Date: 16 October 2025
Status: Patch Available - Impact Under Assessment
Severity: Critical
Reference: GitHub Advisory GHSA-5rrx-jjjq-q2r5
Overview
Microsoft has disclosed and patched a critical vulnerability in the ASP.NET Core framework, identified as GHSA-5rrx-jjjq-q2r5 / CVE-2025-55315.
The issue involves a security feature bypass that may lead to HTTP request/response smuggling under certain configurations. The vulnerability resides in Microsoft’s ASP.NET Core runtime - a component widely used across the software industry in .NET-based web applications.
More information about ASP.NET Core: https://dotnet.microsoft.com/en-us/apps/aspnet
The vulnerability was introduced within the Microsoft ASP.NET Core platform itself and is not specific to our products. Raynet assessed its applicability to our products and determined that they may be using the vulnerable component (see Impact on Our Products).
At the time of reporting, the vulnerability has been assigned a score of 9.9/10 (CVSS).
Impact on Our Products
Some of our applications are built on ASP.NET Core runtimes that may fall within the affected versions. We conducted a comprehensive impact analysis to determine whether any of our deployed or distributed systems are running vulnerable runtime versions.
The following products / components can be affected:
- Raynet One (all versions)
- Raynet One Technology Catalog (14.0, 14.1, 2025.3)
- Raynet One Data Hub (14.0, 14.1, 2025.3)
- Raynet One UEM (3.1, 3.2)
The following products are not affected:
- RMSi
- RayPack Studio (RayPack, RayQC, RayQC Advanced, PackBench, RayEval)
- RayFlow
- RaySAMi
- RayVentory Data Hub / Raynet One Data Hub (versions 12.5, 12.6)*
- RayVentory Catalog / Raynet One Technology Catalog (versions 12.5, 12.6)*
* According to the official vendor statement, the ASP.NET Core frameworks used by Raynet One and RayVentory products in versions 12.5 and 12.6 are not affected by CVE-2025-55315.
Customer Guidance
- Customers managing their own runtime environments (Windows / IIS) with any of the affected products are advised to update to the patched versions of ASP.NET Core (8.0.21, 9.0.10, or newer) following Microsoft’s standard update procedures. We also recommend removing the affected framework versions by uninstalling them completely.
  - See table Patch Availability (Windows)
- Customers managing their own runtime environments (Docker / Kubernetes) with any of the affected products are advised to update to the patched versions of our Docker images, following the product update guide table.
  - See table Patch Availability (Docker)
- Customers using Raynet-managed environments do not need to take any action. Raynet will ensure the timely introduction of patched code/images without interrupting service.
- Currently, there is no evidence of exploitation within our environment or customer installations.
Patch Availability (Windows)
Microsoft has released security updates addressing this vulnerability in the following runtime versions:
| Affected Version | Patched Version |
| ASP.NET Core 8.0 ≤ 8.0.20 | 8.0.21 |
| ASP.NET Core 9.0 ≤ 9.0.9 | 9.0.10 |
| ASP.NET Core 10.0 RC1 | 10.0.0-rc.2.25502.107 |
| Kestrel Core ≤ 2.3.0 | 2.3.6 |
All newer versions include the security fix.
IT Administrators should update the ASP.NET Core framework to the newest version, and then restart server instances (IIS Applications). No further steps are required.
According to the official vendor recommendation, previous versions of ASP.NET Core (prior to 8.0) are not affected.
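One way to verify the result of the update, as an added example (not Raynet's or Microsoft's code): the script parses the output of `dotnet --list-runtimes` and flags every installed Microsoft.AspNetCore.App runtime that falls into the affected ranges of the table above, including older versions that remain installed side by side after the update. The sample listing is constructed, the function names are hypothetical, and only the three ASP.NET Core runtime rows of the table are checked, not the Kestrel Core row.

```python
import re

# Patched versions taken from the "Patch Availability (Windows)" table on this page.
PATCHED = {8: (8, 0, 21), 9: (9, 0, 10)}
RC_FIXED = "10.0.0-rc.2.25502.107"
LINE_RE = re.compile(
    r"^Microsoft\.AspNetCore\.App\s+(\d+)\.(\d+)\.(\d+)(?:-(\S+))?\s+\[(.+)\]\s*$"
)

def classify(major, minor, patch, pre):
    """Return the patched version to move to, or None if the table does not list it."""
    if major in PATCHED and (major, minor, patch) < PATCHED[major]:
        return ".".join(map(str, PATCHED[major]))
    if (major, minor, patch) == (10, 0, 0) and pre and pre.startswith("rc.1."):
        return RC_FIXED
    return None  # includes versions prior to 8.0, which the page lists as not affected

def find_affected(listing):
    """Parse `dotnet --list-runtimes` output; return (version, path, fix) tuples."""
    hits = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other shared runtimes (Microsoft.NETCore.App, ...) or blank lines
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        fix = classify(major, minor, patch, m.group(4))
        if fix:
            version = f"{major}.{minor}.{patch}" + (f"-{m.group(4)}" if m.group(4) else "")
            hits.append((version, m.group(5), fix))
    return hits

# Constructed sample output (not from a real host): 8.0.21 has been installed,
# but the older 8.0.20 runtime is still present side by side.
SAMPLE = r"""
Microsoft.AspNetCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.21 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.10 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for version, path, fix in find_affected(SAMPLE):
        print(f"AFFECTED Microsoft.AspNetCore.App {version} in {path}: update to {fix}, then uninstall")
```

On a real host, pass the captured output of `dotnet --list-runtimes` to `find_affected` instead of `SAMPLE`.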
Patch Availability (Docker)
Raynet has released updated Docker images, which should replace all previously used images. The following table lists the affected versions and the suggested migration paths to rectify the vulnerability.
Raynet One
The newest version available which fixes the vulnerability is 2025.3 Update 2 (version 25.3.3667.63). For customers still using the 1.x product line, we also offer a dedicated Update 5 (version 1.1.3035.65).
| Affected version (Upgrade from) | Patched version (Upgrade to) |
| 1.1 RTM (1.1.2509.13) | 1.1 U5 (1.1.3035.65) |
| 1.1 U1 (1.1.2515.14) | 1.1 U5 (1.1.3035.65) |
| 1.1 U2 (1.1.3019.20) | 1.1 U5 (1.1.3035.65) |
| 1.1 U3 (1.1.3026.23) | 1.1 U5 (1.1.3035.65) |
| 1.1 U4 (1.1.3035.29) | 1.1 U5 (1.1.3035.65) |
| 1.1 U5 (1.1.3035.65) | (already patched) |
| 2025.3 RTM (2025.3.3663.59) | 2025.3 U2 (25.3.3667.63) |
| 2025.3 U1 (2025.3.3667.62) | 2025.3 U2 (25.3.3667.63) |
| 2025.3 U2 (25.3.3667.63) | (already patched) |
Note: Versions prior to 1.1 are not supported anymore.
Raynet One Data Hub
There are four different product lines with separate patches:
- For users staying on 14.0 product line, Update 2 (version 14.0.5957.216) resolves the vulnerability.
- For users on product line 14.1, two patches are available, due to breaking changes introduced in Update 3.
  - Builds earlier than Update 3 should be updated with Hotfix 1 for 14.1 Update 2 (version 14.1.6310.219)
  - Newer versions (from Update 3 on) should be updated to Update 5 (version 14.1.6351.217)
- Product line 2025.3 should be updated to Update 1 (25.3.6846.218)
| Affected version (Upgrade from) | Patched version (Upgrade to) |
| 12.5.* | (not affected)* |
| 12.6.* | (not affected)* |
| 14.0 RTM (14.0.5886.125) | 14.0 U2 (14.0.5957.216) |
| 14.0 U1 (14.0.5956.140) | 14.0 U2 (14.0.5957.216) |
| 14.0 U2 (14.0.5957.216) | (already patched) |
| 14.1 RTM (14.1.6289.168) | 14.1 U2 H1 (14.1.6310.219) |
| 14.1 U1 (14.1.6298.172) | 14.1 U2 H1 (14.1.6310.219) |
| 14.1 U2 (14.1.6310.180) | 14.1 U2 H1 (14.1.6310.219) |
| 14.1 U2 H1 (14.1.6310.219) | (already patched) |
| 14.1 U3 (14.1.6331.192) | 14.1 U5 (14.1.6351.217) |
| 14.1 U4 (14.1.6351.198) | 14.1 U5 (14.1.6351.217) |
| 14.1 U5 (14.1.6351.217) | (already patched) |
| 2025.3 RTM (25.3.6846.213) | 2025.3 U1 (25.3.6846.218) |
| 2025.3 U1 (25.3.6846.218) | (already patched) |
Note: Versions prior to 14.0 are not supported anymore.
* According to the official vendor statement, the ASP.NET Core frameworks used by versions 12.5 and 12.6 are not affected by CVE-2025-55315.
Raynet One Technology Catalog
All versions of Raynet One Technology Catalog should be updated to the newest Hotfix 1 for 2025.3 Update 1 (version 25.3.3871.124)
| Affected version (Upgrade from) | Patched version (Upgrade to) |
| 12.5.* | (not affected)* |
| 12.6.* | (not affected)* |
| 14.0 RTM (14.0.3125.101) | 2025.3 U1 H1 (25.3.3871.124) |
| 14.0 U1 (14.0.3133.102) | 2025.3 U1 H1 (25.3.3871.124) |
| 14.1 RTM (14.1.3447.108) | 2025.3 U1 H1 (25.3.3871.124) |
| 14.1 U1 (14.1.3580.112) | 2025.3 U1 H1 (25.3.3871.124) |
| 2025.2 RTM (2025.2.3768.117) | 2025.3 U1 H1 (25.3.3871.124) |
| 2025.3 RTM (25.3.3861.120) | 2025.3 U1 H1 (25.3.3871.124) |
| 2025.3 U1 (25.3.3871.123) | 2025.3 U1 H1 (25.3.3871.124) |
| 2025.3 U1 H1 (25.3.3871.124) | (patched) |
Note: Versions prior to 14.0 are not supported anymore.
* According to the official vendor statement, the ASP.NET Core frameworks used by versions 12.5 and 12.6 are not affected by CVE-2025-55315.
Raynet One UEM
All versions of Raynet One UEM should be updated to the newest version 3.2 Update 2 (version 3.2.4222.794)
| Affected version (Upgrade from) | Patched version (Upgrade to) |
| 3.1 RTM (3.1.2965.738) | 3.2 U2 (3.2.4224.795) |
| 3.1 U1 (3.1.2974.741) | 3.2 U2 (3.2.4224.795) |
| 3.1 U2 (3.1.2976.742) | 3.2 U2 (3.2.4224.795) |
| 3.1 U3 (3.1.2984.743) | 3.2 U2 (3.2.4224.795) |
| 3.1 U4 (3.1.2987.745) | 3.2 U2 (3.2.4224.795) |
| 3.1 U5 (3.1.2991.746) | 3.2 U2 (3.2.4224.795) |
| 3.1 U6 (3.1.2995.748) | 3.2 U2 (3.2.4224.795) |
| 3.1 U7 (3.1.2999.752) | 3.2 U2 (3.2.4224.795) |
| 3.1 U8 (3.1.3005.758) | 3.2 U2 (3.2.4224.795) |
| 3.1 U9 (3.1.3007.759) | 3.2 U2 (3.2.4224.795) |
| 3.1 U10 (3.1.3012.762) | 3.2 U2 (3.2.4224.795) |
| 3.1 U11 (3.1.3018.767) | 3.2 U2 (3.2.4224.795) |
| 3.2 RTM (3.2.4027.781) | 3.2 U2 (3.2.4224.795) |
| 3.2 U1 (3.2.4220.788) | 3.2 U2 (3.2.4224.795) |
| 3.2 U2 (3.2.4224.795) | (patched) |
Note: Versions prior to 3.1 are not supported anymore.
Current Actions
- Remediation Planning
  For any confirmed instances, we will apply the patched runtime versions and issue corresponding product updates on Raynet-managed instances (Cloud, SaaS).
- Monitoring
  Our SOC continues to monitor for any signs of exploitation attempts or related anomalies.
- Coordination with Microsoft
  We are aligning our mitigation activities with Microsoft’s official guidance and release notes.
- Communication
  We will contact customers with their own hosting platforms and advise them on the mitigation strategy.
Contact
Product Security Response Team (PSRT)
cert@raynet.de
History of changes
- 16.10.2025
  Initial assessment and first version of this page.
- 17.10.2025
  Added information about affected products and their newest patches. Updated customer guidance. Based on preliminary information, versions 12.5 and 12.6 of Raynet One Data Hub and Raynet One Technology Catalog are not affected.