Microsoft ASP.NET Privilege Escalation Vulnerability, CVSS 9.1 Critical
Summary
CERT-Bund, Germany's Federal Computer Emergency Response Team, issued a critical security advisory (WID-SEC-2026-1213) on 21 April 2026 regarding a privilege escalation vulnerability in Microsoft ASP.NET. The flaw, affecting versions prior to 10.0.7, carries a CVSS Base Score of 9.1 (Critical) and a Temporal Score of 7.9 (High), with confirmed remote attack feasibility. Mitigation measures are available, and the current status is dated 22 April 2026. Organizations running vulnerable Microsoft ASP.NET deployments should treat this as an immediate patching priority given the critical severity rating and confirmed remote exploitability.
“Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Microsoft ASP.NET ausnutzen, um seine Privilegien zu erhöhen.”
Organizations running Microsoft ASP.NET web applications and services should treat this as an immediate patching priority — the CVSS 9.1 score and confirmed remote exploitability by anonymous attackers create near-term exposure regardless of compensating controls. While no specific compliance deadline is mandated by the advisory itself, the critical severity rating and availability of mitigation measures effectively require prompt action.
About this source
GovPing monitors CERT-Bund Security Advisories for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 368 changes logged to date.
What changed
CERT-Bund published a critical security advisory warning of a privilege escalation vulnerability in Microsoft ASP.NET affecting all versions prior to 10.0.7. The vulnerability carries a CVSS Base Score of 9.1 (Critical) and a Temporal Score of 7.9 (High), with confirmed remote attack capability and an anonymous attacker profile. Mitigation is available, and the advisory carries a status date of 22 April 2026.
Organizations operating Microsoft ASP.NET-based web applications, web services, or dynamic web pages face immediate security risk from this critical-rated flaw. System administrators and security teams should identify affected ASP.NET deployments, apply available patches to upgrade to version 10.0.7 or later, and verify mitigation effectiveness given the confirmed remote exploitability and high attack complexity.
Archived snapshot
Apr 22, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
[WID-SEC-2026-1213] Microsoft ASP.NET: Schwachstelle ermöglicht Privilegieneskalation CVSS Base Score 9.1 (kritisch) CVSS Temporal Score 7.9 (hoch) Remoteangriff ja Datum 21.04.2026 Stand 22.04.2026 Mitigation ja
Betroffene Systeme
Betriebssystem
- Windows
Produktbeschreibung
Microsoft ASP.NET (Active Server Pages .NET) ist eine Technologie zum Erstellen dynamischer Webseiten, Webanwendungen und Webservices auf Basis des Microsoft .NET-Frameworks.
Produkte
21.04.2026
- Microsoft ASP.NET <10.0.7
Angriff
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Microsoft ASP.NET ausnutzen, um seine Privilegien zu erhöhen. CVE Informationen Versionshistorie Feedback zum Advisory geben
Parties
Related changes
Get daily alerts for CERT-Bund Security Advisories
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from CERT-Bund.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CERT-Bund Security Advisories publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.