
trusty    DNE            -
xenial    DNE            -
bionic    DNE            -
focal     DNE            -
jammy     ignored        see notes
noble     DNE            -
oracular  DNE            -
plucky    DNE            -
upstream  needs-triage   -

dotnet8
Release   Status         Version
trusty    DNE            -
xenial    DNE            -
bionic    DNE            -
focal     DNE            -
jammy     released       8.0.117-8.0.17-0ubuntu1~22.04.1
noble     released       8.0.117-8.0.17-0ubuntu1~24.04.1
oracular  released       8.0.117-8.0.17-0ubuntu1~24.10.1
plucky    released       8.0.117-8.0.17-0ubuntu1~25.04.1
upstream  needs-triage   -

dotnet9
Release   Status         Version
trusty    DNE            -
xenial    DNE            -
bionic    DNE            -
focal     DNE            -
jammy     DNE            -
noble     DNE            -
oracular  released       9.0.107-9.0.6-0ubuntu1~24.10.1
plucky    released       9.0.107-9.0.6-0ubuntu1~25.04.1
upstream  needs-triage   -


CVE-2025-30399 vulnerability details – vuln.today
