#VU109148 External Control of File Name or Path in Microsoft products - CVE-2025-26646

Cybersecurity Help s.r.o.

Published: 2025-05-13

Vulnerability identifier: #VU109148

Vulnerability risk: Medium

CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-26646

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
.NET
Other software / Other software solutions
Build Tools for Visual Studio
Other software / Other software solutions
.NET for Linux
Universal components / Libraries / Software for developers
.NET for macOS
Universal components / Libraries / Software for developers
Visual Studio
Universal components / Libraries / Software for developers

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to compromise th target system.

The vulnerability exists due to external control of file name or path in .NET, Visual Studio and Build Tools for Visual Studio. A remote user can perform spoofing attack on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

.NET: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.10, 8.0.11, 8.0.12, 8.0.13, 8.0.14, 8.0.15, 9.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4

.NET for Linux: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.0.11, 8.0.12 8.0.12, 9.0.0, 9.0.1 9.0.1

.NET for macOS: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.0.11, 8.0.12 8.0.12, 9.0.0, 9.0.1 9.0.1

Visual Studio: 17.8.0 17.8.34309.116, 17.8.1 17.8.34316.72, 17.8.2 17.8.34322.80, 17.8.3 17.8.34330.188, 17.8.4 17.8.34408.163, 17.8.5 17.8.34511.84, 17.8.6 17.8.34525.116, 17.8.7 17.8.34601.278, 17.8.8 17.8.34701.33, 17.8.9 17.8.34728.176, 17.8.10 17.8.34902.127, 17.8.11 17.8.34931.61, 17.8.12 17.8.35027.43, 17.8.13 17.8.35201.163, 17.8.14 17.8.35230.98, 17.8.15 17.8.35326.199, 17.8.16 17.8.35430.204, 17.8.17 17.8.35707.121, 17.8.18 17.8.18, 17.8.19 17.8.19, 17.8.20 17.8.20, 17.10.0 17.10.34916.146, 17.10.1 17.10.34928.147, 17.10.2 17.10.35004.147, 17.10.3 17.10.35013.160, 17.10.4 17.10.35027.167, 17.10.5 17.10.35122.118, 17.10.6 17.10.35201.131, 17.10.7 17.10.35230.96, 17.10.8 17.10.35326.205, 17.10.9 17.10.35431.56, 17.10.10 17.10.35707.196, 17.10.11 17.10.11, 17.10.12 17.10.12, 17.10.13 17.10.13, 17.12.0 17.12.35506.116, 17.12.1 17.12.35514.174, 17.12.2 17.12.35521.163, 17.12.3 17.12.35527.113, 17.12.4 17.12.35707.178, 17.12.5 17.12.5, 17.12.6 17.12.6, 17.12.7 17.12.7, 17.13.0 17.13.35806.99, 17.13.1, 17.13.2, 17.13.3 17.13.3, 17.13.4, 17.13.5, 17.13.6 17.13.6

Build Tools for Visual Studio: All versions

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-26646

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 10 update for .NET 9.0

Red Hat Enterprise Linux 10 update for .NET 8.0

Red Hat Enterprise Linux 9 update for .NET 8.0

Red Hat Enterprise Linux 8 update for .NET 8.0

Red Hat Enterprise Linux 8 update for .NET 9.0

External Control of File Name or Path in Microsoft .NET, Visual Studio and Build Tools for Visual Studio