CVE-2026-47303

Microsoft · .NET

An authentication bypass vulnerability in ASP.NET allows an authenticated attacker to manipulate data and gain unauthorized access.

Executive summary

A critical authentication bypass flaw in Microsoft .NET and Visual Studio allows authenticated attackers to escalate privileges through data manipulation.

Vulnerability

This vulnerability involves an authentication bypass due to the handling of assumed-immutable data in ASP, alongside potential LDAP injection risks. It requires the attacker to be authenticated at a low level to exploit the flaw.

Business impact

This vulnerability allows an attacker to bypass security controls, leading to unauthorized access and potential data manipulation. Given the CVSS score of 8.8, the impact is severe, potentially allowing an attacker to compromise the confidentiality, integrity, and availability of applications built on the .NET framework.

Remediation

Immediate Action: Update all instances of .NET and Visual Studio to the latest patched versions provided by Microsoft.

Proactive Monitoring: Audit application logs for suspicious authentication patterns or unusual LDAP query strings that may indicate an attempt to exploit this bypass.

Compensating Controls: Implement strict input validation and sanitization for all data used in authentication and authorization logic to prevent injection attacks.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

Organizations relying on the .NET framework must prioritize the application of these security updates. Given the potential for total impact on application security, testing and deploying these patches should be performed as part of an emergency update cycle.