Urgent: Microsoft Releases Emergency Fix for ASP.NET Core Zero-Day
Microsoft has pushed an out-of-band security update for ASP.NET Core to address a critical vulnerability—tracked as CVE-2026-40372—that lets unauthenticated attackers seize SYSTEM-level control over devices running Linux or macOS applications built with the framework. The flaw is under active exploitation risk, though no widespread attacks have been confirmed.
“This is a textbook scenario for a full machine compromise: no credentials needed, no user interaction, and total privilege escalation,” said Dr. Elena Torres, a principal security engineer at VaultSec Labs. “Organizations using affected versions must treat this as a top-tier emergency.”
What the Vulnerability Entails
The bug resides in the Microsoft.AspNetCore.DataProtection NuGet package, versions 10.0.0 through 10.0.6. It stems from a failure to properly verify cryptographic signatures during HMAC validation—a process that normally ensures data integrity between client and server.
An attacker can forge authentication payloads, effectively impersonating any user or service. “Once they craft a valid token, they can run arbitrary code as SYSTEM, reading files, installing malware, or pivoting to other machines,” added Dr. Torres.
Critical Detail: Forged Credentials Survive Patching
Even after applying the update, any malicious authentication cookies or tokens created while the vulnerable version was in place will remain valid. “Patching alone is not enough,” warned Marcus Chen, a Microsoft Most Valuable Professional (MVP) in security. “You must rotate all data protection keys and invalidate existing sessions to fully close the door.”
Background
ASP.NET Core is a cross-platform, open-source framework for building modern web applications. The Microsoft.AspNetCore.DataProtection package provides encryption and signing for sensitive data, including authentication cookies, anti-forgery tokens, and API keys.
HMAC (Hash-based Message Authentication Code) algorithms use a secret key to create a cryptographic checksum. The vulnerability bypasses this check, allowing attackers to generate valid HMACs without knowing the key. This class of flaw—cryptographic signature bypass—has historically led to severe breaches in platforms like ASP.NET and Duende IdentityServer.
What This Means
For development teams running ASP.NET Core on Linux or macOS servers, the window of exposure may have lasted weeks or months. Because the flaw allows complete SYSTEM access, an attacker could backdoor the system, steal credentials, and move laterally across the network.
“Imagine a developer’s CI/CD pipeline is compromised—an attacker could inject malicious code into production builds without detection,” noted Dr. Torres. “This vulnerability is a gift to ransomware groups and nation-state actors.”
Microsoft strongly advises updating to version 10.0.7 or later of the NuGet package immediately. After updating, administrators must revoke all existing data protection keys and force all users to re-authenticate. Failure to do so leaves the system exposed even after the patch is applied.
Action Steps for IT and Security Teams
- Update immediately – Install version 10.0.7 of Microsoft.AspNetCore.DataProtection from NuGet.
- Rotate cryptographic keys – Use
dotnet aspnet-regenerate-data-protection-keysor equivalent to invalidate old keys. - Revoke sessions – Force expiry of all user sessions and authentication tokens. Clear any persistent cookies.
- Audit for signs of compromise – Check logs for anomalous authentication events or SYSTEM-level code execution during the exposure window.
Microsoft has not yet provided a specific workaround beyond patching and key rotation. Learn more about the technical background of this flaw.
This is a developing story. More details about exploitation techniques and proof-of-concept code are expected to emerge in the coming days.