CVE-2023-35390 Overview
CVE-2023-35390 is a remote code execution vulnerability affecting Microsoft .NET and Visual Studio 2022. This command injection flaw (CWE-77) allows attackers to execute arbitrary code on vulnerable systems when a user interacts with maliciously crafted content. The vulnerability requires local access and user interaction, but once exploited, can lead to complete system compromise with full confidentiality, integrity, and availability impact.
Critical Impact
Successful exploitation allows attackers to execute arbitrary code with the privileges of the current user, potentially leading to complete system compromise.
Affected Products
- Microsoft .NET (multiple versions)
- Microsoft Visual Studio 2022 (multiple versions)
Discovery Timeline
- August 8, 2023 - CVE-2023-35390 published to NVD
- January 1, 2025 - Last updated in NVD database
Technical Details for CVE-2023-35390
Vulnerability Analysis
This vulnerability is classified as a command injection flaw (CWE-77), which occurs when an application constructs command strings using untrusted input without proper sanitization. In the context of .NET and Visual Studio, this vulnerability can be triggered when processing specially crafted project files or other development artifacts. The attack requires local access and user interaction—meaning a victim must open or interact with a malicious file—but once triggered, the attacker gains code execution capabilities with the same privileges as the running application.
Root Cause
The root cause of CVE-2023-35390 is improper neutralization of special elements used in a command. When processing certain inputs, the affected .NET and Visual Studio components fail to adequately sanitize user-controlled data before incorporating it into command strings that are subsequently executed. This allows attackers to inject malicious commands that break out of the intended command context and execute arbitrary system commands.
Attack Vector
The attack vector for this vulnerability is local, requiring an attacker to convince a user to open a maliciously crafted file or project. Typical attack scenarios include:
- An attacker crafts a malicious .NET project file or solution containing command injection payloads
- The attacker distributes the malicious file via email, code repositories, or other channels
- When a victim opens the file in Visual Studio or processes it with .NET tooling, the injected commands execute
- The attacker achieves code execution with the victim's privileges
The vulnerability does not require elevated privileges to exploit, but user interaction is required. Once exploited, the impact to confidentiality, integrity, and availability is high.
Detection Methods for CVE-2023-35390
Indicators of Compromise
- Unusual process spawning from Visual Studio or dotnet.exe processes
- Unexpected command-line execution patterns originating from development tools
- Suspicious network connections initiated by .NET or Visual Studio processes
- Anomalous file system modifications in user directories following development tool usage
Detection Strategies
- Monitor for child processes spawned by devenv.exe or dotnet.exe that execute suspicious commands (cmd.exe, powershell.exe with encoded commands)
- Implement application whitelisting to detect unauthorized executables launched from development environments
- Use endpoint detection and response (EDR) solutions to identify command injection patterns
- Review and audit .NET project files before opening from untrusted sources
Monitoring Recommendations
- Enable process creation auditing on development workstations
- Configure SIEM rules to alert on unusual process hierarchies involving Visual Studio
- Monitor for modifications to .csproj, .sln, and other project files from external sources
- Implement file integrity monitoring for development tool configurations
How to Mitigate CVE-2023-35390
Immediate Actions Required
- Apply Microsoft security updates immediately for all affected .NET and Visual Studio installations
- Avoid opening .NET projects or solutions from untrusted sources until patches are applied
- Review any recently opened projects from external sources for suspicious content
- Enable Microsoft Defender for Endpoint or SentinelOne for enhanced detection capabilities
Patch Information
Microsoft has released security updates to address this vulnerability. Patches are available through the Microsoft Security Update Guide. Organizations using Fedora should also review the Fedora Package Announcements for updated .NET packages.
To update Visual Studio 2022, use the Visual Studio Installer or check for updates within the IDE. For standalone .NET installations, download the latest SDK and runtime versions from the official Microsoft .NET download page.
Workarounds
- Implement strict policies against opening development projects from untrusted sources
- Use sandboxed or virtual environments when examining untrusted code repositories
- Configure Windows Defender Application Control (WDAC) policies to restrict script execution
- Enable controlled folder access to prevent unauthorized modifications to sensitive directories
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
