The US government's main cybersecurity entity is warning of active exploits on a flaw in .NET and Visual Studio.
The Cybersecurity and Infrastructure Security Agency (CISA) said that federal agencies should patch CVE-2023-38180 as soon as possible after active attacks were spotted in the wild.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said in its advisory.
While CISA does not have much authority over private-sector companies, the agency's advisories are widely watched by the IT industry and used as a prompt to patch specific bugs.
The bug was addressed by Microsoft in this week's Patch Tuesday bundle. Users and administrators are advised to test out and patch the vulnerabilities as soon as possible.
CVE-2023-38180 describes a denial of service vulnerability in .NET and Visual Studio. In practice, a successful attack would require the attacker to have network access to the vulnerable system.
While denial of service flaws are generally considered less serious than other types of vulnerabilities, this bug received a relatively high common vulnerability scoring system (CVSS) score of 7.5 due to its availability.
Microsoft says that the exploit code for the flaw had been released as a proof of concept.
The vulnerability was one of 84 patches to be addressed in the Patch Tuesday update, and was lost in the mix as experts focused on bugs that had a higher severity score, such as remote code execution.
While Microsoft said at the time that no public exploits were available for any of the vulnerabilities, the day after Patch Tuesday releases are so notorious for exploit releases that its unofficial nickname in information security circles is "Exploit Wednesday."
That will be particularly true this week, as the community gathers in Las Vegas for the Black Hat and Defcon security conventions, a week otherwise known as "Hacker Summer Camp." No doubt many will be gathering for drinks and exchanging valuable security intelligence after having one (or several) too many.
Administrators overlook lower-severity vulnerabilities at their (and their company's) own peril. Attackers tend not to have much regard for CVSS scores, and supposedly low-risk vulnerabilities can often be "chained" together in exploits to create far greater risk.
