New Delhi | A serious security threat has sent shockwaves across the tech ecosystem after Microsoft released emergency (out-of-band) security updates to fix a critical vulnerability in its widely used web framework ASP.NET Core. The flaw is rated highly severe because it could allow unauthenticated attackers to impersonate legitimate users of affected applications and escalate their privileges to the highest level an application grants.
The vulnerability, tracked as CVE-2026-40372, was identified in ASP.NET Core's Data Protection API, the cryptographic component that encrypts and integrity-protects authentication cookies, antiforgery tokens and similar application secrets. Technically, the flaw allowed attackers to forge authentication cookies, enabling them to impersonate legitimate users and bypass security checks.
How the vulnerability worked
According to Microsoft, the issue came to light after the release of .NET 10.0.6, when multiple users reported decryption failures in their applications. Investigation showed that a flaw in the Data Protection API caused the HMAC integrity check to be computed over the wrong data and, in some cases, to be skipped entirely. Because the HMAC is what proves that a protected payload was produced by the application's own keys, a check that covers the wrong bytes, or is never compared, lets attacker-modified payloads pass as genuine.
By exploiting this flaw, attackers could craft malicious payloads that would be mistakenly accepted as valid by the system. This opened the door for:
- Forging authentication cookies
- Accessing antiforgery tokens and session data
- Obtaining password reset links, API keys, and session tokens
The most concerning aspect is that patching alone does not close the door. The update fixes the validation routine, but it does not change the keys the application was using, so anything legitimately issued under those keys during the exposure window stays valid. An attacker who had already impersonated a user and been issued genuine cookies, session tokens or reset links by the application could keep using them after the system is patched, until the keys themselves are rotated.
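To make the failure concrete, the following is an added illustration in C#, not code from Microsoft or from the .NET repository: a toy encrypt-then-MAC protector whose tag check can be switched between the correct behaviour and two hypothetical bug models matching the description above (an HMAC computed over the wrong bytes, and an HMAC that is never compared). The envelope layout, key sizes, the purpose of each mode and the sample cookie role=user;uid=42 are all assumptions for the demo; the real CVE-2026-40372 defect is not reproduced here.

```csharp
#nullable enable
// Added illustration for this article, not code from Microsoft or the .NET
// repository. The two "bug" modes are hypothetical models of the described
// failure, not the actual CVE-2026-40372 defect.
using System;
using System.Security.Cryptography;
using System.Text;

public enum TagCheck
{
    Correct,     // HMAC covers IV || ciphertext and is compared in constant time
    WrongSlice,  // bug model: HMAC computed over the ciphertext only, IV left out
    Skipped      // bug model: HMAC never compared at all
}

public static class ToyProtector
{
    // Assumed envelope layout: [16-byte IV][AES-256-CBC ciphertext][32-byte HMAC-SHA256 tag]
    const int IvLen = 16, TagLen = 32;

    public static byte[] Protect(byte[] encKey, byte[] macKey, string plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.GenerateIV();
        byte[] ct = aes.EncryptCbc(Encoding.UTF8.GetBytes(plaintext), aes.IV);
        byte[] body = Concat(aes.IV, ct);
        byte[] tag = HMACSHA256.HashData(macKey, body);      // the genuine tag covers everything
        return Concat(body, tag);
    }

    // True when the envelope's tag is accepted under the selected check.
    public static bool TagIsValid(byte[] macKey, byte[] env, TagCheck mode)
    {
        if (env.Length < IvLen + TagLen) return false;
        if (mode == TagCheck.Skipped) return true;           // computed-but-ignored, modelled as "always OK"
        int bodyLen = env.Length - TagLen;
        byte[] covered = mode == TagCheck.Correct
            ? env[..bodyLen]                                  // IV || ciphertext
            : env[IvLen..bodyLen];                            // ciphertext only: the IV is unauthenticated
        byte[] expected = HMACSHA256.HashData(macKey, covered);
        return CryptographicOperations.FixedTimeEquals(expected, env[bodyLen..]);
    }

    // Decrypts only after the tag check passes; null means "rejected".
    public static string? Unprotect(byte[] encKey, byte[] macKey, byte[] env, TagCheck mode)
    {
        if (!TagIsValid(macKey, env, mode)) return null;
        using var aes = Aes.Create();
        aes.Key = encKey;
        byte[] pt = aes.DecryptCbc(env[IvLen..^TagLen], env[..IvLen]);
        return Encoding.UTF8.GetString(pt);
    }

    // Attacker step that needs no key: XOR the IV so that CBC decryption flips the
    // same bytes of the first plaintext block (offset must lie inside the IV).
    public static byte[] FlipFirstBlock(byte[] env, int offset, string from, string to)
    {
        if (offset + from.Length > IvLen) throw new ArgumentOutOfRangeException(nameof(offset));
        byte[] forged = (byte[])env.Clone();
        for (int i = 0; i < from.Length; i++)
            forged[offset + i] ^= (byte)(from[i] ^ to[i]);
        return forged;
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        a.CopyTo(r, 0);
        b.CopyTo(r, a.Length);
        return r;
    }

    public static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32);
        byte[] macKey = RandomNumberGenerator.GetBytes(32);

        // Constructed sample cookie; "user" starts at byte 5 of the first block.
        byte[] genuine = Protect(encKey, macKey, "role=user;uid=42");
        byte[] forged = FlipFirstBlock(genuine, offset: 5, from: "user", to: "root");

        foreach (TagCheck mode in Enum.GetValues<TagCheck>())
        {
            Console.WriteLine($"{mode,-10} genuine: {Unprotect(encKey, macKey, genuine, mode) ?? "REJECTED"}");
            Console.WriteLine($"{mode,-10} forged:  {Unprotect(encKey, macKey, forged, mode) ?? "REJECTED"}");
        }
    }
}
```

Build with dotnet run on .NET 6 or later. Under the correct check the tampered envelope is rejected; under either bug model it is accepted and, because CBC decryption XORs the IV into the first plaintext block, decrypts to role=root;uid=42 without the attacker ever holding a key. That is the whole difference between an integrity check that covers every byte the decryptor will use and one that does not, and it is why a MAC defect in a cookie-protection layer turns directly into impersonation.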
Risk of data exposure and tampering
In its security advisory, Microsoft clarified that attackers could leverage this flaw to access sensitive data, read files, and even modify information within affected systems. While the vulnerability does not impact system availability, it poses a significant risk to data confidentiality and integrity.
Immediate update and key rotation essential
The company has strongly advised all developers and organizations to urgently update the Microsoft.AspNetCore.DataProtection package to version 10.0.7 and redeploy their applications. Updating is necessary but not sufficient: the Data Protection key ring must also be rotated, with existing keys revoked, to invalidate any tokens that were issued before the patch. Because running instances cache the key ring, the rotation should be followed by the redeploy or a restart so that every node picks up the new keys promptly.
Not the first major ASP.NET Core flaw
This is not the first time ASP.NET Core has faced a high-severity security issue. Previously, a critical HTTP request smuggling vulnerability (CVE-2025-55315) in the Kestrel web server allowed attackers to hijack user credentials, bypass front-end security controls, or even crash servers.
Expert warning
Cybersecurity experts warn that such vulnerabilities highlight a broader shift in attack strategies.
A security researcher noted, “Modern attackers are no longer just trying to break into systems—they aim to assume trusted identities and operate from within. Vulnerabilities like this provide exactly that opportunity.”
What organizations should do
- Immediately update .NET and all related packages
- Invalidate all session tokens and authentication cookies
- Rotate Data Protection keys
- Review system logs for suspicious activity
- Implement Zero Trust architecture and Multi-Factor Authentication
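The rotation and invalidation steps above, as an added example that is not code from Microsoft's advisory: it builds a minimal Data Protection container, protects a sample value standing in for a cookie issued during the exposure window, then revokes every key in the ring and creates a fresh one, and shows that the old value no longer unprotects. The application name, purpose string and temporary key directory are assumptions for the demo; a real deployment points PersistKeysToFileSystem (or its blob-storage or Redis equivalents) at the shared key store and protects keys at rest.

```csharp
// Added example for this article, not Microsoft's advisory code: revoke the
// whole Data Protection key ring and create a fresh key, then show that a
// payload protected before the rotation is no longer accepted.
// Packages: Microsoft.AspNetCore.DataProtection, Microsoft.Extensions.DependencyInjection
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingRotation
{
    public static void Main()
    {
        // Assumed key store for the demo; a real app points this at its shared key
        // repository (file share, blob storage, Redis, ...) and encrypts keys at rest.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-rotation-demo"));

        var services = new ServiceCollection();
        services.AddDataProtection()
                .SetApplicationName("rotation-demo")      // assumed application name
                .PersistKeysToFileSystem(keyDir);
        using var provider = services.BuildServiceProvider();

        var protector = provider.GetRequiredService<IDataProtectionProvider>()
                                .CreateProtector("Demo.AuthCookie"); // assumed purpose string

        // Stands in for a cookie issued during the exposure window.
        string oldToken = protector.Protect("uid=42;role=user");
        Console.WriteLine("before rotation: " + protector.Unprotect(oldToken));

        // Step 1: revoke every key created before now. Step 2: create a new default
        // key that activates immediately (the provider would also auto-generate one).
        var keyManager = provider.GetRequiredService<IKeyManager>();
        keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason: "CVE-2026-40372 remediation");
        keyManager.CreateNewKey(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(90));

        try
        {
            protector.Unprotect(oldToken);
            Console.WriteLine("old token still accepted: rotation did not take effect");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("old token rejected after rotation: " + ex.Message);
        }

        string newToken = protector.Protect("uid=42;role=user");
        Console.WriteLine("after rotation: " + protector.Unprotect(newToken));
    }
}
```

Within the same process the provider refreshes its key ring on the next call, so the old token fails immediately with a CryptographicException naming the revoked key. Other instances that share the key store refresh on their own schedule (24 hours by default), which is why the advice pairs rotation with a redeploy. Revoking keys also invalidates everything else protected with them, including antiforgery tokens and password reset links still in flight, so schedule the rotation with that in mind. Keys written to disk without DPAPI or a configured ProtectKeysWith* method are stored unencrypted; the demo tolerates that, production must not.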
Growing cyber threat landscape
This incident once again underscores how a small implementation flaw in a core cryptographic component can open the door to large-scale attacks. For organizations running ASP.NET Core-based applications, this alert is particularly critical.
In an era of rapidly evolving cyber threats, timely patching and robust security practices remain the strongest line of defense.