Microsoft patches critical ASP.NET Core privilege escalation vulnerability

Microsoft has released out-of-band security updates to address a critical privilege escalation vulnerability in ASP.NET Core. The flaw, tracked as CVE-2026-40372, affects the ASP.NET Core Data Protection cryptographic APIs and could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies, as reported by Bleeping Computer.

The vulnerability stems from a regression in specific versions of the Microsoft.AspNetCore.DataProtection NuGet packages. This regression causes the managed authenticated encryptor to incorrectly compute HMAC validation tags, potentially allowing attackers to forge payloads that bypass DataProtection's authenticity checks. Successful exploitation could enable attackers to decrypt protected payloads in authentication cookies, antiforgery tokens, and other sensitive data.

While the vulnerability does not impact system availability, it could allow attackers to disclose files, modify data, and potentially issue legitimately signed tokens to themselves if they authenticate as a privileged user during the vulnerable window. Microsoft advises updating the Microsoft.AspNetCore.DataProtection package to version 10.0.7 and redeploying applications.

Source: Bleeping Computer
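Since the remediation is a package update to 10.0.7, a defender's first step is finding every project that still references an older DataProtection package. The audit script below is an added example (not code from Microsoft, the article, or Bleeping Computer) that parses `.csproj` / `Directory.Packages.props` XML and flags any reference to the Microsoft.AspNetCore.DataProtection package family below 10.0.7; that "anything below 10.0.7" rule is a conservative assumption, because the article does not list the specific affected versions, and the sample project file and its version numbers are constructed for the demo.

```python
import xml.etree.ElementTree as ET
PACKAGE = "Microsoft.AspNetCore.DataProtection"  # package family named in the advisory
FIXED_VERSION = "10.0.7"                          # version Microsoft advises moving to
# Constructed sample project file; the package versions in it are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="10.0.7" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

def parse_version(text):
    """'10.0.7-rc.1' -> ((10, 0, 7), True); None for wildcards/ranges like '10.*'."""
    core, _, prerelease = text.strip().partition("-")
    try:
        nums = tuple(int(p) for p in core.split("."))
    except ValueError:
        return None
    return nums + (0,) * (3 - len(nums)), bool(prerelease)

def below_fixed(version, fixed=FIXED_VERSION):
    """True if `version` sorts below the fixed release (a prerelease of the fixed
    version counts as below it, as NuGet orders them); None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    v_nums, v_pre = parsed
    f_nums, _ = parse_version(fixed)
    return v_nums < f_nums if v_nums != f_nums else v_pre

def data_protection_refs(project_xml):
    """(package, version) pairs for PackageReference/PackageVersion items in a
    .csproj or Directory.Packages.props. Assumption: sub-packages such as
    .Abstractions are audited alongside the core package."""
    refs = []
    for item in ET.fromstring(project_xml).iter():
        tag = item.tag.rsplit("}", 1)[-1]  # drop any xmlns prefix from the tag
        if tag not in ("PackageReference", "PackageVersion"):
            continue
        name = item.get("Include") or item.get("Update") or ""
        if name == PACKAGE or name.startswith(PACKAGE + "."):
            refs.append((name, item.get("Version") or item.findtext("Version") or ""))
    return refs

def audit(project_xml):
    """References that need attention: below 10.0.7, or a version we cannot parse."""
    return [(n, v) for n, v in data_protection_refs(project_xml)
            if below_fixed(v) is not False]
```

Entries whose version is a wildcard, a range, or missing (centrally managed) are returned for manual review rather than silently skipped.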
