Key Findings Microsoft released out-of-band patches for CVE-2026-40372, a critical ASP.NET Core privilege escalation vulnerability with a CVSS score of 9.1 Successful exploitation allows attackers to gain SYSTEM-level privileges and access sensitive files The flaw stems from improper cryptographic signature verification in the DataProtection library versions 10.0.0-10.0.6 Exploitation requires three specific conditions: vulnerable NuGet package in use, runtime loading of the
