CVE-2025-7326
Description
Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.
CWE
- CWE-1390: Weak Authentication
Affected
- Microsoft / ASP.NET Core 6.0 — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.Identity — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.win-arm — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.win-arm64 — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.win-x64 — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.win-x86 — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.linux-arm — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.linux-arm64 — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.linux-musl-arm — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.linux-musl-x64 — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.linux-x64 — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.osx-arm64 — versions ≥6.0.0, ≤6.0.36 [affected]
- Microsoft / Microsoft.AspNetCore.App.Runtime.osx-x64 — versions ≥6.0.0, ≤6.0.36 [affected]
CVSS
- Version 3.1: score 7, severity HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
References
- https://www.cve.org/CVERecord?id=CVE-2025-24070 (related)
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24070 (vendor advisory)
- https://www.herodevs.com/vulnerability-directory/cve-2025-7326
Source
cvelistV5-main/cves/2025/7xxx/CVE-2025-7326.json