Bug 2369701 (CVE-2025-30399)

Summary: CVE-2025-30399 dotnet: .NET Remote Code Vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: saroy, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A remote code execution vulnerability in .NET 8.0 and 9.0. An attacker who can place malicious files in specific locations may trigger unintended code execution when the .NET runtime loads these files.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2371640, 2371641, 2371642, 2371643    
Bug Blocks:    
Deadline: 2025-06-10   

Comment 3 Sandipan Roy 2025-06-11 04:05:21 UTC 
Doc Text:
A remote code execution vulnerability in .NET 8.0 and 9.0. An attacker who can place malicious files in specific locations may trigger unintended code execution when the .NET runtime loads these files.

Statement:
This vulnerability is Important because it allows remote code execution at the runtime level, targeting the fundamental assembly loading mechanism of .NET. Unlike moderate flaws that may require complex chaining or rely on user interaction, this issue can be exploited simply by placing malicious files in specific directories that .NET probes during execution.
Comment 4 errata-xmlrpc 2025-06-11 07:00:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:8814 https://access.redhat.com/errata/RHSA-2025:8814
Comment 5 errata-xmlrpc 2025-06-11 07:10:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8812 https://access.redhat.com/errata/RHSA-2025:8812
Comment 6 errata-xmlrpc 2025-06-11 07:20:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:8813 https://access.redhat.com/errata/RHSA-2025:8813
Comment 7 errata-xmlrpc 2025-06-11 07:51:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:8816 https://access.redhat.com/errata/RHSA-2025:8816
Comment 8 errata-xmlrpc 2025-06-11 08:01:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:8817 https://access.redhat.com/errata/RHSA-2025:8817
Comment 9 errata-xmlrpc 2025-06-11 08:01:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8815 https://access.redhat.com/errata/RHSA-2025:8815
Comment 10 errata-xmlrpc 2025-06-16 01:46:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:9066 https://access.redhat.com/errata/RHSA-2025:9066