Microsoft recently released an out-of-band security update to address a high-severity vulnerability in ASP.NET Core that specifically affects systems running on macOS and Linux. This flaw, designated CVE-2026-40372, could allow an unauthenticated attacker to obtain SYSTEM-level privileges, effectively taking full control of the underlying machine. Understanding the urgency and implications of this patch is crucial for developers and system administrators. Below are ten essential facts you need to know about this critical security issue.
1. The Vulnerability's Code and Severity
The flaw is tracked as CVE-2026-40372 and carries a high-severity rating. Microsoft assigned it a CVSS score of 8.1, indicating that exploitation requires low complexity and no user interaction. It resides in the Microsoft.AspNetCore.DataProtection NuGet package, versions 10.0.0 through 10.0.6. This package is a core component of ASP.NET Core responsible for cryptographic data protection, making the vulnerability especially dangerous for applications that rely on authentication and sensitive data.
2. Root Cause: Faulty Cryptographic Signature Verification
The vulnerability stems from an improper validation of cryptographic signatures during the HMAC (Hash-Based Message Authentication Code) process. HMAC is used to ensure the integrity and authenticity of data exchanged between clients and servers. Because the verification step was flawed, an attacker could forge authentication payloads that would be accepted as legitimate. This bypass effectively allows the attacker to impersonate a valid user or system component without having the proper credentials.
3. Impact: Unauthenticated Attacker Gains SYSTEM Privileges
Exploiting this flaw enables an unauthenticated remote attacker to achieve SYSTEM-level privileges on the affected machine. SYSTEM (or root on Linux/macOS) is the highest level of system access, giving the attacker full control over the operating system, all files, processes, configurations, and connected devices. This means that once exploited, the attacker can install malware, steal data, modify logs, or pivot to other systems within the network—all without any prior authentication.
4. Affected Platforms: macOS and Linux Only
While ASP.NET Core runs on Windows, macOS, and Linux, this particular vulnerability only affects applications hosted on macOS or Linux. Windows-based deployments are not impacted. This selective targeting may be due to differences in how the data protection API interacts with the underlying operating system's key storage or cryptographic APIs. However, attackers can still target cross-platform environments, making it critical for teams using non-Windows servers to prioritize this update.
5. The Patch: An Out-of-Band Emergency Release
Microsoft released this security update outside of its regular Patch Tuesday schedule, signaling the urgency of the fix. Emergency or “out-of-band” patches are typically reserved for vulnerabilities that are either actively exploited in the wild or pose an exceptionally high risk. The update updates the Microsoft.AspNetCore.DataProtection NuGet package to version 10.0.7 or later. Developers should immediately upgrade all projects using the affected package to the latest patched version.
6. Forged Authentication Credentials Persist After Patching
One of the most alarming aspects of CVE-2026-40372 is that simply applying the patch is not enough. If an attacker had already exploited the vulnerability before the update was installed, any forged authentication tokens or credentials they created would remain valid even on a patched system. This is because the patch fixes the validation mechanism going forward, but does not automatically invalidate previously issued tokens. Administrators must actively purge any potentially compromised credentials.
7. Post-Patch Cleanup: Purging Compromised Tokens
To fully remediate the vulnerability, after applying the patch, organizations must regenerate and replace all existing authentication keys, tokens, and session identifiers. This includes any data protection keys used by ASP.NET Core. The process may involve forcing a re-login for all users and invalidating any persistent sessions. Failure to do so leaves the door open for attackers who have already gained access. As mentioned earlier, forged credentials survive patching, so cleanup is a mandatory second step.
8. Who Should Act Immediately
Any organization running ASP.NET Core applications on Linux or macOS servers is at immediate risk. This includes web applications, APIs, microservices, and IoT backends that use the affected package. Developers should check their project files for references to Microsoft.AspNetCore.DataProtection with versions between 10.0.0 and 10.0.6. Even if the application is not internet-facing, internal systems can still be targeted by attackers who have already gained a foothold in the network.
9. How Attackers Can Exploit the Vulnerability
Exploitation does not require any special privileges or user interaction. An attacker would send a specially crafted HTTP request or payload to the vulnerable application. Because the HMAC validation is compromised, the server would accept the forged authentication token as legitimate. From there, the attacker can execute arbitrary code under the context of the SYSTEM account. Common attack vectors include direct network access, phishing victims inside the network, or via compromised dependencies that can send malicious requests.
10. Recommended Immediate Steps
First, update all affected packages to version 10.0.7 or later via NuGet. Second, perform a key rotation: delete all existing data protection keys and generate new ones. Third, force logout of all active sessions and require re-authentication. Fourth, monitor logs for signs of prior exploitation—look for unexpected privileged actions or credential usage. Finally, consider implementing additional monitoring on macOS and Linux servers to detect unauthorized privilege escalations. The emergency patch is the first step, but complete security requires the cleanup described in step seven.
11. Conclusion
CVE-2026-40372 serves as a stark reminder that vulnerabilities in core frameworks can have severe consequences, especially when they affect cross-platform deployments. Microsoft's rapid response underscores the danger, but the onus is on developers and administrators to apply the patch and—critically—to purge any retained forged credentials. By understanding the ten facts outlined above, you can better protect your systems against this high-severity threat and ensure that your ASP.NET Core applications remain secure.