Microsoft released an emergency patch for its ASP.NET Core to fix a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM privileges on devices that use the web development framework to run Linux or macOS apps.
The software maker said Tuesday night that the vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet, a package that’s part of the framework. The critical flaw stems from a faulty verification of cryptographic signatures. It can be exploited to allow unauthenticated attackers to forge authentication payloads during the HMAC validation process, which is used to verify the integrity and authenticity of data exchanged between a client and a server.
Beware: Forged credentials survive patching
During the time users ran a vulnerable version of the package, they were left open to an attack that would allow unauthenticated people to gain sensitive SYSTEM privileges that would allow full compromise of the underlying machine. Even after the vulnerability is patched, devices may still be compromised if authentication credentials created by a threat actor aren’t purged.
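Because cleanup depends on knowing which builds ever ran an affected version, the following added example (not code from Microsoft or from this article) checks a build's `*.deps.json` and a project file for Microsoft.AspNetCore.DataProtection in the 10.0.0 through 10.0.6 range stated above. The function names and sample inputs are constructed for illustration, and ignoring prerelease suffixes is an assumption that errs toward over-reporting.

```python
import json
import re
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.aspnetcore.dataprotection"
LOW, HIGH = (10, 0, 0), (10, 0, 6)  # affected range as stated in the article

def is_affected(version_text):
    """True if major.minor.patch falls inside the affected range.
    Assumption: prerelease/build suffixes are ignored, which over-reports."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_text.strip())
    return bool(m) and LOW <= tuple(map(int, m.groups())) <= HIGH

def affected_in_deps_json(deps_text):
    """Resolved versions: 'libraries' keys in a *.deps.json are 'Name/Version'."""
    hits = []
    for key in json.loads(deps_text).get("libraries", {}):
        name, _, version = key.partition("/")
        if name.lower() == PACKAGE and is_affected(version):
            hits.append(version)
    return hits

def affected_in_csproj(csproj_text):
    """Declared versions: PackageReference items in an SDK-style project file.
    Floating versions such as '10.0.*' cannot be resolved here and are skipped."""
    hits = []
    for ref in ET.fromstring(csproj_text).iter("PackageReference"):
        version = ref.get("Version") or ref.findtext("Version") or ""
        if ref.get("Include", "").lower() == PACKAGE and is_affected(version):
            hits.append(version)
    return hits

# Constructed sample inputs (not taken from any real project).
SAMPLE_DEPS = json.dumps({"libraries": {
    "Microsoft.AspNetCore.DataProtection/10.0.4": {"type": "package"},
    "Microsoft.Extensions.Logging/10.0.7": {"type": "package"},
}})
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.7" />
  </ItemGroup>
</Project>"""  # 10.0.7 is used only as a version outside the stated range

if __name__ == "__main__":
    print("deps.json affected:", affected_in_deps_json(SAMPLE_DEPS))
    print("csproj affected:", affected_in_csproj(SAMPLE_CSPROJ))
```

Run it against the `deps.json` of builds that were actually deployed, not only the current source tree, since a patched repository says nothing about what was running earlier.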







