All Products
Document Center

[Vulnerability notice] Padding oracle vulnerability in ASP.NET

Last Updated: May 07, 2018


A publicly disclosed vulnerability in ASP.NET can allow information disclosure. The vulnerability results from improper error handling during the encryption padding validation.

An attacker may exploit this vulnerability to read server-encrypted data, such as the view state. This vulnerability can also be used for data manipulation to decrypt and tamper with server-encrypted data.

Note: Although an attacker cannot exploit this vulnerability to run code or directly elevate their user permissions, the vulnerability can be expolited to generate information that can further compromise the security of the impacted system.

Affected versions

For more information about the affected versions, see the Microsoft official security bulletin MS10-070.


Upgrade Microsoft .NET Framework to the latest version through Windows Update.