Cybersecurity5 hrs ago

Microsoft Warns Forged ASP.NET Core Tokens Stay Valid After Patch Unless Key Ring Rotated

Microsoft's ASP.NET Core patch for CVE-2026-40372 requires DataProtection key ring rotation to invalidate existing forged authentication tokens.

Peter Olaleru, Cybersecurity Editor (3 min read, US)


Microsoft has patched a critical ASP.NET Core vulnerability, CVE-2026-40372, that allowed unauthenticated attackers to gain SYSTEM privileges. Existing forged authentication tokens, however, remain valid after the patch is applied unless administrators also rotate the DataProtection key ring.

Microsoft recently issued an emergency patch for a high-severity flaw in ASP.NET Core. The vulnerability allowed unauthenticated attackers to obtain SYSTEM privileges on systems running applications built with the framework on Linux and macOS. ASP.NET Core is Microsoft's cross-platform, high-performance web framework for building .NET applications.

The flaw, tracked as CVE-2026-40372, affects Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6. This component performs the cryptographic operations ASP.NET Core applications rely on for protecting data at rest and in transit, such as encrypting authentication cookies and verifying that a protected payload has not been tampered with. The vulnerability stemmed from faulty verification of cryptographic signatures during HMAC (Hash-based Message Authentication Code) validation, enabling attackers to forge authentication payloads. HMAC is the keyed integrity check that lets the server confirm a payload was produced by the holder of the secret key and has not been modified since.

Organizations running vulnerable versions were therefore exposed to token forgery. An attacker exploiting the flaw could induce the application to issue legitimately signed tokens, such as session refreshes or API keys, to themselves. The crucial warning from Microsoft is that any authentication tokens forged while the vulnerability was present remain valid even after upgrading to the patched version, 10.0.7, unless the DataProtection key ring is actively rotated. The reason is that the patch only fixes the verification logic; it does not change the keys. A token the application signed under the current key ring during the vulnerable window is indistinguishable from a legitimately issued one and keeps verifying correctly until the key that signed it is revoked. Without that additional step, attackers could maintain persistent access using previously forged credentials.

### What Defenders Should Do

Organizations must take immediate action beyond simply applying the patch to fully mitigate this threat:

* Apply patches immediately: update all Microsoft.AspNetCore.DataProtection NuGet packages to version 10.0.7 or later to address CVE-2026-40372. Applications that consume DataProtection through the Microsoft.AspNetCore.App shared framework rather than a direct package reference pick up the fix through the corresponding ASP.NET Core runtime update, so check both.
* Rotate the DataProtection key ring: this is the critical step. Administrators must rotate the key ring across all affected deployments. Revoking the old keys invalidates every payload protected under them, which is what neutralizes tokens forged during the vulnerable window; it also invalidates legitimate authentication cookies and antiforgery tokens, so plan for every user to reauthenticate. In a multi-instance deployment, rotate the key ring in the shared key store the application persists keys to (file share, Redis, blob storage or similar), not on a single host. Consult Microsoft documentation for specific instructions on key ring rotation.
* Review logs: conduct a forensic review of application authentication logs for the period the vulnerable versions were active. Look for unusual or unauthorized login attempts, session creations and token issuance that does not correspond to a real user sign-in.
* Session management: consider invalidating all existing user sessions as an additional precautionary measure following key rotation, prompting users to reauthenticate. Key rotation already makes existing cookie-based sessions undecryptable, but any server-side session or refresh-token store should be cleared as well.
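The rotation step above, shown as an added example (this is not code from Microsoft's advisory or from the ASP.NET Core project). It uses the public `IKeyManager` API to revoke every existing key and create a fresh one, then demonstrates that a payload protected under the old key is rejected afterwards, which is exactly what invalidates forged tokens. The key-ring directory, application name and protector purpose string are placeholders chosen for the demo; the only assumption about the environment is that the Microsoft.AspNetCore.DataProtection package (or the ASP.NET Core shared framework) is referenced.

```csharp
// Added example: force a DataProtection key ring rotation and verify that
// payloads protected under the revoked key no longer unprotect.
// Not Microsoft's code; keyRingDir, "demo-app" and "demo-auth-ticket" are
// hypothetical values chosen for this demonstration.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

class Program
{
    static void Main()
    {
        // In production this would be the shared key repository every instance uses
        // (file share, Redis, blob storage, ...), and keys would be encrypted at rest.
        var keyRingDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keyring-demo"));

        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("demo-app")
            .PersistKeysToFileSystem(keyRingDir);
        using var provider = services.BuildServiceProvider();

        var protector = provider.GetRequiredService<IDataProtectionProvider>()
            .CreateProtector("demo-auth-ticket");

        // A payload signed under the current (pre-rotation) key. A token forged during
        // the vulnerable window would be signed with this same key and look identical.
        string oldToken = protector.Protect("user=alice;role=admin");
        Console.WriteLine("Before rotation: " + protector.Unprotect(oldToken));

        // Rotation: revoke every key created up to now, then add a key that is active now.
        var keyManager = provider.GetRequiredService<IKeyManager>();
        var rotationTime = DateTimeOffset.UtcNow;
        keyManager.RevokeAllKeys(rotationTime, reason: "CVE-2026-40372 remediation");

        // The mass revocation is applied by comparing each key's creation date with the
        // revocation date; a short pause guarantees the new key's creation timestamp is
        // strictly later so it is not swept up by the revocation it follows.
        Thread.Sleep(1000);
        keyManager.CreateNewKey(
            activationDate: DateTimeOffset.UtcNow,
            expirationDate: DateTimeOffset.UtcNow.AddDays(90));

        // The old payload now fails verification: the key that signed it is revoked.
        try
        {
            protector.Unprotect(oldToken);
            Console.WriteLine("UNEXPECTED: old token still accepted");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Old token rejected after rotation: " + ex.Message);
        }

        // New payloads are signed with the fresh key and round-trip normally.
        string newToken = protector.Protect("user=alice;role=admin");
        Console.WriteLine("After rotation: " + protector.Unprotect(newToken));
    }
}
```

Within the process that performs the revocation, the key ring cache is invalidated immediately, which is why the second `Unprotect` fails in the same run. Other application instances sharing the same key repository only see the revocation on their next key ring refresh, which can be up to a day later under the default refresh period, so restart every instance after rotating the key store if you need the old tokens rejected immediately rather than eventually.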

The long-term impact of forged tokens demands immediate attention to prevent prolonged access. Monitoring for anomalous activity and robust key management practices will remain essential going forward.
