CVE‑2026‑40372 — ASP.NET Core Elevation of Privilege Vulnerability

Summary

CVE‑2026‑40372 is a critical elevation‑of‑privilege (EoP) vulnerability in ASP.NET Core’s Data Protection subsystem. Because the managed authenticated encryptor fails to verify payload integrity correctly, an unauthenticated network attacker can forge Data Protection payloads such as authentication cookies and antiforgery tokens and act as any application user, including administrative accounts, in affected deployments. Microsoft disclosed and fixed the issue in an out‑of‑band update in April 2026, which by itself signals how seriously the exploit potential was judged.


Severity & Classification

  • CVSS v3.1 Score: 9.1 (Critical / Important)
  • CWE: CWE‑347 – Improper Verification of Cryptographic Signature
  • Attack Vector: Network (no authentication required)
  • Impact: Authentication bypass, token forgery, privilege escalation


Affected Components

The vulnerability exists in the following packages and versions:

  Component: Microsoft.AspNetCore.DataProtection
  Affected Versions: 10.0.0 – 10.0.6
  Fixed Version: 10.0.7


When Are You Vulnerable?

You are affected when both of the following hold:

  • Your application references Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6, directly or transitively, and that NuGet package assembly (rather than the shared framework’s copy) is the one actually loaded at runtime
  • The managed authenticated encryptor is in use: the application runs on Linux, macOS or another non‑Windows platform, or the project consumes the netstandard2.0 / net462 assets of the affected package

Windows deployments that take the platform‑native (CNG) cryptography path are generally not affected.


Root Cause (What Went Wrong)

A regression in the managed authenticated encryptor (the code path used on non‑Windows platforms and by the netstandard2.0 / net462 assets) caused ASP.NET Core to:

  • Compute the HMAC over the wrong payload bytes, leaving part of the payload unauthenticated
  • In some cases discard the computed hash instead of comparing it against the tag
  • Accept forged or tampered payloads as valid

As a result, an attacker can craft Data Protection payloads such as authentication cookies or antiforgery tokens that pass the integrity check without possessing the key ring’s secret keys.
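An added illustration of the defect class described above, written for this page and not taken from ASP.NET Core or from the advisory: a toy encrypt‑then‑MAC protector in C# (AES‑CBC plus HMAC‑SHA256, with keys and a sample claim constructed in‑process). The weakened variant leaves the IV out of the MAC input, which stands in for “HMAC over incorrect payload bytes”; it does not reproduce the actual 10.0.0–10.0.6 code path. Because CBC XORs the IV into the first plaintext block, an attacker who knows the plaintext layout flips one IV byte and turns admin=0 into admin=1 without any key, and the weakened check accepts it; the correct check, which covers every byte that influences decryption and compares in constant time before decrypting, rejects the same forgery.

```csharp
// Added illustration of "MAC computed over the wrong bytes", NOT the code path in
// Microsoft.AspNetCore.DataProtection. Toy encrypt-then-MAC with the layout
// [16-byte IV][ciphertext][32-byte HMAC-SHA256 tag]. Keys are generated in-process.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class ToyProtector
{
    const int IvLen = 16, TagLen = 32;

    // macCoversIv = true  : tag = HMAC(IV || ciphertext)        (correct)
    // macCoversIv = false : tag = HMAC(ciphertext), IV unauthenticated (weakened stand-in)
    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plaintext, bool macCoversIv)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        byte[] iv  = RandomNumberGenerator.GetBytes(IvLen);
        byte[] ct  = aes.EncryptCbc(plaintext, iv, PaddingMode.PKCS7);
        byte[] tag = HMACSHA256.HashData(macKey, macCoversIv ? Concat(iv, ct) : ct);
        return Concat(iv, ct, tag);
    }

    // Returns the plaintext, or null when the tag does not verify. Nothing is
    // decrypted until the tag has been compared in constant time.
    public static byte[]? Unprotect(byte[] encKey, byte[] macKey, byte[] payload, bool macCoversIv)
    {
        if (payload.Length < IvLen + TagLen) return null;
        byte[] iv  = payload[..IvLen];
        byte[] ct  = payload[IvLen..^TagLen];
        byte[] tag = payload[^TagLen..];
        byte[] expected = HMACSHA256.HashData(macKey, macCoversIv ? Concat(iv, ct) : ct);
        if (!CryptographicOperations.FixedTimeEquals(expected, tag)) return null;
        using var aes = Aes.Create();
        aes.Key = encKey;
        return aes.DecryptCbc(ct, iv, PaddingMode.PKCS7);
    }

    // CBC: plaintext block 1 = Decrypt(C1) XOR IV, so flipping IV byte i flips
    // plaintext byte i. With the IV outside the MAC, no key is needed for this.
    public static byte[] FlipFirstBlockByte(byte[] payload, int offset, byte from, byte to)
    {
        byte[] forged = (byte[])payload.Clone();
        forged[offset] ^= (byte)(from ^ to);   // offset < 16 lands inside the IV
        return forged;
    }

    static byte[] Concat(params byte[][] parts)
    {
        var buf = new byte[parts.Sum(p => p.Length)];
        int pos = 0;
        foreach (var p in parts) { Buffer.BlockCopy(p, 0, buf, pos, p.Length); pos += p.Length; }
        return buf;
    }
}

static class Demo
{
    static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32);   // constructed for the demo, not an app's keys
        byte[] macKey = RandomNumberGenerator.GetBytes(32);
        byte[] claim  = Encoding.ASCII.GetBytes("admin=0;user=alice;exp=2026");   // constructed sample claim

        foreach (bool macCoversIv in new[] { true, false })
        {
            byte[] token  = ToyProtector.Protect(encKey, macKey, claim, macCoversIv);
            // Byte 6 of the first block is the '0' in "admin=0".
            byte[] forged = ToyProtector.FlipFirstBlockByte(token, offset: 6, from: (byte)'0', to: (byte)'1');
            byte[]? result = ToyProtector.Unprotect(encKey, macKey, forged, macCoversIv);
            Console.WriteLine($"MAC covers IV = {macCoversIv}: " +
                (result is null ? "forgery rejected"
                                : "forgery ACCEPTED -> " + Encoding.ASCII.GetString(result)));
        }
    }
}
```

The point of the pairing is that the tag itself is computed correctly in both variants; what differs is which bytes it covers. A verifier that hashes the wrong span, or that skips the comparison, is exactly as useless as no MAC for the bytes it does not cover, which is why the advisory treats this as a full authentication bypass rather than a weakening.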


Exploitation Impact

If successfully exploited, attackers can:

  • Forge authentication cookies and sign in as any user
  • Bypass antiforgery (CSRF) protections
  • Impersonate privileged users
  • Use a forged session to make the application itself issue legitimately signed tokens (API keys, refresh tokens, password reset links)
  • Retain access after the patch is applied, because forged payloads and legitimately issued tokens stay valid until the Data Protection keys are rotated and sessions are invalidated

Microsoft explicitly warns that forged tokens remain valid after upgrading unless this additional remediation is carried out.


Patch & Mitigation (Mandatory)

✅ Immediate Actions

  1. Upgrade to Microsoft.AspNetCore.DataProtection 10.0.7
  2. Rebuild & redeploy all affected applications
  3. Rotate the Data Protection key ring
  4. Invalidate existing auth sessions and tokens

Why Key Rotation Matters

Without key rotation, any forged tokens created during the vulnerable window remain trusted, negating the patch’s effectiveness. [github.com]


Detection & Audit Recommendations

  • Review logs for authentication anomalies during the vulnerable period
  • Audit issued tokens (refresh tokens, JWTs, reset links)
  • Identify unexpected elevation events
  • Verify runtime‑loaded assemblies (NuGet vs framework reference)
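The upgrade and key‑rotation steps under “Immediate Actions” and the “verify runtime‑loaded assemblies” check in the last bullet, as one added example written for this page; it is not Microsoft’s code and not an official tool. It is a C# console program built against the patched Microsoft.AspNetCore.DataProtection package (plus Microsoft.Extensions.DependencyInjection) that first reports which Data Protection assembly is actually loaded, then revokes every existing key and mints a replacement. KeyRingPath and AppName are assumptions and must match the application’s PersistKeysToFileSystem directory and SetApplicationName; adapt the persistence call if your key ring lives in Redis, Azure Blob Storage or another store. Before running it, confirm the package range with dotnet list package --include-transitive in each project.

```csharp
// Added example (not Microsoft's code): report the loaded Data Protection assembly,
// then rotate the key ring by revoking all existing keys and creating a new one.
// Build against Microsoft.AspNetCore.DataProtection 10.0.7 or later.
using System;
using System.IO;
using System.Reflection;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

const string KeyRingPath = "/var/lib/myapp/keys";   // assumption: the app's key-ring directory
const string AppName     = "myapp";                 // assumption: must match the app's SetApplicationName

// 1. Which Microsoft.AspNetCore.DataProtection is loaded in this process?
//    IKeyManager lives in that assembly. A package build shows the NuGet version;
//    a shared-framework build shows the framework's copy and path.
var asm = typeof(IKeyManager).Assembly;
var version = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion
              ?? asm.GetName().Version?.ToString();
Console.WriteLine($"Loaded {asm.GetName().Name} {version}");
Console.WriteLine($"  from {asm.Location}");

// 2. Rotate. Revocation is written into the shared key ring, so every cookie,
//    antiforgery token and Identity token protected with the old keys stops
//    unprotecting once running instances pick up the new ring.
var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName(AppName)
    .PersistKeysToFileSystem(new DirectoryInfo(KeyRingPath));
using var provider = services.BuildServiceProvider();
var keyManager = provider.GetRequiredService<IKeyManager>();

var cutoff = DateTimeOffset.UtcNow;
keyManager.RevokeAllKeys(cutoff, reason: "CVE-2026-40372: payloads from the vulnerable window cannot be trusted");
var fresh = keyManager.CreateNewKey(
    activationDate: DateTimeOffset.UtcNow,            // created after the cutoff, so not revoked
    expirationDate: DateTimeOffset.UtcNow.AddDays(90));

Console.WriteLine($"Revoked all keys created before {cutoff:u}");
Console.WriteLine($"New key {fresh.KeyId} active {fresh.ActivationDate:u} .. {fresh.ExpirationDate:u}");
foreach (var k in keyManager.GetAllKeys())
    Console.WriteLine($"  {k.KeyId} created {k.CreationDate:u} revoked={k.IsRevoked}");
```

Two caveats before running this against production. Revocation invalidates everything protected with the old keys, not only sessions: if the application stores other Data Protection payloads (encrypted columns, protected configuration), re‑protect them first, reading the old payloads with IPersistedDataProtector.DangerousUnprotect and ignoreRevocationErrors set. Running instances cache the key ring and refresh it only periodically, so restart them after the rotation, and then revoke in their own stores any tokens that are not Data Protection payloads (stored refresh tokens, API keys) that were minted during the vulnerable window.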


Enterprise Risk Perspective

This vulnerability is particularly dangerous because it:

  • Breaks a core trust boundary (authentication integrity)
  • Requires no credentials to exploit
  • Hits framework‑level cryptography, so many applications are affected at once
  • Leaves forged or attacker‑obtained tokens trusted after patching unless keys are rotated

Microsoft’s use of an out‑of‑band release strongly indicates a high exploitation risk window. [bleepingcomputer.com], [cambridgea...lytica.org]
