The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft’s .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The flaw, tracked as CVE-2023-38180 and rated high severity (CVSS score: 7.5), is a denial-of-service (DoS) vulnerability that affects .NET and Visual Studio. Microsoft addressed this vulnerability in its August 2023 Patch Tuesday updates, which were released earlier this week. The company classified the flaw as “Exploitation More Likely.”

While specific details about the exploitation are not known, Microsoft has acknowledged the existence of a proof-of-concept (PoC) in its advisory. The company also stated that attacks utilizing this vulnerability can be carried out without any additional privileges or user interaction.

The affected software versions include ASP.NET Core 2.1, .NET 6.0, .NET 7.0, and Microsoft Visual Studio 2022 versions 17.2, 17.4, and 17.6.

To minimize potential risks, CISA has recommended that Federal Civilian Executive Branch (FCEB) agencies apply the fixes provided by the vendor for this vulnerability by August 30, 2023.

