CVE-2023-36558 is a security feature bypass vulnerability identified in Microsoft .NET 6.0, specifically impacting ASP.NET Core applications. The vulnerability affects version 6.0.0 of the .NET 6.0 framework. This flaw allows an attacker with local access (as indicated by the CVSS vector AV:L) to bypass certain security features within ASP.NET Core, potentially leading to unauthorized access to sensitive data. The vulnerability does not require privileges (PR:N) or user interaction (UI:N) to be exploited, which increases the risk in environments where local access can be obtained. The attack complexity is low (AC:L), meaning exploitation does not require specialized conditions. The scope is unchanged (S:U), indicating the impact is confined to the vulnerable component without affecting other components. The primary impact is on confidentiality (C:H), with no direct impact on integrity (I:N) or availability (A:N). The exploitability is rated as proof-of-concept (E:P), and the remediation level is official (RL:O) with confirmed fix (RC:C). Although no known exploits are currently reported in the wild, the vulnerability represents a medium severity risk due to its potential to expose sensitive information by bypassing security controls in ASP.NET Core applications running on .NET 6.0. The absence of patch links suggests that remediation may require updating to a patched version once available or applying recommended mitigations from Microsoft.

For European organizations, especially those relying on ASP.NET Core applications hosted on .NET 6.0, this vulnerability poses a risk of unauthorized data disclosure if an attacker gains local access to the system. This could affect enterprises in sectors such as finance, healthcare, government, and critical infrastructure, where sensitive personal or operational data is processed. The confidentiality breach could lead to exposure of personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Since the vulnerability requires local access, the risk is higher in environments with shared hosting, insufficient network segmentation, or weak endpoint security. The lack of impact on integrity and availability limits the threat to data exposure rather than system disruption or data manipulation. However, the medium severity rating indicates that organizations should prioritize mitigation to prevent potential escalation or combined attacks leveraging this bypass.

1. Upgrade to the latest patched version of .NET 6.0 as soon as Microsoft releases an official fix addressing CVE-2023-36558. 2. Restrict local access to servers running ASP.NET Core applications by enforcing strict access controls, including multi-factor authentication and least privilege principles for administrative accounts. 3. Implement network segmentation to isolate critical application servers from less secure network zones, reducing the risk of local access by unauthorized users. 4. Monitor and audit local access logs and system events for unusual activity that could indicate attempts to exploit this vulnerability. 5. Employ application-level security controls such as data encryption at rest and in transit to minimize the impact of potential confidentiality breaches. 6. Conduct regular security assessments and penetration testing focusing on local privilege escalation and security feature bypass scenarios. 7. Educate system administrators and developers about this vulnerability and encourage prompt application of security updates and best practices in secure coding and deployment.