Microsoft Rushes Patches for Critical ASP.NET Core Privilege Escalation Flaw

Microsoft has issued out-of-band updates to address a critical privilege escalation vulnerability (CVE-2026-40372) in ASP.NET Core’s Data Protection APIs. BleepingComputer reports that unauthenticated attackers could exploit this flaw by forging authentication cookies to gain SYSTEM privileges. The vulnerability stems from a regression in specific NuGet package versions where the cryptographic APIs incorrectly compute or discard HMAC validation tags, so forged payloads can pass the authenticity check and protected payloads can be decrypted.

This flaw enables attackers to bypass authenticity checks and potentially decrypt protected data like authentication cookies, antiforgery tokens, and OIDC state. While the vulnerability does not impact system availability, successful exploitation could allow an attacker to impersonate privileged users and issue their own legitimate tokens, such as session refresh or API keys. Microsoft advises that affected applications should rotate their Data Protection keys even after applying the patch to fully mitigate the risk.

What This Means For You

  • If your organization utilizes ASP.NET Core Data Protection APIs, immediately verify that affected NuGet packages (versions 10.0.0 through 10.0.6) have been updated to 10.0.7 or later. Critically, you must rotate your Data Protection keys to invalidate any potentially forged or compromised tokens issued during the vulnerable window.
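
The version check from the item above, as an added example (not code from Microsoft or from the original article): it scans MSBuild project XML for direct package references in the 10.0.0 through 10.0.6 range. The package id prefix `Microsoft.AspNetCore.DataProtection` and the sample project are assumptions, since the article does not list the affected package ids; confirm them against the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: id prefix of the packages to check (the article names no package ids).
PACKAGE_PREFIX = "Microsoft.AspNetCore.DataProtection"
FIRST_AFFECTED = (10, 0, 0)  # from the article
FIRST_FIXED = (10, 0, 7)     # from the article
_EXACT = re.compile(r"\[?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\]?")

def classify(version):
    """Map a version string to 'affected', 'ok' or 'review'."""
    m = _EXACT.fullmatch((version or "").strip())
    if not m:
        # Floating (10.0.*), ranges, prerelease tags, $(Property) values, or no
        # version in this file (central package management): resolve by hand.
        return "review"
    v = tuple(int(g) for g in m.groups())
    return "affected" if FIRST_AFFECTED <= v < FIRST_FIXED else "ok"

def scan(xml_text):
    """Return [(package_id, version, status)] for references matching the prefix."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # tolerate an MSBuild xmlns
        if tag not in ("PackageReference", "PackageVersion"):
            continue
        pkg = el.get("Include") or el.get("Update") or ""
        if not pkg.lower().startswith(PACKAGE_PREFIX.lower()):
            continue
        version = el.get("Version")
        if version is None:  # <Version> may be a child element instead
            child = next((c for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
            version = child.text if child is not None else None
        findings.append((pkg, version, classify(version)))
    return findings

# Constructed sample project file, not taken from any real application.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.4" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Extensions" Version="10.0.7" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.StackExchangeRedis">
      <Version>10.0.*</Version>
    </PackageReference>
    <PackageReference Include="Serilog" Version="4.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, version, status in scan(SAMPLE_CSPROJ):
        print(f"{status:8} {pkg} {version}")
```

This covers direct references only; transitive copies do not appear in project files, so also review the output of `dotnet list package --include-transitive`.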
