Microsoft has released an out-of-band update to fix an ASP.NET Core vulnerability that could allow attackers to take full control of affected systems.
The flaw enables unauthenticated privilege escalation, increasing risk for enterprises running .NET workloads.
“Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network,” said Microsoft in its advisory.
Inside CVE-2026-40372
The vulnerability, CVE-2026-40372, impacts ASP.NET Core applications that rely on the Data Protection API, a foundational component responsible for securing authentication cookies, antiforgery tokens, and other sensitive application data.
Because this mechanism is central to establishing trust between users and web applications, any weakness in its validation logic can have widespread consequences.
If exploited, attackers could impersonate legitimate users, escalate privileges to SYSTEM level, and gain unauthorized access to sensitive resources across affected environments.
Microsoft confirmed the issue affects Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6, meaning organizations may have unknowingly introduced the vulnerability during this month’s Patch Tuesday updates.
How the Vulnerability Works
The flaw stems from a regression in the cryptographic validation process.
The managed authenticated encryptor incorrectly computes its HMAC validation tag over the wrong portion of the payload and, in some cases, fails to validate it altogether.
This breaks the integrity guarantees that the Data Protection system is designed to enforce, effectively allowing tampered or forged data to be treated as legitimate by the application.
Potential Exploitation Scenarios
As a result, attackers can craft malicious payloads that bypass authenticity checks and are accepted as valid.
This enables a range of attack scenarios, including forging authentication cookies, manipulating antiforgery tokens, and decrypting previously protected data.
Attackers could also trick applications into issuing valid signed tokens — such as session tokens, API keys, or password reset links — that may remain usable after patching unless keys are rotated and tokens invalidated.
Microsoft has released an out-of-band patch to address the issue and, at the time of publication, has not reported evidence of active exploitation in the wild.
How to Reduce ASP.NET Core Risk
Because the flaw affects authentication and token validation processes, organizations should take a comprehensive approach to remediation.
Beyond applying updates, teams should invalidate potentially affected tokens, strengthen authentication controls, and monitor for unusual activity.
- Apply the latest patch and test before deploying to production environments.
- Rotate cryptographic keys and reissue sensitive credentials, including API keys and tokens, to eliminate any potentially compromised artifacts.
- Invalidate existing sessions and enforce reauthentication while shortening token lifetimes to reduce exposure windows.
- Strengthen authentication controls by enforcing phishing-resistant MFA, step-up authentication for sensitive actions, and validating user context such as device or location.
- Monitor and hunt for suspicious activity by analyzing authentication logs, token usage anomalies, and signs of unauthorized privilege escalation.
- Implement defense-in-depth measures such as least privilege access, network segmentation, application-level validation, and WAF protections.
- Test incident response plans and use attack simulation tools with privilege escalation scenarios.
Collectively, these measures help organizations reduce exposure to potential exploitation while strengthening overall resilience against future authentication and privilege escalation threats.
Impact of Core Framework Vulnerabilities
This vulnerability underscores how small changes in cryptographic implementations can introduce meaningful security gaps, particularly when they affect core validation logic.
As organizations continue to rely on frameworks like ASP.NET Core for authentication and data protection, issues in these underlying components can impact multiple applications and services at once, increasing the overall risk surface.
This type of risk reinforces the value of zero trust approaches, where continuous verification and strict access controls help limit the impact of weaknesses in underlying systems.