Microsoft Issues Emergency Patch For ASP.NET Core CVE-2026-40372 Privilege Escalation Vulnerability


Microsoft has issued out-of-band security updates to address a critical vulnerability in ASP.NET Core that could allow attackers to escalate privileges under specific conditions. The flaw, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10 and has been classified as Important in severity. An anonymous security researcher has been credited with identifying and reporting the issue, which affects cryptographic verification within the ASP.NET Core DataProtection system.

According to Microsoft, the vulnerability stems from improper verification of cryptographic signatures in ASP.NET Core, allowing an unauthorized attacker to elevate privileges over a network. If successfully exploited, the flaw could grant SYSTEM-level privileges, giving attackers full control over affected systems. Microsoft also noted that exploitation could enable data disclosure and modification, depending on how the application is deployed. However, successful exploitation requires a specific set of conditions, limiting its exposure to certain environments rather than all ASP.NET Core deployments.

Microsoft outlined three prerequisites that must be met for the vulnerability to be exploitable. First, the application must use Microsoft.AspNetCore.DataProtection version 10.0.6 from NuGet, either directly or through a dependent package such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis. Second, the NuGet version of the library must be actively loaded at runtime, meaning the vulnerable component must be in use during execution. Third, the application must be running on Linux, macOS, or another non-Windows operating system. These conditions collectively narrow the attack surface but still leave enterprise environments exposed, particularly cloud-native deployments and cross-platform services relying on ASP.NET Core for authentication and data handling.

The vulnerability has been resolved in ASP.NET Core version 10.0.7, which addresses the underlying cryptographic issue. Microsoft explained that a regression introduced in Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 caused the managed authenticated encryptor to compute its HMAC validation tag over incorrect portions of the payload. In some cases, the computed hash was then discarded, resulting in inconsistent verification behavior. This flaw could allow attackers to forge payloads that bypass DataProtection authenticity checks, as well as decrypt previously protected data such as authentication cookies, antiforgery tokens, and other sensitive session-related information.
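As an added example that is not part of the article or Microsoft's advisory: a POSIX shell check of the first and third prerequisites above, run against a project's `project.assets.json` (the resolved-package graph written by `dotnet restore`, which lists transitive references such as the StackExchangeRedis package as well as direct ones), flagging any resolved DataProtection version in the 10.0.0 through 10.0.6 range named by the advisory. The second prerequisite, that the NuGet copy is actually loaded at runtime, cannot be read from this file and must be confirmed in the running process. The JSON excerpt is constructed sample input, and the file path and OS argument are assumptions of this example.

```shell
#!/bin/sh
# Constructed excerpt of a project.assets.json "libraries" section (sample input, not a real project).
SAMPLE_ASSETS='{
  "libraries": {
    "Microsoft.AspNetCore.DataProtection/10.0.6": { "type": "package" },
    "Microsoft.AspNetCore.DataProtection.StackExchangeRedis/10.0.6": { "type": "package" },
    "StackExchange.Redis/2.8.16": { "type": "package" }
  }
}'

# Print every resolved Microsoft.AspNetCore.DataProtection version that falls in the
# affected range 10.0.0-10.0.6. Exit status 0 if at least one was found, 1 otherwise.
# The "/" right after the package name keeps the StackExchangeRedis entry from matching.
dp_affected_versions() {
  grep -o '"Microsoft\.AspNetCore\.DataProtection/[^"]*"' "$1" \
    | tr -d '"' | cut -d/ -f2 \
    | grep -E '^10\.0\.[0-6]$'
}

# Exit 0 (exposed) only when an affected version is resolved AND the host is non-Windows,
# mirroring the advisory's platform condition. OS name defaults to uname -s; pass one explicitly
# when assessing an artifact built for another platform.
dp_exposed() {
  assets="$1"
  os="${2:-$(uname -s)}"
  case "$os" in
    Windows*|MINGW*|MSYS*|CYGWIN*) return 1 ;;
  esac
  dp_affected_versions "$assets" >/dev/null
}

# Stand-alone run against the constructed sample.
tmp_assets=$(mktemp)
printf '%s\n' "$SAMPLE_ASSETS" > "$tmp_assets"
if dp_exposed "$tmp_assets" Linux; then
  echo "AFFECTED: DataProtection $(dp_affected_versions "$tmp_assets" | head -n1) resolved on a non-Windows host"
else
  echo "not affected by the static prerequisites"
fi
rm -f "$tmp_assets"
```

For a quick manual look without the script, `dotnet list package --include-transitive` shows the same resolved versions.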

Security researchers highlighted that this behavior could be particularly dangerous in authentication workflows. In scenarios where forged payloads were accepted, an attacker could impersonate privileged users and trigger systems to issue legitimately signed tokens such as session refresh tokens, API keys, or password reset links. Microsoft warned that any such tokens generated during the vulnerable period would remain valid even after upgrading to version 10.0.7 unless the DataProtection key ring is rotated. This introduces an additional remediation step for affected organizations, as patching alone does not fully invalidate previously issued authentication artifacts.

The issue primarily impacts environments using ASP.NET Core DataProtection across non-Windows systems, especially where Redis-based implementations or distributed authentication mechanisms are in place. The dependency on NuGet package behavior and runtime loading conditions adds complexity to detection and mitigation efforts. Microsoft’s advisory emphasizes that organizations should not only apply the security update but also review their deployment configurations to ensure vulnerable package versions are not retained in production or staging environments.

Security teams are also advised to audit authentication flows, session handling systems, and token issuance mechanisms to determine whether any forged or compromised payloads may have been used during the exposure window. Rotation of cryptographic key material is recommended as part of post-patch remediation to ensure that any potentially compromised session artifacts are invalidated. The advisory underscores the importance of monitoring cryptographic implementation regressions in widely used frameworks, particularly those handling authentication and authorization at scale across distributed applications.
