Skip to main content
CybersecurityVulnerability Management

Microsoft Fixes ASP.NET Core Bug That Enables Privilege Escalation

Close-up of laptop screen with code, keyboard in focus, against blurred server room background.

CVE-2026-40372 carries a CVSS score of 9.1 out of 10.0 and prompted an out-of-band update from Microsoft to close a path for privilege escalation in ASP.NET Core.

Microsoft's advisory: the core claim and immediate fix

Microsoft said in a Tuesday advisory that "Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network." The company added: "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges." The flaw is tracked as CVE-2026-40372, carries a CVSS score of 9.1, and is rated Important. An anonymous researcher is credited with the discovery.

Microsoft addressed the issue in ASP.NET Core version 10.0.7 and released out-of-band updates for affected installations.

Exact prerequisites that make an application vulnerable

  • The application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet — either directly or via a dependent package such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis.
  • The NuGet copy of the library was actually loaded at runtime.
  • The application runs on Linux, macOS, or another non-Windows operating system.

Microsoft emphasized all three conditions must be met for successful exploitation.

Technical root cause: an HMAC regression in DataProtection packages

Microsoft's release notes explain the regression: "A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages cause the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases." In those scenarios, attackers could forge payloads that nevertheless passed DataProtection's authenticity checks.

Because the HMAC was computed over incorrect input and discarded in some cases, previously protected material could be decrypted and forged material accepted as authentic by the application.

What an attacker could do to applications and tokens

Microsoft warned that an attacker exploiting the issue could "disclose files and modify data" and could obtain SYSTEM-level privileges on affected hosts. The advisory spells out the practical effects on web application artifacts: forged payloads could pass authenticity checks and attackers could decrypt previously-protected payloads in authentication cookies, antiforgery tokens, and other protected material.

Microsoft also noted a consequential follow-on: "If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves." Those legitimately-signed tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: Deploy the ASP.NET Core 10.0.7 update where the Microsoft.AspNetCore.DataProtection 10.0.6 NuGet package was used and actually loaded at runtime on non-Windows hosts. After patching, rotate the DataProtection key ring to invalidate any tokens an attacker could have caused to be issued during the vulnerable window.
  • Affected enterprises and procurement leaders: Audit application dependencies for Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6, including transitive dependencies such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis, and confirm runtime usage on Linux or macOS servers. Plan for incident review where legitimately-signed tokens might have been created by an attacker and consider key ring rotation as part of remediation.
  • End users and administrators of services: Be aware that account- and token-related flows (session refreshes, API keys, password reset links) could have been compromised if an attacker authenticated as a privileged user during the vulnerable period; service operators should treat suspicious token activity as high priority.

Bottom line

Microsoft pushed an out-of-band patch to fix a high-severity ASP.NET Core regression that allowed HMAC validation to be bypassed under specific conditions. The immediate technical remedy is upgrade to 10.0.7, but Microsoft’s advisory makes clear that remediation does not automatically revoke legitimately-signed tokens issued during the vulnerable window — key ring rotation is required to do that. The discovery, credited to an anonymous researcher, underscores how a package-level regression and a narrow runtime configuration can produce broadly impactful authentication failures.

Original story