Microsoft Issues Emergency Patches for Critical ASP.NET Core Vulnerability

Severity: High (Score: 72.2)

Sources: Gbhackers, Neowin, Cybersecuritynews, Bleepingcomputer, msrc.microsoft.com

Summary

On April 21, 2026, Microsoft released an emergency out-of-band update, .NET 10.0.7, to address a critical privilege escalation vulnerability tracked as CVE-2026-40372. This flaw, found in the ASP.NET Core Data Protection cryptographic APIs, allows unauthenticated attackers to forge authentication cookies, potentially gaining SYSTEM privileges on affected devices. The vulnerability was discovered after users reported decryption failures following the installation of .NET 10.0.6 during Patch Tuesday. Microsoft has emphasized that all non-Windows operating systems using .NET 10.0.6 are impacted, and it is crucial for affected users to update to the latest version immediately. The flaw has a CVSS score of 9.1, indicating a severe risk of exploitation. Organizations are advised to rotate their DataProtection key rings to mitigate risks from previously issued tokens. This incident follows a previous critical vulnerability (CVE-2025-55315) patched in October 2025, highlighting ongoing security challenges in the ASP.NET framework. Key Points: • Microsoft released .NET 10.0.7 to patch CVE-2026-40372, a critical privilege escalation vulnerability. • The flaw allows unauthenticated attackers to forge authentication cookies and gain SYSTEM privileges. • All non-Windows operating systems using .NET 10.0.6 are affected, necessitating immediate updates.

Key Entities

• Data Breach (attack_type)
• Zero-day Exploit (attack_type)
• CVE-2025-55315 (cve)
• CVE-2026-40372 (cve)
• CWE-200 - Exposure of Sensitive Information (cwe)
• CWE-269 - Improper Privilege Management (cwe)
• CWE-287 - Improper Authentication (cwe)
• T1068 - Exploitation for Privilege Escalation (mitre_attack)
• T1078 - Valid Accounts (mitre_attack)
• ASP.NET Core (platform)
• Kestrel (platform)
• Linux (platform)
• MacOS (platform)
• .NET (platform)