Microsoft has issued an emergency patch for ASP.NET Core to fix a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM privileges on devices that use the web development framework to run Linux or macOS apps.
The software maker said Tuesday night that the vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of Microsoft.AspNetCore.DataProtection, a NuGet package that is part of the framework. The critical flaw stems from faulty verification of cryptographic signatures. It can be exploited to let unauthenticated attackers forge authentication payloads during HMAC validation, the process used to verify the integrity and authenticity of data exchanged between a client and a server.
Beware: Forged credentials survive patching
While users were running a vulnerable version of the package, they were exposed to an attack that could let unauthenticated parties gain SYSTEM privileges and fully compromise the underlying machine. Even after the vulnerability is patched, devices may remain compromised if authentication credentials created by a threat actor are not purged.
“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they could have caused the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves,” Microsoft said. “These tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”
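Rotating the key ring, as an added example that is not Microsoft's code and not part of the advisory: the program below points Microsoft.AspNetCore.DataProtection at an app's existing key repository, lists the keys, revokes every key created up to now (any of them could have protected a token the attacker obtained during the vulnerable window) and creates a fresh key that is active immediately. The key directory path and the 90-day lifetime of the new key are assumptions; the repository must be the one the app really uses, otherwise you rotate an unrelated ring.

```csharp
// Added example (not Microsoft's code): rotate an ASP.NET Core DataProtection
// key ring after upgrading Microsoft.AspNetCore.DataProtection to a fixed version.
// Assumes a file-system key repository at a hypothetical path and the
// Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages.
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

class RotateKeyRing
{
    static void Main(string[] args)
    {
        // Hypothetical default; pass the app's real key directory as the first argument.
        var keyDir = new DirectoryInfo(args.Length > 0 ? args[0] : "/var/lib/myapp/keys");

        var services = new ServiceCollection();
        services.AddDataProtection()
            .PersistKeysToFileSystem(keyDir);   // same repository the application reads
        using var provider = services.BuildServiceProvider();
        var keyManager = provider.GetRequiredService<IKeyManager>();

        // 1. Inventory the ring. Every key that existed while the vulnerable package
        //    was running could have protected an attacker-obtained token.
        foreach (var key in keyManager.GetAllKeys())
        {
            Console.WriteLine(
                $"key {key.KeyId} created {key.CreationDate:u} " +
                $"active {key.ActivationDate:u} expires {key.ExpirationDate:u} " +
                $"revoked={key.IsRevoked}");
        }

        // 2. Revoke all keys created before this moment. Unprotect() with a revoked key
        //    throws, so cookies, anti-forgery tokens, password-reset links and similar
        //    payloads protected by those keys stop validating, attacker-obtained ones
        //    and legitimate ones alike.
        var now = DateTimeOffset.UtcNow;
        keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372 key ring rotation");

        // 3. Create a replacement key that is active right away so the app keeps working.
        //    Its creation date is later than the revocation date, so it is not revoked.
        var fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
        Console.WriteLine($"new key {fresh.KeyId} active from {fresh.ActivationDate:u}");
    }
}
```

Run this once against the shared key repository, under the same account the application uses so file permissions stay intact, then restart every app instance: the key ring is cached in process, so a running instance will keep honouring the old keys until it refreshes. Do it only after confirming the fixed package is actually loaded (for example with `dotnet list package --include-transitive`, since DataProtection is often pulled in transitively); rotating while still vulnerable just hands the attacker a fresh key to forge against. Expect every legitimate session and anti-forgery token to be invalidated along with the forged ones, and remember that credentials stored outside the key ring, such as an API key persisted in a database, are not touched by this and need their own revocation.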
Microsoft describes ASP.NET Core as a “high-performance” web development framework for writing .NET apps that run on Windows, macOS, Linux, and Docker. The open-source package is “designed to allow runtime components, APIs, compilers, and languages [to] evolve quickly, while still providing a stable and supported platform to keep apps running.”