Emergency Patch Released for ASP.NET Core Flaw
Microsoft has issued an emergency update to fix a critical vulnerability in ASP.NET Core that lets unauthenticated attackers gain complete SYSTEM-level control over Linux and macOS machines. The flaw, designated CVE-2026-40372, carries a high severity rating and affects all users of the Microsoft.AspNetCore.DataProtection NuGet package from versions 10.0.0 through 10.0.6.

The vulnerability stems from a broken cryptographic signature verification process. Attackers can exploit this to forge authentication payloads during HMAC validation—a mechanism that normally ensures the integrity and authenticity of data exchanged between client and server. Once successful, they can execute arbitrary code with the highest privileges available on the underlying operating system.
Forged Credentials Survive After Patching
Even after applying the security patch, systems remain at risk unless administrators take additional action. The reason: any authentication credentials created by an attacker while the vulnerable package was in use will persist and remain valid. “It's not enough to just update the library—organizations must actively rotate their data protection keys and revoke any suspicious tokens,” warned Dr. Elena Vance, a cybersecurity researcher at RiskClear Labs. “Otherwise, the attacker's backdoor remains open.”
Microsoft confirmed in its advisory that the forged credentials can survive the patching process. The company recommends that all affected users immediately purge any existing authentication secrets after upgrading their ASP.NET Core packages.
Background
ASP.NET Core is a cross-platform web framework maintained by Microsoft. On Linux and macOS, it is commonly used for cloud-native applications and microservices. The Microsoft.AspNetCore.DataProtection package provides APIs for encrypting and signing data, including cookies and authentication tokens.
This is not the first time ASP.NET Core has faced a signature‑validation flaw. In 2024, a similar issue (CVE-2024-21315) allowed attackers to bypass authentication in specific configurations. However, CVE-2026-40372 is more severe because it does not require prior access or authentication to exploit, making it a truly unauthenticated remote code execution vector.
Scope of Impact
The vulnerability affects any server running ASP.NET Core on Linux or macOS, including containers and cloud instances. Enterprises that rely on the framework for internal or customer‑facing services should treat this as an emergency. The exploit does not require user interaction—an attacker can simply send a malicious payload over the network.

What This Means
For system administrators and DevOps teams, the immediate priority is threefold: upgrade the NuGet package to version 10.0.7 or later, rotate all data protection keys, and invalidate existing authentication tokens. Failure to perform the last two steps leaves the door open even after the patch is applied.
“The persistence of forged credentials is what makes this vulnerability especially dangerous,” said Jay Moskowitz, incident response lead at NordSec Solutions. “We're treating this like a supply‑chain compromise—updating the software is the first step, but we also have to assume that any HMAC‑protected token created during the vulnerable window could be attacker‑controlled.”
Long term, organizations should review their cryptographic key management practices and ensure that secret rotation is automated. For development teams, it's a reminder that open‑source dependencies—even from trusted vendors—must be continuously monitored for flaws in their cryptographic implementations.
Urgent Action Required
- Update immediately: Upgrade the Microsoft.AspNetCore.DataProtection package to version 10.0.7 or later.
- Rotate keys: Regenerate all data protection keys used during the vulnerable period.
- Revoke tokens: Invalidate any active authentication tokens that may have been created under the compromised package.
- Audit logs: Check system logs for signs of unauthorized access or privilege escalation that may have occurred before patching.
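The rotate-keys and revoke-tokens steps above, carried out through the package's own IKeyManager API, as an added C# example that is not Microsoft's code or part of the advisory; the key ring directory, application name, protector purpose string and sample token payload are constructed placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Assumption: the service persists its key ring here. Point this at the
// real key ring location (file share, blob, Redis, ...) of the affected app.
const string KeyRingPath = "/var/lib/myapp/keys";

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("myapp")   // placeholder; must match the app's own name
    .PersistKeysToFileSystem(new DirectoryInfo(KeyRingPath));
using var provider = services.BuildServiceProvider();

var keyManager = provider.GetRequiredService<IKeyManager>();
var protector  = provider.GetRequiredService<IDataProtectionProvider>()
                         .CreateProtector("Demo.AuthToken"); // constructed purpose

// Stand-in for any token minted while the vulnerable package was installed.
string oldToken = protector.Protect("user=alice;role=admin"); // constructed payload

// Step 1: revoke every key that existed during the vulnerable window.
// Payloads protected under a revoked key can no longer be unprotected.
keyManager.RevokeAllKeys(
    revocationDate: DateTimeOffset.UtcNow,
    reason: "CVE-2026-40372 remediation: keys in use during vulnerable window");

// Step 2: mint a fresh key, active immediately, so the service keeps running.
IKey newKey = keyManager.CreateNewKey(
    activationDate: DateTimeOffset.UtcNow,
    expirationDate: DateTimeOffset.UtcNow.AddDays(90));
Console.WriteLine($"New key {newKey.KeyId} active; {CountRevoked()} key(s) revoked.");

// Step 3: verify that a pre-remediation token is now rejected.
try
{
    protector.Unprotect(oldToken);
    Console.WriteLine("WARNING: old token still accepted; revocation did not apply.");
}
catch (CryptographicException)
{
    Console.WriteLine("Old token rejected: revoked keys are no longer honored.");
}

int CountRevoked()
{
    int n = 0;
    foreach (IKey k in keyManager.GetAllKeys()) if (k.IsRevoked) n++;
    return n;
}
```

Run this once against the shared key ring after upgrading to the patched package; other processes that share the ring only reload it on their regular refresh cycle (24 hours by default), so restart them if the revocation must take effect immediately.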
The full advisory, including a list of affected components and mitigation steps, is available on Microsoft's security update guide. Given the severity and ease of exploitation, proactive measures should be taken without delay.