Attack Chain

1. Attacker identifies a public-facing application or service built with a vulnerable Microsoft .Net or ASP.NET Core version (e.g., .NET 10.0 < 10.0.9, ASP.NET Core 8.0 < 8.0.28).
2. The attacker crafts a malicious input or request specifically designed to exploit CVE-2026-45491 or CVE-2026-45591, targeting the application's processing logic.
3. The vulnerable .Net or ASP.NET Core runtime processes the malformed data, triggering the vulnerability.
4. For denial of service (DoS) attacks, the vulnerability causes the application or underlying service to crash, hang, or consume excessive resources, making it unresponsive to legitimate users.
5. For data integrity compromise, the vulnerability allows unauthorized modification or corruption of data handled by the application, potentially leading to incorrect computations, unauthorized state changes, or other forms of data manipulation.
6. The application either becomes unavailable, experiences significant performance degradation, or operates with compromised data, directly impacting business operations and trust.

Impact

The successful exploitation of these vulnerabilities can lead to significant operational disruption and data reliability issues. A remote denial of service attack can render critical applications and services inaccessible, leading to financial losses, reputational damage, and inability to conduct business. Data integrity compromise can result in corrupted databases, inaccurate financial records, or manipulated user data, undermining trust and potentially leading to compliance violations or incorrect decision-making. While specific victim counts or targeted sectors are not detailed, any organization utilizing affected .Net or ASP.NET Core versions is at risk, particularly those with internet-facing applications.

Recommendation

• Immediately apply the security updates provided by Microsoft for all affected .NET and ASP.NET Core versions as referenced in the CERTFR-2026-AVI-0729 advisory and the MSRC bulletins for CVE-2026-45491 and CVE-2026-45591.
• Deploy the provided Sigma rules to your SIEM/EDR to detect potential exploitation attempts or post-exploitation activities related to the observed vulnerabilities.
• Enable comprehensive logging for web servers (like IIS or Kestrel) and application runtimes (dotnet.exe process creation) to capture anomalies that the rules are designed to detect.
• Monitor for excessive 5xx HTTP status codes in web server logs, which can indicate ongoing denial of service attempts or application crashes as per the Detect Excessive Web Server 5xx Errors rule.
• Enable process creation logging, especially for dotnet.exe or w3wp.exe, to detect suspicious child processes as per the Detect Suspicious Child Process from Dotnet Host rule.