CVE CyberSecurity Database News

CVE-2023-28299 - Visual Studio Spoofing Vulnerability Explained with Exploit Details

Poster -

Visual Studio is a favorite tool for developers everywhere. So, when security researchers found CVE-2023-28299, a spoofing vulnerability in Visual Studio, it sent ripples through the programming world. If you’re a developer, team lead, or just a curious techie, you should absolutely understand what this vulnerability means, how attackers could exploit it, and—of course—how to keep yourself safe.

What Is CVE-2023-28299?

CVE-2023-28299 is a spoofing vulnerability found in Microsoft Visual Studio. In basic terms, “spoofing” is tricking someone or something into thinking information is coming from a trusted source, when it’s actually from a malicious one. In this case, the vulnerability allows an attacker to use specially crafted Visual Studio project files to make malicious code look like it’s coming from a trustworthy project, tricking users into trusting or even running dangerous content.

Official Microsoft advisory:  
➡️ Microsoft Security Update Guide – CVE-2023-28299

Visual Studio 2022 (various versions)

If you use *almost any recent version* of Visual Studio and haven’t updated since mid-2023, you are likely vulnerable.

Crafting a Malicious Project

- The attacker creates a Visual Studio project file (e.g., .csproj, .vbproj) with *manipulated* configurations.

Disguised as Trusted Content

- The project file is disguised to appear as a normal, trustworthy solution—often distributed via email, open-source repositories (like GitHub), or even internal collaboration tools.

Spoofing Project Source

- When the victim opens this project with Visual Studio, the interface and metadata display trusted names, fake authors, or misleading descriptions.

Triggering the Attack

- If Visual Studio’s security features (like Safe Loading) aren’t enabled or are bypassed, malicious code can run in the context of Visual Studio itself—possibly running commands, dropping files, or stealing data.

Example Exploit: A Malicious .csproj File

Here’s a stripped-down code snippet that shows how a Visual Studio project file could be weaponized:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.</TargetFramework>
    <Author>TrustedDevTeam</Author> <!-- Fake trusted author -->
  </PropertyGroup>

  <!-- Malicious target executes during project build -->
  <Target Name="MaliciousAction" AfterTargets="Build">
    <Exec Command="powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command &quot;Start-Process cmd.exe -ArgumentList '/c calc.exe'&quot;" />
  </Target>
</Project>

What’s happening here?

The fake "Author" tag is set to appear trustworthy.

- The project contains a Target that quietly runs calc.exe (the calculator) on build—but an attacker could run *any* command here.

Place backdoors in code to be triggered in shared development environments.

- Bypass existing trust settings, depending on how Visual Studio’s safe load features are configured.

Microsoft patched this rapidly—update your Visual Studio now:

https://visualstudio.microsoft.com/downloads/

Be Cautious with Untrusted Project Files

Don’t open or build project/solution files from unfamiliar sources, even if they *look* familiar or trustworthy.

References and Further Reading

- Microsoft Security Update Guide - CVE-2023-28299
- Microsoft Visual Studio Release Notes
- NIST NVD - CVE-2023-28299 Summary
- Security Research Example: Project File Backdoors (Medium Post) *(Related concept, not specific to CVE-2023-28299)*

Conclusion

CVE-2023-28299 is a real-world proof that even the most trusted developer tools are not immune to clever attacks. As a developer, always keep your tools updated, be careful with files from unfamiliar sources, and understand how even "data" files like project configs can be weaponized.

Timeline

Published on: 04/11/2023 21:15:00 UTC
Last modified on: 04/19/2023 20:30:00 UTC