Microsoft has issued an emergency patch for ASP.NET Core to fix a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM privileges on devices that use the web development framework to run Linux or macOS apps.
The software maker said Tuesday night that the vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of Microsoft.AspNetCore.DataProtection, a NuGet package that is part of the framework. The critical flaw stems from faulty verification of cryptographic signatures. It can be exploited to allow unauthenticated attackers to forge authentication payloads via the HMAC validation process, which is used to verify the integrity and authenticity of data exchanged between a client and a server.
Beware: Forged credentials survive patching
During the time users ran a vulnerable version of the package, they were open to an attack that could allow unauthenticated people to gain sensitive SYSTEM privileges and fully compromise the underlying machine. Even after the vulnerability is patched, devices can still be compromised if authentication credentials created by a threat actor aren't purged.
“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they could have caused the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves,” Microsoft said. “These tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”
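Upgrading the package alone does not help here, because every key that existed during the vulnerable window still unprotects whatever an attacker had the app sign. The snippet below is an added example, not Microsoft's code or guidance from the advisory, of what "rotating the key ring" looks like with the public IKeyManager API: it revokes all keys created before the patch was deployed, then provisions a fresh key. The application name, the file-system key store path and the 90-day lifetime are assumptions; they must match whatever the affected app configures in its own AddDataProtection() call, or the tool will operate on a different key ring.

```csharp
// Added example (not Microsoft's code). Run once, after the app is on 10.0.7,
// against the same key store the app uses. Assumed settings are marked below.
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("my-app")                               // assumption: the app's own name
    .PersistKeysToFileSystem(new DirectoryInfo("/var/app/keys")); // assumption: the app's key store
using var provider = services.BuildServiceProvider();
var keyManager = provider.GetRequiredService<IKeyManager>();

// Everything protected with a key that existed while the vulnerable package was
// running is suspect, so cut off at the moment the patched build went live.
var patchedAt = DateTimeOffset.UtcNow;

int revoked = 0;
foreach (var key in keyManager.GetAllKeys())
{
    if (!key.IsRevoked && key.CreationDate < patchedAt)
        revoked++;
}

// Revoke all keys created before the cutoff. Payloads protected with them now
// fail to unprotect, which is what invalidates attacker-issued tokens.
keyManager.RevokeAllKeys(patchedAt, reason: "CVE-2026-40372 key ring rotation");

// Provision a replacement key that is active immediately (90-day lifetime is an assumption).
var newKey = keyManager.CreateNewKey(activationDate: patchedAt,
                                     expirationDate: patchedAt.AddDays(90));

Console.WriteLine($"Revoked {revoked} key(s) created before {patchedAt:O}");
Console.WriteLine($"New key {newKey.KeyId} active {newKey.ActivationDate:O}, expires {newKey.ExpirationDate:O}");
```

Two caveats a practitioner should expect: revocation invalidates every legitimate session and token protected with the old keys too, so users will be signed out and outstanding password-reset links stop working, and any code path that calls IPersistedDataProtector.DangerousUnprotect with ignoreRevocationErrors set will still accept the old payloads and should be audited as part of the cleanup. Running instances pick up the change when their key-ring cache refreshes; restarting them makes it immediate.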
Microsoft describes ASP.NET Core as a “high-performance” web development framework for writing .NET apps that run on Windows, macOS, Linux, and Docker. The open-source package is “designed to allow runtime components, APIs, compilers, and languages [to] evolve quickly, while still providing a stable and supported platform to keep apps running.”