CVE-2025-36854: CWE-416: Use After Free in Microsoft .NET 6.0
A vulnerability (CVE-2024-38229, https://www.cve.org/CVERecord) exists in EOL ASP.NET: when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free, resulting in Remote Code Execution. Per CWE-416: Use After Free (https://cwe.mitre.org/data/definitions/416.html), Use After Free is when a product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. This issue affects EOL ASP.NET 6.0.0 <= 6.0.36 as represented in this CVE, as well as 8.0.0 <= 8.0.8 and 9.0.0-preview.1.24081.5 <= 9.0.0.RC.1 as represented in CVE-2024-38229 (https://www.cve.org/CVERecord). Additionally, if you've deployed self-contained applications (https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed. NOTE: This CVE only represents End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.
AI Analysis
Technical Summary
CVE-2025-36854 is a high-severity use-after-free (CWE-416) in the End Of Life (EOL) 6.0 branch of ASP.NET Core, covering 6.0.0 through 6.0.36. 6.0.36 was the final 6.0 servicing release, and the 6.0 branch left Microsoft support on 12 November 2024, so the whole branch is affected and none of it will be fixed. The CVE is the EOL-branch counterpart of CVE-2024-38229, which covers the same bug in 8.0.0 through 8.0.8 and in the 9.0 preview and RC1 builds. The flaw is in the framework's HTTP/3 stream handling in Kestrel, not in application code: when an HTTP/3 stream is closed while application code is still writing to the response body, a race condition allows already-freed memory to be referenced, and the advisory rates the worst-case outcome as remote code execution without authentication or user interaction. Because the race lives in the server, exposure depends on whether the process terminates HTTP/3 at all. Kestrel listens on HTTP/1.1 and HTTP/2 by default and HTTP/3 has to be enabled explicitly in endpoint configuration (in .NET 6 it was a preview feature that additionally required opting in to preview features at build time), so an application that never enabled HTTP/3, or that sits behind a proxy or CDN speaking HTTP/1.1 or HTTP/2 to the backend, does not reach the affected code path. Self-contained deployments bundle their own copy of the framework and remain vulnerable regardless of the runtime installed on the host; they must be rebuilt against a fixed framework and redeployed. The CVSS v3.1 base score is 8.1: network attack vector, high attack complexity, no privileges or user interaction required, and high confidentiality, integrity and availability impact; the high complexity is consistent with the attacker having to win a timing race. No exploitation in the wild is known at the time of writing, but the combination of unauthenticated RCE and the broad enterprise footprint of .NET makes this worth treating as a priority wherever HTTP/3 is enabled.
Potential Impact
For European organizations, the impact of CVE-2025-36854 is significant because .NET is widely used for enterprise web applications and services, and many long-lived internal applications were built on .NET 6, the last LTS release before .NET 8. Successful exploitation would give an attacker code execution inside the web worker process, from which data theft, service disruption and lateral movement into the corporate network follow. Critical infrastructure, financial institutions, healthcare providers and government agencies still running ASP.NET Core 6.0 are the most exposed. Because Microsoft will not patch the 6.0 branch, the only remedies are an upgrade or a configuration change, which raises operational risk for organizations that cannot move quickly. Self-contained deployments are the easiest to overlook: patching the host's shared runtime does nothing for them, so an inventory that only looks at installed runtimes will report a clean estate while vulnerable binaries keep serving traffic. The practical exposure is narrower than "every .NET 6 web app": only processes that terminate HTTP/3 themselves are reachable, and services fronted by a proxy or CDN that speaks HTTP/1.1 or HTTP/2 to the backend are not. Where HTTP/3 is enabled on an Internet-facing Kestrel endpoint, however, the flaw is reachable without credentials and without user interaction, which places it ahead of most perimeter controls.
Mitigation Recommendations
Given the EOL status of the affected ASP.NET Core versions, the primary mitigation is to leave the 6.0 branch. Migrate to a supported release: .NET 8 (LTS) on its latest servicing release, or .NET 9. Do not target .NET 7, which is itself out of support. For 8.0 deployments, the advisory lists 8.0.0 through 8.0.8 as affected, so update to the latest 8.0 servicing release. Self-contained applications must be rebuilt with an updated SDK and runtime pack and redeployed; check the includedFrameworks entries in each application's runtimeconfig.json rather than the host's runtime list, because the bundled framework version is what matters. Where an immediate upgrade is not feasible, remove the vulnerable code path instead of trying to detect attacks against it: disable HTTP/3 on Kestrel endpoints (set Protocols to Http1AndHttp2 in appsettings.json or ListenOptions.Protocols in code, and remove the preview-feature opt-in in .NET 6 projects), or terminate client connections at a reverse proxy, load balancer or CDN that speaks HTTP/1.1 or HTTP/2 to the backend, so that no HTTP/3 stream ever reaches Kestrel. A WAF or RASP rule cannot reliably recognize a timing race in stream teardown, so these products help only insofar as they terminate HTTP/3 in front of the application. Code review of application code will not find this bug, since it is in the framework. For detection, note that a failed attempt to win a use-after-free race typically crashes the worker, so alert on repeated crashes or AccessViolationException-style failures in ASP.NET Core processes, and monitor for anomalous HTTP/3 traffic against exposed endpoints. Finally, make sure the incident response plan covers compromise of a web worker process, including credential rotation for any secrets the process could read.
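An inventory check covering the points above (shared runtimes, self-contained applications, and whether Kestrel has HTTP/3 enabled), as an added example for this advisory and not Microsoft's or HeroDevs' tooling. It assumes the real formats: the line layout of `dotnet --list-runtimes` output, the `runtimeOptions.includedFrameworks` array that self-contained applications carry in their `*.runtimeconfig.json`, and the `Kestrel:Endpoints:<name>:Protocols` / `Kestrel:EndpointDefaults:Protocols` configuration keys. The affected version ranges are taken from the advisory text; all inputs below are constructed samples.

```python
"""Inventory check for CVE-2025-36854 / CVE-2024-38229 (added example, not vendor tooling)."""
import json
import re
from typing import Dict, List, Optional, Tuple

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?$")
_RUNTIME_LINE = re.compile(r"^(Microsoft\.\w+\.App) (\S+) \[(.+)\]$")


def classify(version: str) -> str:
    """Verdict for a Microsoft.AspNetCore.App version, using the advisory's ranges:
    6.0.0-6.0.36 (every 6.0 release, EOL), 8.0.0-8.0.8, and 9.0.0 preview/rc.1 builds."""
    m = _VERSION.match(version)
    if not m:
        return f"unparsed: {version}"
    major, minor, patch, pre = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor) == (6, 0):
        return "vulnerable: 6.0 is EOL with no fix; migrate to a supported .NET"
    if (major, minor) == (8, 0) and patch <= 8:
        return "vulnerable: update to the latest 8.0 servicing release"
    if (major, minor, patch) == (9, 0, 0) and pre and (
        pre.startswith("preview.") or re.match(r"rc\.1(\.|$)", pre)
    ):
        return "vulnerable: pre-release build; update to 9.0 GA or later"
    return "not affected by this CVE"


def parse_list_runtimes(text: str) -> List[Tuple[str, str]]:
    """(version, path) pairs for Microsoft.AspNetCore.App from `dotnet --list-runtimes` output."""
    found = []
    for line in text.splitlines():
        m = _RUNTIME_LINE.match(line.strip())
        if m and m[1] == "Microsoft.AspNetCore.App":
            found.append((m[2], m[3]))
    return found


def self_contained_aspnet_version(runtimeconfig_json: str) -> Optional[str]:
    """Self-contained apps bundle their frameworks under runtimeOptions.includedFrameworks;
    framework-dependent apps use 'frameworks' and rely on the host runtime instead."""
    opts = json.loads(runtimeconfig_json).get("runtimeOptions", {})
    for fw in opts.get("includedFrameworks", []):
        if fw.get("name") == "Microsoft.AspNetCore.App":
            return fw.get("version")
    return None


def kestrel_http3_endpoints(appsettings_json: str) -> List[str]:
    """Kestrel endpoints whose effective Protocols include HTTP/3. Protocols set in code
    (ListenOptions.Protocols) are not visible in appsettings.json and need a separate check."""
    kestrel = json.loads(appsettings_json).get("Kestrel", {})
    default = kestrel.get("EndpointDefaults", {}).get("Protocols", "")
    hits = ["EndpointDefaults"] if "http3" in default.lower() else []
    for name, ep in kestrel.get("Endpoints", {}).items():
        if "http3" in ep.get("Protocols", default).lower():
            hits.append(name)
    return hits


# Constructed samples: a host with both affected shared runtimes installed, a self-contained
# .NET 6 app, and an appsettings.json that enables HTTP/3 on the HTTPS endpoint only.
SAMPLE_LIST_RUNTIMES = """\
Microsoft.AspNetCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""
SAMPLE_RUNTIMECONFIG = json.dumps({"runtimeOptions": {"tfm": "net6.0", "includedFrameworks": [
    {"name": "Microsoft.NETCore.App", "version": "6.0.25"},
    {"name": "Microsoft.AspNetCore.App", "version": "6.0.25"}]}})
SAMPLE_APPSETTINGS = json.dumps({"Kestrel": {
    "EndpointDefaults": {"Protocols": "Http1AndHttp2"},
    "Endpoints": {"Https": {"Url": "https://*:5001", "Protocols": "Http1AndHttp2AndHttp3"},
                  "Http": {"Url": "http://*:5000"}}}})


def audit(list_runtimes: str, runtimeconfig: str, appsettings: str) -> Dict[str, object]:
    """Combine the three checks into one report; HTTP/3 being enabled is what makes a
    vulnerable version actually reachable."""
    report: Dict[str, object] = {
        "shared_runtimes": {v: classify(v) for v, _ in parse_list_runtimes(list_runtimes)},
        "self_contained": None,
        "http3_endpoints": kestrel_http3_endpoints(appsettings),
    }
    bundled = self_contained_aspnet_version(runtimeconfig)
    if bundled:
        report["self_contained"] = (bundled, classify(bundled))
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LIST_RUNTIMES, SAMPLE_RUNTIMECONFIG, SAMPLE_APPSETTINGS).items():
        print(f"{key}: {value}")
```

Run it against real files by feeding `dotnet --list-runtimes` output, each deployed application's `*.runtimeconfig.json` and its `appsettings*.json` into `audit`. A version marked vulnerable with no HTTP/3 endpoint still needs the upgrade (6.0 gets no fixes of any kind), but it is not reachable through this CVE until someone turns HTTP/3 on.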
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: HeroDevs
- Date Reserved: 2025-04-15T23:50:31.198Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68bee1dfd5a2966cfc801501
Added to database: 9/8/2025, 2:02:07 PM
Last enriched: 9/8/2025, 2:16:36 PM
Last updated: 9/9/2025, 8:06:04 AM
Related Threats
- CVE-2025-10095: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Proximus sp. z o.o. SMSEagle (Medium)
- CVE-2025-48208: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') in Apache Software Foundation Apache HertzBeat (incubating) (High)
- CVE-2025-24404: CWE-91 XML Injection (aka Blind XPath Injection) in Apache Software Foundation Apache HertzBeat (incubating) (High)
- CVE-2025-59019: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 TYPO3 CMS (Medium)
- CVE-2025-59018: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 TYPO3 CMS (High)