Executive Summary
Our security research team has identified that CVE-2025-24070, a recently disclosed elevation of privilege vulnerability in ASP.NET Core Identity, also affects .NET 6 applications, even though Microsoft’s official security advisory does not list .NET 6 (which left Microsoft support in November 2024). As part of our Endless Lifecycle Support (ELS) program for .NET 6, which delivers security patches for .NET releases past their vendor end of life, we have analyzed this vulnerability and developed a patch that addresses it for customers still operating on this platform.
Understanding the Vulnerability
CVE-2025-24070 is classified as a high-severity vulnerability (CVSS v3 score: 7.0) in ASP.NET Core Identity. It centers on the SignInManager.RefreshSignInAsync method, which could allow an attacker to obtain an authentication cookie for another user’s account, resulting in unauthorized elevation of privileges.
Specifically, RefreshSignInAsync accepts a user parameter and reissues the sign-in for that user without checking that it is the user who is currently authenticated. Application code that passes a user derived from request data (for example, a user ID taken from a form post) into this method therefore lets an authenticated, low-privileged attacker have the authentication cookie reissued for a different account. Because this is reachable over the network in affected applications, it can lead to impersonation of higher-privileged accounts and significant security breaches.
Affected Versions
Microsoft’s advisory explicitly lists ASP.NET Core 9.0, ASP.NET Core 8.0, and ASP.NET Core 2.3 as the affected versions, since those are the versions Microsoft currently supports. Our investigation confirms that .NET 6 applications are vulnerable in the same way.
Officially documented affected versions include:
- ASP.NET Core 9.0.2 and earlier
- ASP.NET Core 8.0.13 and earlier
- ASP.NET Core 2.3.0 and earlier
Our addition: .NET 6 applications using the ASP.NET Core Identity components
Technical Details
The vulnerability exists in ASP.NET Core Identity’s SignInManager class, specifically in the RefreshSignInAsync method, which accepts a user parameter without verifying that it matches the currently authenticated user.
Under normal circumstances, refreshing a sign-in should only work for the currently authenticated user. Because that validation is missing, an attacker could:
- Authenticate to the application as any valid, low-privileged user
- Reach application code that passes attacker-chosen user data into RefreshSignInAsync (the method is not exposed directly; it is invoked by application code such as profile-update or password-change handlers)
- Receive a refreshed authentication cookie for the specified account, thereby taking on that account’s privileges
Microsoft’s fix for supported versions changes RefreshSignInAsync to verify that the ID of the supplied user matches the ID of the currently authenticated principal. If they do not match, the patched 8.0 and 9.0 releases log the mismatch and return without refreshing the sign-in, while later releases throw an exception.
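The controller below is an illustration added here, not TuxCare’s patch and not Microsoft’s exact code. It shows, on the application side, the pattern that makes an unpatched .NET 6 application exploitable and the user-ID comparison that the fix enforces; the same comparison can be applied in application code as a stop-gap on a framework that has not yet been patched. The controller, action and parameter names are hypothetical, and the example assumes the default IdentityUser type.

```csharp
// Added example (not TuxCare's patch nor Microsoft's exact code).
// Assumes ASP.NET Core Identity with the default IdentityUser; the
// controller, action and parameter names are hypothetical.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

[Authorize]
public class ProfileController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly ILogger<ProfileController> _logger;

    public ProfileController(UserManager<IdentityUser> userManager,
                             SignInManager<IdentityUser> signInManager,
                             ILogger<ProfileController> logger)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _logger = logger;
    }

    // Vulnerable pattern: the account whose cookie gets refreshed is chosen by
    // a request parameter. On unpatched Identity (including .NET 6), any
    // authenticated user who posts another account's id receives a cookie
    // for that account.
    [HttpPost]
    public async Task<IActionResult> RefreshUnsafe(string userId)
    {
        var target = await _userManager.FindByIdAsync(userId);
        if (target == null) return NotFound();
        await _signInManager.RefreshSignInAsync(target); // no identity check on .NET 6
        return Ok();
    }

    // Hardened pattern: derive the user from the authenticated principal and
    // apply the same identity check that the Microsoft fix adds inside
    // RefreshSignInAsync.
    [HttpPost]
    public async Task<IActionResult> RefreshSafe()
    {
        var current = await _userManager.GetUserAsync(User);
        if (current == null) return Unauthorized();
        await RefreshSignInCheckedAsync(current);
        return Ok();
    }

    // Application-side equivalent of the patched check: refuse to refresh
    // unless the supplied user's id equals the id of the authenticated
    // principal. The mismatch is logged so that exploitation attempts are
    // visible to monitoring.
    private async Task RefreshSignInCheckedAsync(IdentityUser user)
    {
        var authenticatedId = _userManager.GetUserId(User);
        var suppliedId = await _userManager.GetUserIdAsync(user);
        if (authenticatedId == null ||
            !string.Equals(authenticatedId, suppliedId, StringComparison.Ordinal))
        {
            _logger.LogError(
                "RefreshSignInAsync refused: authenticated user {AuthId} does not match supplied user {SuppliedId}",
                authenticatedId, suppliedId);
            throw new InvalidOperationException(
                "RefreshSignInAsync called for a different user than the one currently authenticated.");
        }
        await _signInManager.RefreshSignInAsync(user);
    }
}
```

When auditing a .NET 6 code base, every call site of RefreshSignInAsync should look like RefreshSafe: the user argument must come from the authenticated principal (GetUserAsync(User)), never from a route, query, form or JSON field.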
Our Solution for .NET 6 Users
As part of our commitment to providing Endless Lifecycle Support for .NET 6, we have:
- Developed a security patch that brings the same protection to .NET 6 applications
- Thoroughly tested this patch to ensure both security and compatibility
- Made it available immediately to all our customers on our support plan
Our patch implements the same security checks that Microsoft has added to supported versions, ensuring that RefreshSignInAsync can only refresh the sign-in for the currently authenticated user.
Recommended Actions
If you are running .NET 6 applications, we strongly recommend taking the following actions:
- Apply our security patch immediately to protect against potential exploitation
- Audit your application’s authentication code, particularly any code path that passes a user object derived from request data (route, query, form or JSON fields) into RefreshSignInAsync
- Log and alert on sign-in refreshes where the supplied user does not match the currently authenticated principal, so that exploitation attempts are detectable
How to Obtain the Fix
Customers enrolled in our Endless Lifecycle Support program can download the security patch from our repository. The update can be applied with minimal downtime and does not require application code changes.
Not currently a customer? You can learn more about our Endless Lifecycle Support for legacy .NET here.
Final Thoughts
This discovery underscores the importance of extended support for frameworks that have reached end of life from their vendors but remain in widespread use. Our security research team remains vigilant in identifying vulnerabilities that affect all versions of .NET, regardless of their official support status.
By providing security patches for .NET 6, we help organizations maintain secure operations while planning their migration strategy at a pace that makes business sense.
CVE-2025-24070 | CVSS v3 Score: 7.0 (High) | March 25, 2025
Critical .NET Security Alert: CVE-2025-24070 Impacts .NET 6
Author: Joao Correia, TuxCare