CVE-2025-55247 Overview
CVE-2025-55247 is an improper link resolution vulnerability in Microsoft .NET that allows an authorized local attacker to elevate privileges. The flaw is classified under [CWE-59] (link following) and affects .NET runtime components that process file paths without validating symbolic or hard link targets. An attacker with low privileges on the system can craft a malicious link that redirects file operations performed by a higher-privileged .NET process, leading to file writes or accesses outside the intended trust boundary.
Critical Impact
Successful exploitation grants the attacker the privileges of the targeted .NET process, which can include SYSTEM or root-level access on affected hosts.
Affected Products
- Microsoft .NET (multiple supported versions, see vendor advisory)
- Linux kernel hosts running .NET workloads
- Windows hosts running .NET applications and services
Discovery Timeline
- 2025-10-14 - CVE-2025-55247 published to NVD
- 2025-10-14 - Microsoft releases security update for CVE-2025-55247
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2025-55247
Vulnerability Analysis
The vulnerability stems from how .NET resolves file paths during privileged file operations. When a .NET component opens, writes, or modifies a file using a path that includes a symbolic link or junction, the runtime follows the link without verifying that the resolved target is within an expected directory or owned by the appropriate principal. A local attacker who can create links in a directory accessed by a privileged .NET process can redirect the operation to arbitrary files on the system.
Exploitation requires local access, low privileges, and user interaction with the affected component. The attack does not traverse the network and does not require administrative rights to stage the malicious link. Once triggered, the privileged process performs the file operation against the attacker-controlled target, which can result in arbitrary file overwrite, configuration tampering, or replacement of binaries loaded by privileged services.
Root Cause
The root cause is the absence of link validation before file access in affected .NET file-handling routines. The runtime trusts the supplied path and follows kernel-level link resolution semantics rather than canonicalizing the path and checking it against a permitted location. This pattern is a classic time-of-check to time-of-use weakness combined with [CWE-59] link following.
Attack Vector
A local attacker plants a symbolic link, hard link, or filesystem junction in a directory that a privileged .NET process reads or writes. The attacker then induces the privileged process to perform the file operation, typically by triggering an installer, updater, or service action that touches the controlled directory. The privileged process resolves the link and performs the operation against the attacker-chosen target file. On Linux this commonly involves symlink() placement in shared directories such as /tmp; on Windows it involves NTFS junctions or object manager symlinks.
No public proof-of-concept code is available for CVE-2025-55247. Refer to the Microsoft Security Update CVE-2025-55247 advisory for vendor technical details.
Detection Methods for CVE-2025-55247
Indicators of Compromise
- Creation of symbolic links, hard links, or NTFS junctions in directories used by .NET installers, updaters, or services by non-privileged users.
- Unexpected file writes or replacements in protected directories such as C:\Program Files\dotnet\, /usr/share/dotnet/, or service configuration paths.
- Privileged .NET processes opening files outside their normal working directory shortly after low-privileged user activity in shared temp directories.
Detection Strategies
- Audit filesystem telemetry for symlink, link, and CreateSymbolicLink operations targeting paths consumed by dotnet.exe, dotnet, or related runtime binaries.
- Correlate process ancestry to identify cases where a low-privileged process creates a link immediately before a privileged .NET process accesses the same path.
- Hunt for file handle opens by SYSTEM or root .NET processes that resolve to user-writable directories.
Monitoring Recommendations
- Enable Windows Sysmon Event ID 11 (FileCreate) and Event ID 15 (FileCreateStreamHash) on .NET runtime directories.
- Enable Linux auditd rules on symlinkat, linkat, and openat syscalls targeting .NET installation and cache paths.
- Forward endpoint and audit telemetry to a centralized data lake for retrospective hunting once patch rollout is verified.
How to Mitigate CVE-2025-55247
Immediate Actions Required
- Apply the Microsoft security update referenced in the vendor advisory to all affected .NET runtimes and SDKs.
- Inventory hosts running .NET workloads on Windows and Linux and prioritize patching for servers running privileged .NET services.
- Restrict interactive local access on multi-user systems running .NET applications until patches are deployed.
Patch Information
Microsoft released fixed .NET runtime and SDK builds on October 14, 2025. Administrators should install the latest cumulative update for each supported .NET major version on every affected host. On Linux, update the dotnet-runtime and dotnet-sdk packages through the distribution package manager or Microsoft package feed. Validate the patched version by running dotnet --info and confirming the runtime version matches the fixed release.
Workarounds
- Remove unused .NET runtimes and SDKs to reduce the attack surface where patching cannot be performed immediately.
- Restrict write permissions on directories accessed by privileged .NET processes so that low-privileged users cannot plant links.
- Disable creation of symbolic links by non-administrative users on Windows by removing the SeCreateSymbolicLinkPrivilege right from standard user accounts.
# Verify installed .NET runtime versions and confirm patched build
dotnet --list-runtimes
dotnet --list-sdks
# Linux: update Microsoft .NET packages
sudo apt-get update && sudo apt-get install --only-upgrade dotnet-runtime-8.0 dotnet-sdk-8.0
# Windows: remove symlink creation privilege from standard users
secedit /export /cfg C:\secpol.cfg
# Edit SeCreateSymbolicLinkPrivilege line to remove non-admin SIDs, then:
secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
