Microsoft launched an emergency patch for its ASP.NET Core to repair a high-severity vulnerability that enables unauthenticated attackers to realize SYSTEM privileges on gadgets that use the Internet improvement framework to run Linux or macOS apps.
The software program maker mentioned Tuesday night that the vulnerability, tracked as CVE-2026-40372, impacts variations 10.0.0 by means of 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet, a package deal that’s a part of the framework. The important flaw stems from a defective verification of cryptographic signatures. It may be exploited to permit unauthenticated attackers to forge authentication payloads throughout the HMAC validation course of, which is used to confirm the integrity and authenticity of information exchanged between a shopper and a server.
Beware: Solid credentials survive patching
Through the time customers ran a susceptible model of the package deal, they had been left open to an assault that may enable unauthenticated folks to realize delicate SYSTEM privileges that may enable full compromise of the underlying machine. Even after the vulnerability is patched, gadgets should be compromised if authentication credentials created by a risk actor aren’t purged.
“If an attacker used solid payloads to authenticate as a privileged person throughout the susceptible window, they could have induced the appliance to challenge legitimately-signed tokens (session refresh, API key, password reset hyperlink, and many others.) to themselves,” Microsoft mentioned. “These tokens stay legitimate after upgrading to 10.0.7 except the DataProtection key ring is rotated.”
Microsoft describes ASP.NET Core as a “high-performance” internet improvement framework for writing .Web apps that run on Home windows, macOS, Linux, and Docker. The open-source package deal is “designed to permit runtime parts, APIs, compilers, and languages [to] evolve shortly, whereas nonetheless offering a secure and supported platform to maintain apps working.”
