
Microsoft Issues Emergency Patch for Critical ASP.NET Core Privilege Escalation Vulnerability CVE-2026-40372

Key Findings


  • Microsoft released out-of-band patches for CVE-2026-40372, a critical ASP.NET Core privilege escalation vulnerability with a CVSS score of 9.1

  • Successful exploitation allows attackers to gain SYSTEM-level privileges and access sensitive files

  • The flaw stems from improper cryptographic signature verification in the DataProtection library versions 10.0.0-10.0.6

  • Exploitation requires three specific conditions: vulnerable NuGet package in use, runtime loading of the package, and application running on non-Windows operating systems

  • Microsoft addressed the vulnerability in ASP.NET Core version 10.0.7

  • An anonymous researcher discovered and reported the flaw


Background


Microsoft identified a regression in its Microsoft.AspNetCore.DataProtection NuGet packages that introduced a serious security gap. The vulnerability allows attackers to escalate privileges over a network by bypassing authentication mechanisms that are fundamental to web application security. The tech giant released updates on an expedited timeline to minimize exposure and reduce the risk window for affected deployments.


Vulnerability Details


The core issue involves improper verification of cryptographic signatures in ASP.NET Core. A bug in the managed authenticated encryptor causes it to compute HMAC validation tags over incorrect bytes of the payload and sometimes discard the computed hash entirely. This regression specifically affects versions 10.0.0 through 10.0.6 of the DataProtection library.


Because the HMAC validation is compromised, attackers can forge payloads that pass DataProtection's authenticity checks. They can also decrypt previously protected payloads stored in authentication cookies and antiforgery tokens, effectively bypassing the security controls designed to prevent unauthorized access.


Exploitation Conditions


Three prerequisites must be met for successful exploitation. First, the vulnerable application must use Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet, either directly or through dependent packages like Microsoft.AspNetCore.DataProtection.StackExchangeRedis. Second, the NuGet copy of the library must actually be loaded at runtime. Third, the application must run on a non-Windows operating system such as Linux or macOS.


These conditions explain why not all ASP.NET Core deployments are equally at risk; organizations running cloud-hosted applications on Linux servers should prioritize immediate patching.


Attack Scenarios


If an attacker successfully exploited the vulnerability during the vulnerable window, they could forge authentication payloads to impersonate privileged users. Microsoft notes that attackers could induce vulnerable applications to issue legitimately signed tokens to themselves, including session refresh tokens, API keys, and password reset links.


The danger extends beyond the patching window. Tokens obtained during exploitation remain valid after upgrading to version 10.0.7 unless the DataProtection key ring is manually rotated. This means organizations need to consider whether key rotation is necessary based on their security posture and potential exposure.


Impact Assessment


While the vulnerability is rated as Important rather than Critical, the potential for SYSTEM-level privilege escalation makes it a serious concern. Attackers can disclose sensitive files and modify data, though they cannot impact system availability. Microsoft currently assesses exploitation in active attacks as less likely, suggesting the vulnerability has not yet been weaponized at scale.


Remediation


Organizations should update to ASP.NET Core version 10.0.7 immediately. Beyond patching, administrators should evaluate whether to rotate the DataProtection key ring, particularly if the application may have been exposed during the vulnerable period. This additional step ensures that any tokens obtained through exploitation become invalid post-upgrade.
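A defender-side check for the first exploitation condition (the vulnerable package being referenced, directly or through a dependent package) and the remediation target, written in Python as an added example that is not code from Microsoft or the article: it scans an SDK-style .csproj and a packages.lock.json for the DataProtection package family in the affected range, 10.0.0 up to but not including the fixed 10.0.7. The sample inputs are constructed; the runtime-loading and non-Windows conditions still have to be confirmed on the deployment host.

```python
import json
import re
import xml.etree.ElementTree as ET

# Package family named in the advisory; dependent packages such as
# Microsoft.AspNetCore.DataProtection.StackExchangeRedis share this prefix.
AFFECTED_PREFIX = "Microsoft.AspNetCore.DataProtection"
FIRST_AFFECTED, FIXED = (10, 0, 0), (10, 0, 7)

def parse_version(text):
    """'10.0.6' -> (10, 0, 6); any prerelease suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    v = parse_version(version)
    return v is not None and FIRST_AFFECTED <= v < FIXED

def findings_from_csproj(xml_text):
    """Affected direct PackageReference entries in an SDK-style project file."""
    out = []
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        name = ref.get("Include", "")
        version = ref.get("Version") or ref.findtext("Version", "")
        if name.startswith(AFFECTED_PREFIX) and is_affected(version):
            out.append((name, version))
    return out

def findings_from_lock(lock_text):
    """packages.lock.json also lists transitive packages with resolved versions,
    which catches DataProtection pulled in only through a dependent package."""
    out = []
    for deps in json.loads(lock_text).get("dependencies", {}).values():
        for name, info in deps.items():
            if name.startswith(AFFECTED_PREFIX) and is_affected(info.get("resolved")):
                out.append((name, info["resolved"]))
    return sorted(out)

# Constructed sample inputs (not taken from a real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.DataProtection.StackExchangeRedis" Version="10.0.6" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net10.0": {
    "Microsoft.AspNetCore.DataProtection.StackExchangeRedis":
        {"type": "Direct", "requested": "[10.0.6, )", "resolved": "10.0.6"},
    "Microsoft.AspNetCore.DataProtection": {"type": "Transitive", "resolved": "10.0.6"},
    "Newtonsoft.Json": {"type": "Transitive", "resolved": "13.0.3"}}}})

if __name__ == "__main__":
    for hit in findings_from_csproj(SAMPLE_CSPROJ) + findings_from_lock(SAMPLE_LOCK):
        print("update to 10.0.7:", *hit)
```

Run it over the real project and lock files in a repository; a hit on a dependent package in the lock file is the case the advisory singles out, where the direct reference alone would not reveal the exposure.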


Sources


  • https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html

  • https://securityaffairs.com/191130/security/microsoft-out-of-band-updates-fixed-critical-asp-net-core-privilege-escalation-flaw.html

© 2025 by Explain IT Again. Powered and secured by Wix