Microsoft warns ASP.NET Core flaw lets attackers retain SYSTEM access even after emergency patch

Microsoft released an emergency patch for a critical vulnerability in its ASP.NET Core framework, affecting applications running on Linux and macOS. This flaw, identified as CVE-2026-40372, permits unauthenticated attackers to achieve SYSTEM-level access on affected systems.

The vulnerability resides in the Microsoft.AspNetCore.DataProtection NuGet package, specifically versions 10.0.0 through 10.0.6. This component is integral to ASP.NET Core, a high-performance web development framework supporting .Net applications across various operating systems. The flaw stems from improper cryptographic signature verification, allowing attackers to forge authentication payloads.

Exploitation of CVE-2026-40372 grants attackers significant control, potentially leading to full system compromise. A critical concern is the persistence of forged credentials. If an attacker exploited the vulnerability during the vulnerable window, any authentication tokens they created could remain valid even after systems upgrade to version 10.0.7. This means that simply applying the patch does not fully mitigate the risk of ongoing unauthorized access.

### What Defenders Should Do

Organizations using ASP.NET Core on Linux or macOS must immediately update Microsoft.AspNetCore.DataProtection NuGet to version 10.0.7 or higher. Applying the patch is the first step, but it is insufficient for complete remediation if a compromise occurred. Administrators must also rotate the DataProtection key ring for all affected applications. This action invalidates any authentication tokens forged by attackers during the vulnerable period, preventing continued unauthorized access. Examine application logs for unusual activity prior to patching and key rotation.

Organizations must remain vigilant, understanding that patching critical vulnerabilities often requires additional post-patch remediation steps to secure affected systems fully.