Ethical Hacking News
Microsoft has released emergency patches for a critical ASP.NET Core vulnerability that could allow attackers to gain SYSTEM privileges on affected devices. The patch addresses a regression in the Microsoft.AspNetCore.DataProtection NuGet package, which causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases. To protect your systems from potential attacks, update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible.
Microsoft has released emergency patches for a critical vulnerability in its ASP.NET Core Data Protection cryptographic APIs, which could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies. The flaw, tracked as CVE-2026-40372, was discovered after users reported that decryption was failing in their applications once they had installed the .NET 10.0.6 update released on this month's Patch Tuesday; the regression shipped in a security update, not in a feature release.
According to Microsoft's release notes, a regression in the Microsoft.AspNetCore.DataProtection NuGet package causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and, in some cases, to discard the computed hash entirely. A tag that does not cover the bytes the receiver acts on authenticates nothing, so an attacker can forge payloads that pass Data Protection's authenticity checks and can decrypt previously protected payloads. That covers everything the framework protects with these APIs: authentication cookies, antiforgery tokens, TempData, OIDC state, and so on.
If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately signed tokens to themselves (session refresh tokens, API keys, password reset links, and so on). Those tokens are signed with the real keys, so they remain valid after upgrading to 10.0.7 unless the Data Protection key ring is rotated.
Microsoft characterises the impact as confidentiality and integrity: an attacker can disclose files and modify data on affected systems, but successful exploitation does not cause denial-of-service conditions or crashes, so affected applications keep running normally while their protected payloads are no longer trustworthy.
Senior program manager Rahul Bhandari has urged all customers whose applications use ASP.NET Core Data Protection to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible and then redeploy, so that the fixed validation routine rejects forged payloads; as noted above, the key ring should also be rotated where forged payloads may have been used. More information regarding affected platforms, packages, and application configuration can be found in the original announcement.
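As an added practitioner check, not part of the original announcement, the script below walks the JSON report that `dotnet list package --include-transitive --format json` produces and flags every project and target framework whose resolved Microsoft.AspNetCore.DataProtection version falls in the affected range. The sample report is constructed; the field names (`projects`, `frameworks`, `topLevelPackages`, `transitivePackages`, `resolvedVersion`) are assumed from the SDK's JSON report format and should be checked against your SDK. The range treats 10.0.6 as the affected release and 10.0.7 as the fix, which is what the article states; consult the announcement for the full list of affected packages and platforms, since this check only sees what the NuGet dependency graph reports.

```python
import json

PACKAGE = "Microsoft.AspNetCore.DataProtection"

# Constructed sample of `dotnet list package --include-transitive --format json`.
# Three projects: one references the package directly at 10.0.6, one pulls
# 10.0.7 transitively, one pulls 10.0.6 transitively.
SAMPLE_REPORT = json.dumps({
    "version": 1,
    "parameters": "--include-transitive --format json",
    "projects": [
        {"path": "/src/WebApp/WebApp.csproj", "frameworks": [{
            "framework": "net10.0",
            "topLevelPackages": [{"id": PACKAGE, "requestedVersion": "10.0.6",
                                  "resolvedVersion": "10.0.6"}],
            "transitivePackages": []}]},
        {"path": "/src/Api/Api.csproj", "frameworks": [{
            "framework": "net10.0",
            "topLevelPackages": [],
            "transitivePackages": [{"id": PACKAGE, "resolvedVersion": "10.0.7"}]}]},
        {"path": "/src/Worker/Worker.csproj", "frameworks": [{
            "framework": "net10.0",
            "topLevelPackages": [],
            "transitivePackages": [{"id": PACKAGE, "resolvedVersion": "10.0.6"}]}]},
    ],
})


def parse_version(version: str) -> tuple:
    """Turn '10.0.7' or '10.0.7-rc.1' into a comparable tuple.

    A pre-release sorts before the matching final release, so '10.0.7-rc.1'
    is still treated as older than the 10.0.7 fix.
    """
    core, _, prerelease = version.partition("-")
    return tuple(int(part) for part in core.split(".")) + ((0,) if prerelease else (1,))


AFFECTED_FROM = parse_version("10.0.6")   # first release with the regression (per the article)
FIXED = parse_version("10.0.7")           # out-of-band fix


def find_affected(report_json: str) -> list[dict]:
    """Return one record per project/framework whose resolved package version is affected."""
    report = json.loads(report_json)
    hits = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    if pkg.get("id", "").lower() != PACKAGE.lower():
                        continue
                    resolved = pkg["resolvedVersion"]
                    if AFFECTED_FROM <= parse_version(resolved) < FIXED:
                        hits.append({
                            "project": project["path"],
                            "framework": fw["framework"],
                            "resolved": resolved,
                            "transitive": kind == "transitivePackages",
                        })
    return hits


if __name__ == "__main__":
    # Real use: dotnet list package --include-transitive --format json > report.json
    for hit in find_affected(SAMPLE_REPORT):
        how = "transitive" if hit["transitive"] else "direct"
        print(f"{hit['project']} [{hit['framework']}]: {PACKAGE} {hit['resolved']} ({how}) -> update to 10.0.7")
```

Transitive hits matter as much as direct ones: a project that never references the package itself still ships the vulnerable assembly if something it depends on does, and it needs a redeploy just the same.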
This is not the first high-severity ASP.NET Core flaw Microsoft has had to patch recently. In October 2025, the company fixed an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server that was flagged with the "highest ever" severity rating for an ASP.NET Core security flaw. Successful exploitation of CVE-2025-55315 enables authenticated attackers to hijack other users' credentials, bypass front-end security controls, or crash the server.
Separately, Microsoft released another set of out-of-band updates to address issues affecting Windows Server systems after installation of the April 2026 security updates.
This flaw is a reminder that a security update can itself introduce a regression: the bug shipped in 10.0.6, a Patch Tuesday release, and was noticed only because decryption started failing. Developers and administrators should apply 10.0.7 promptly, confirm the resolved package version in every deployed application, including those that pull the package in transitively, and treat tokens issued during the vulnerable window as suspect until the key ring has been rotated.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-ASPNET-Core-Flaw-Exposed-What-You-Need-to-Know-ehn.shtml
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-security-updates-for-critical-aspnet-flaw/
https://devblogs.microsoft.com/dotnet/dotnet-10-0-7-oob-security-update/
https://cyberpress.org/microsoft-releases-emergency-net-10-0-7-update-to-fix/
https://nvd.nist.gov/vuln/detail/CVE-2026-40372
https://www.cvedetails.com/cve/CVE-2026-40372/
https://nvd.nist.gov/vuln/detail/CVE-2025-55315
https://www.cvedetails.com/cve/CVE-2025-55315/
Published: Wed Apr 22 03:28:41 2026 by llama3.2 3B Q4_K_M