Security bypass in Microsoft .NET Framework

Published: 2017-05-09
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-0248
Exploitation vector Network
Public exploit N/A
Vulnerable software
Microsoft .NET Framework
Server applications / Frameworks for developing and running applications

Vendor Microsoft

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Security bypass


Risk: Low


CVE-ID: CVE-2017-0248

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No


The vulnerability allows a remote attacker to bypass certain security restrictions on the target system.

The weakness exists due to improper validation of certificates by Microsoft .NET Framework (and .NET Core) components. A remote attacker can force the usage of invalid certificates for certain use by affected component, disregard the Enhanced Key Usage taggings and bypass security restrictions.

Successful exploitation of the vulnerability results in security bypass.


Install update from vendor's website.

Vulnerable software versions

Microsoft .NET Framework: 2.0 - 4.7

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?