Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core
"If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves."
"This vulnerability arrives only six months after ASP.NET suffered one of its worst ever flaws, October's CVSS 9.9-rated CVE-2025-55315 in the Kestrel web server component."
"The current advisory goes on to compare the issue to MS10-070, an emergency patch for CVE-2010-3332, an infamous zero-day vulnerability in the way Windows ASP.NET handled cryptographic errors."
"In this case, the update itself should have already happened automatically for server builds, taking runtimes to the patched version 10.0.7."
Long-lived tokens embedded in applications pose significant security risks: an attacker who could authenticate as a privileged user during the vulnerable window may have induced the application to issue legitimately-signed tokens to themselves. This vulnerability follows a severe ASP.NET flaw, CVE-2025-55315, and has been compared to the infamous MS10-070 zero-day vulnerability. Flaws of this kind are typically addressed through updates or mitigations; in this case, the necessary update should already have been applied automatically to server builds, bringing runtimes to the patched version 10.0.7.
Read at InfoWorld