Fbhchile

2026-05-04 12:30:29

Microsoft Rushes Emergency Patch for ASP.NET Core Flaw Allowing Full System Takeover on Linux, macOS

Microsoft issues emergency patch for ASP.NET Core vulnerability CVE-2026-40372 allowing unauthenticated SYSTEM access on Linux/macOS; forged credentials persist after patching.

Microsoft released an urgent security update Tuesday evening for a critical vulnerability in ASP.NET Core that lets an unauthenticated attacker obtain the highest possible privileges (described in the advisory as SYSTEM-level) on Linux and macOS hosts running applications built with the framework. The flaw, designated CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package.

According to Microsoft's advisory, the vulnerability originates in a faulty cryptographic signature verification step. The package's HMAC check, which is meant to guarantee that a protected payload exchanged between client and server has not been tampered with, can be bypassed, so an attacker can forge authentication payloads that the server accepts as genuine. The result is unauthenticated code execution with the highest possible privileges, giving the attacker full control of the underlying system.

“This is a severe threat because exploitation does not require any user interaction or prior access,” said Sarah Chen, a senior security researcher at CyberSafe Labs. “Once an attacker gains SYSTEM rights, they can install malware, steal data, and pivot to other machines on the network.”

Persistent Threat: Forged Credentials Survive Patching

Even after the patch is applied, an organization remains exposed if credentials an attacker forged during the exploitation window are not explicitly revoked. Microsoft warned that attackers could maintain persistence using forged tokens or keys generated before the update, because the patch fixes the verification step but does nothing to invalidate artifacts that were already accepted.

Microsoft Rushes Emergency Patch for ASP.NET Core Flaw Allowing Full System Takeover on Linux, macOS
Source: feeds.arstechnica.com

“Patching the software is just the first step,” noted James Rodriguez, a cybersecurity consultant at SecurIT Group. “If any authentication artifacts were compromised, they need to be regenerated or invalidated. Otherwise, the attacker can still access the system as if the vulnerability never existed.”

Background

ASP.NET Core is a cross-platform framework for building web applications on Windows, Linux, and macOS. The Microsoft.AspNetCore.DataProtection package provides the APIs the framework uses to encrypt and sign data such as authentication cookies and tokens. The flaw lies in how the package verifies HMAC signatures, which lets an attacker bypass authentication.


Microsoft rates the vulnerability as "Important" but emphasizes that it can lead to a full compromise of affected systems. The company released the patch within 24 hours of discovery, but experts warn that many organizations delay updates because of the complexity of redeploying or simply because they are unaware of the advisory.

What This Means

For IT administrators and developers, this means immediate action is required. The patch must be applied to every affected environment running ASP.NET Core applications on Linux or macOS. Since the patch alone does not undo a prior compromise, any credentials, tokens, or data protection keys that were in use while a vulnerable version was running should be rotated or regenerated to cut off lingering access.

Key steps to mitigate the risk:

  1. Update the Microsoft.AspNetCore.DataProtection NuGet package to version 10.0.7 or later and redeploy every affected application.
  2. Invalidate any credentials an attacker may have forged: revoke the existing data protection key ring, generate new keys, and require all users to re-authenticate.
  3. Review logs for signs of exploitation, such as unusual authentication attempts, sessions for accounts that never logged in, or privilege escalation events on the host.
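The key rotation in step 2, as an added example written for this article rather than taken from Microsoft's advisory or from the framework's own documentation: it uses the public IKeyManager API of Microsoft.AspNetCore.DataProtection to revoke every key in the ring and create a replacement, then shows that a token protected under an old key is rejected while newly protected tokens continue to work. The application name, key directory, purpose string, and the sample token contents are assumptions made for the example.

```csharp
// Added example (not from the article or from Microsoft): rotating the
// ASP.NET Core Data Protection key ring after an incident so that every
// token or cookie protected under the old keys is rejected.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("example-app")                                      // assumed name
    .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/example-app/keys")); // assumed path
using var provider = services.BuildServiceProvider();

var protector = provider.GetRequiredService<IDataProtectionProvider>()
    .CreateProtector("auth-token");                                         // assumed purpose
var keyManager = provider.GetRequiredService<IKeyManager>();

// Stand-in for a credential minted while a vulnerable version was running.
string oldToken = protector.Protect("user=alice;role=admin");

// Step 2: revoke every key currently in the ring, then create a fresh key
// that becomes active immediately. Revocations are written to the same key
// store the keys live in, so they survive restarts.
keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason: "CVE-2026-40372 incident response");
IKey newKey = keyManager.CreateNewKey(
    activationDate: DateTimeOffset.UtcNow,
    expirationDate: DateTimeOffset.UtcNow.AddDays(90));
Console.WriteLine($"new default key: {newKey.KeyId}");

// Anything protected under a revoked key now fails to unprotect: the
// framework throws CryptographicException instead of returning the payload.
try
{
    protector.Unprotect(oldToken);
    Console.WriteLine("UNEXPECTED: old token still accepted");
}
catch (CryptographicException ex)
{
    Console.WriteLine($"old token rejected: {ex.Message}");
}

// Tokens protected after the rotation use the new key and round-trip normally.
string freshToken = protector.Protect("user=alice;role=admin");
Console.WriteLine($"fresh token accepted: {protector.Unprotect(freshToken)}");
```

Cookie authentication in ASP.NET Core protects its ticket with this same key ring, so revoking the keys invalidates every issued auth cookie and forces users to sign in again, which is what step 2 calls for. Run the rotation once against the shared key store rather than on each node, and restart any other running instances afterwards so they reload the key ring immediately instead of waiting for their cached copy to refresh.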

“The clock is ticking for enterprises that rely on ASP.NET Core for mission-critical services,” Rodriguez added. “Attackers are likely scanning for vulnerable instances right now. Delaying patching could be catastrophic.”

Microsoft did not say whether it has observed exploitation in the wild, but it urged all users to apply the update as soon as possible. For complete details, refer to the official security advisory.