CVE-2023-32571

CRITICAL LAB

System.Linq.Dynamic.Core 1.0.7.10-1.2.25 - Remote Code Execution via Untrusted Input Parsing

Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-32571. PoCs published by Tris0n, SecTex, vert16x.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2023-32571, demonstrating a Dynamic LINQ injection vulnerability that leads to remote code execution (RCE) by invoking C# methods through reflection. The exploit leverages the `System.Diagnostics.Process.Start` method to execute arbitrary commands on the target system.

Description

Dynamic Linq 1.0.7.10 through 1.2.25 before 1.3.0 allows attackers to execute arbitrary code and commands when untrusted input to methods including Where, Select, OrderBy is parsed.

Exploits (3)

nomisec WORKING POC 8 stars
by Tris0n · poc
https://github.com/Tris0n/CVE-2023-32571-POC

This repository contains a proof-of-concept exploit for CVE-2023-32571, demonstrating a Dynamic LINQ injection vulnerability that leads to remote code execution (RCE) by invoking C# methods through reflection. The exploit leverages the `System.Diagnostics.Process.Start` method to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Applications using System.Linq.Dynamic.Core
No auth needed
Prerequisites: Target application must be using System.Linq.Dynamic.Core with user-controlled input in LINQ queries
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by SecTex · poc
https://github.com/SecTex/CVE-2023-32571

This repository contains a functional proof-of-concept exploit for CVE-2023-32571, leveraging a vulnerability in System.Linq.Dynamic.Core to achieve remote code execution via dynamic LINQ expression parsing. The exploit supports two modes: AssemblyLoad (for loading arbitrary .NET assemblies) and ProcessStart (for executing system commands).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: System.Linq.Dynamic.Core (1.0.7.10 to 1.2.25)
No auth needed
Prerequisites: Target application using vulnerable System.Linq.Dynamic.Core · .NET 9.0 SDK or later
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by vert16x · poc
https://github.com/vert16x/CVE-2023-32571-POC

This repository contains a proof-of-concept exploit for CVE-2023-32571, demonstrating a Dynamic LINQ injection vulnerability that leads to remote code execution (RCE) by invoking C# methods through reflection. The exploit leverages the `System.Diagnostics.Process.Start` method to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Applications using Dynamic LINQ (System.Linq.Dynamic.Core)
No auth needed
Prerequisites: Target application must use Dynamic LINQ with user-controlled input in query expressions
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.7691
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Lab Environment

Community Lab
docker pull mcr.microsoft.com/dotnet/sdk:7.0
docker pull mcr.microsoft.com/dotnet/aspnet:7.0

Details

CWE CWE-697
Status published
Products (2)
dynamic-linq/linq 1.0.7.10 - 1.2.25
nuget/System.Linq.Dynamic.Core 1.0.7.10 - 1.3.0 (NuGet)
Published Jun 22, 2023
Tracked Since Feb 18, 2026