
Microsoft Rushes Out Critical Patch for ASP.NET Core Flaw Affecting Linux, macOS Systems

Last updated: 2026-05-02 13:36:17 · Technology

Microsoft has released an emergency patch for a high-severity vulnerability in ASP.NET Core that could allow unauthenticated attackers to gain SYSTEM privileges on Linux and macOS machines. The flaw, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, a core component of the framework.

“This is a critical issue that requires immediate attention,” said Jane Hammond, a vulnerability researcher at CyberSec Labs. “Attackers can exploit this without any authentication, giving them full control over the underlying system.” The vulnerability originates from a faulty verification of cryptographic signatures, allowing threat actors to forge authentication payloads during the HMAC validation process.

Background

Source: feeds.arstechnica.com

ASP.NET Core is a cross-platform web framework used to build modern applications on Linux, macOS, and Windows. The Microsoft.AspNetCore.DataProtection package provides encryption and signing services for data protection. HMAC (Hash-based Message Authentication Code) is used to verify data integrity and authenticity between client and server.

The flaw means that while a vulnerable version was running, unauthenticated attackers could forge credentials, and those forged credentials remain valid even after the patch is applied. “Patching alone is not enough,” added Hammond. “Any authentication tokens created by an attacker must be systematically purged to prevent lingering backdoor access.”

What This Means

Organizations using affected versions must immediately patch their systems and then rotate or invalidate all existing authentication secrets. Failure to do so could leave machines compromised even after the update. Microsoft strongly recommends regenerating any data protection keys and clearing persistent session tokens created during the vulnerable window.


“This is not a typical bug—it allows long-term compromise if not fully remediated,” said Alex Rivera, a cybersecurity consultant. “Enterprises should treat this as a breach response, not just a patch cycle.” The advisory from Microsoft emphasizes that forged credentials can bypass later fixes, making post-patch cleanup essential.

Action steps for administrators:

  • Update to Microsoft.AspNetCore.DataProtection version 10.0.7 or later immediately.
  • Revoke all existing data protection keys and generate new ones.
  • Force a logout for all users and invalidate any session tokens created before the patch.
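The two remediation steps that follow the package update (revoke every data protection key and reject tokens issued before the patch) come down to how a server verifies an HMAC-signed token, as outlined in the Background section above. The following is an added example, not code from the article or from the Microsoft.AspNetCore.DataProtection package: it uses a hypothetical in-memory key ring keyed by key id, a constructed token format (base64url body, base64url HMAC-SHA256 tag), and a `not_before` cutoff, and it shows why a token minted under a revoked key, or before the cutoff, stops validating once both steps are carried out.

```python
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode


def _b64e(raw: bytes) -> str:
    """base64url without padding (constructed token encoding, not the Data Protection format)."""
    return urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; re-adds the padding base64 expects."""
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(payload: dict, key_ring: dict, key_id: str, issued_at: int) -> str:
    """Sign payload under key_ring[key_id]; the key id and issue time travel inside the signed body."""
    body = dict(payload, kid=key_id, iat=issued_at)
    body_bytes = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key_ring[key_id], body_bytes, hashlib.sha256).digest()
    return _b64e(body_bytes) + "." + _b64e(tag)


def verify_token(token: str, key_ring: dict, not_before: int = 0):
    """Return the signed body if the token is authentic and issued at or after not_before, else None.

    Every rejection path returns None; the caller never learns which check failed.
    """
    try:
        body_b64, tag_b64 = token.split(".")
        body_bytes = _b64d(body_b64)
        tag = _b64d(tag_b64)
        body = json.loads(body_bytes)
    except ValueError:          # malformed base64, bad JSON, wrong number of parts
        return None
    if not isinstance(body, dict):
        return None
    key = key_ring.get(body.get("kid"))
    if key is None:             # key id unknown or revoked: step 2 of the action list
        return None
    expected = hmac.new(key, body_bytes, hashlib.sha256).digest()
    # Recompute the tag over the exact signed bytes and compare in constant time;
    # the explicit length check makes the rejection of a truncated tag obvious.
    if len(tag) != len(expected) or not hmac.compare_digest(tag, expected):
        return None
    if not isinstance(body.get("iat"), int) or body["iat"] < not_before:
        return None             # issued during the vulnerable window: step 3
    return body


def rotate_keys(key_ring: dict, new_key_id: str, new_key: bytes) -> str:
    """Revoke every existing key and install a fresh one; old tokens fail the kid lookup afterwards."""
    key_ring.clear()
    key_ring[new_key_id] = new_key
    return new_key_id


if __name__ == "__main__":
    # Constructed keys and timestamps; a real deployment would generate keys randomly.
    ring = {"k1": b"\x01" * 32}
    before_patch = issue_token({"sub": "alice"}, ring, "k1", issued_at=1000)
    print("valid before remediation:", verify_token(before_patch, ring) is not None)
    rotate_keys(ring, "k2", b"\x02" * 32)
    print("old token after key rotation:", verify_token(before_patch, ring))
    after_patch = issue_token({"sub": "alice"}, ring, "k2", issued_at=3000)
    print("new token with cutoff 2000:", verify_token(after_patch, ring, not_before=2000))
```

The `not_before` cutoff is what makes "force a logout" enforceable server-side: setting it to the time the patched build went live rejects every token that carries an earlier issue time, whether or not the key it was signed with has already been rotated.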

The urgency is amplified because the flaw impacts cross-platform deployments, which are often used in containerized environments. “This vulnerability exposes a fundamental gap in cryptographic validation,” noted Rivera. “Every organization using ASP.NET Core on Linux or macOS should treat this as top priority.”

Microsoft has not reported active exploitation but warns that proof-of-concept code could be publicly available soon. The company urges users to apply the patch and follow the post-patch cleanup procedures outlined in its security advisory.