
Microsoft released an emergency patch for its ASP.NET Core framework to fix a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM privileges on devices that use the web development framework to run Linux or macOS apps.

The vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, a part of the framework.

The critical flaw stems from a faulty verification of cryptographic signatures and can be exploited to allow unauthenticated attackers to forge authentication payloads during the HMAC validation process.

This allows an attacker to gain SYSTEM privileges, enabling full compromise of the underlying machine. Even after patching, devices may remain compromised if authentication credentials created by a threat actor are not purged.

Microsoft advises that if forged payloads were used to authenticate as a privileged user during the vulnerable window, those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.
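To make the two points above concrete (an HMAC-protected authentication payload is only as trustworthy as the check that verifies it, and tokens minted under a key stay valid until that key is retired), here is an added, self-contained Python illustration. It is not ASP.NET Core's DataProtection code and does not reproduce the specific defect behind CVE-2026-40372; it is a generic, hypothetical key ring (`KeyRing`, `mint_token`, `verify_token` are names chosen for this example) showing what a correct validator does with a tampered or unsigned payload, and why rotating the key ring and revoking the old keys invalidates tokens issued before the rotation. The sample claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


class KeyRing:
    """Hypothetical key ring: key id -> HMAC secret, plus a revocation set.
    Constructed for this example; not the DataProtection key ring format."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._revoked = set()
        self.current_id: Optional[str] = None

    def rotate_and_revoke(self) -> str:
        """Mint a fresh key, make it current, and revoke every older key so
        tokens signed under them stop validating (the post-incident step)."""
        for kid in self._keys:
            self._revoked.add(kid)
        kid = secrets.token_hex(4)
        self._keys[kid] = secrets.token_bytes(32)
        self.current_id = kid
        return kid

    def key_for(self, kid: str) -> Optional[bytes]:
        # A revoked or unknown key id yields no key; callers must reject.
        if kid in self._revoked:
            return None
        return self._keys.get(kid)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(ring: KeyRing, claims: dict) -> str:
    """Token layout (constructed): <kid>.<b64 payload>.<b64 HMAC-SHA256>."""
    kid = ring.current_id
    key = ring.key_for(kid) if kid is not None else None
    if key is None:
        raise RuntimeError("key ring has no usable current key")
    payload = _b64e(json.dumps(claims, sort_keys=True).encode())
    # The key id is inside the signed data, so it cannot be swapped unnoticed.
    tag = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    return f"{kid}.{payload}.{_b64e(tag)}"


def verify_token(ring: KeyRing, token: str) -> Optional[dict]:
    """Return the claims only if the tag verifies under a live key; else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    kid, payload, tag_b64 = parts
    key = ring.key_for(kid)
    if key is None:
        return None  # revoked/unknown key: reject, never fall back to a default
    try:
        tag = _b64d(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    # Full-length, constant-time comparison: an empty or truncated tag fails.
    if len(tag) != len(expected) or not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(_b64d(payload))
    except ValueError:
        return None


def demo() -> Dict[str, bool]:
    """Exercise the validator with constructed tokens before and after rotation."""
    ring = KeyRing()
    ring.rotate_and_revoke()
    good = mint_token(ring, {"sub": "alice", "role": "user"})
    kid, payload, tag = good.split(".")
    # Tampered: claims changed without re-signing, original tag reused.
    altered = _b64e(json.dumps({"role": "admin", "sub": "alice"}, sort_keys=True).encode())
    results = {
        "valid_before_rotation": verify_token(ring, good) is not None,
        "tampered_rejected": verify_token(ring, f"{kid}.{altered}.{tag}") is None,
        "empty_tag_rejected": verify_token(ring, f"{kid}.{payload}.") is None,
    }
    ring.rotate_and_revoke()
    # Rotation plus revocation is what makes earlier tokens stop validating.
    results["valid_after_rotation"] = verify_token(ring, good) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

Note the design choice in `rotate_and_revoke`: generating a new key alone would not help, because a validator that still accepts the old key id keeps honouring whatever was signed under it. Retiring the old keys is the part that actually ends the exposure window the article describes.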

ASP.NET Core is an open-source web development framework for writing .NET apps that run on Windows, macOS, Linux, and Docker, designed to allow runtime components, APIs, compilers, and languages to evolve quickly while providing a stable and supported platform.