Ethical Hacking News
Microsoft has released out-of-band updates to address a critical vulnerability in its ASP.NET Core framework, which could allow attackers to escalate privileges and access sensitive files. The vulnerability has a CVSS score of 9.1, indicating that it is considered highly severe and potentially exploitable. Users are advised to prioritize the installation of the latest ASP.NET Core updates to protect themselves against potential threats.
Microsoft has released out-of-band updates to address a critical vulnerability in its ASP.NET Core framework.The vulnerability allows attackers to escalate privileges and access sensitive files, with a CVSS score of 9.1.The vulnerability requires specific conditions to be met before it can be exploited.Micorsoft has released updates for ASP.NET Core version 10.0.7 to address this vulnerability.Users are advised to prioritize the installation of the latest ASP.NET Core updates and monitor their systems closely for any signs of exploitation.
Microsoft has recently released out-of-band updates to address a critical vulnerability in its ASP.NET Core framework, which could allow attackers to escalate privileges and access sensitive files. The vulnerability, tracked as CVE-2026-40372, has a CVSS score of 9.1, indicating that it is considered highly severe and potentially exploitable.
The vulnerability was discovered by an anonymous researcher who reported it to Microsoft. According to the company's advisory, the flaw in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. This could allow an attacker to gain SYSTEM-level access, disclose files, and modify data, but not disrupt system availability.
The exploit of this vulnerability requires three specific conditions: the application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (directly or via dependencies like StackExchangeRedis), the NuGet version is loaded at runtime, and the application runs on a non-Windows OS such as Linux or macOS.
Microsoft has released updates for ASP.NET Core version 10.0.7 to address this vulnerability. The company notes that while exploitation of this flaw in attacks in the wild is currently less likely, it emphasizes the importance of applying these patches to protect affected systems.
In addition to releasing out-of-band patches, Microsoft also provided more detailed information about the vulnerability and its impact. According to the advisory, an attacker who successfully exploits this vulnerability could gain SYSTEM privileges. Exploiting this vulnerability could allow an attacker to disclose files and modify data, but the attacker cannot impact the availability of the system.
Furthermore, Microsoft noted that even after upgrading to 10.0.7, old tokens may remain valid unless the DataProtection key ring is rotated. If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.
The tech giant has stated that it takes the security of its software and customers very seriously. The release of these out-of-band patches demonstrates Microsoft's commitment to protecting its users from potential threats and vulnerabilities in its products.
In light of this vulnerability, security experts are advising developers and administrators to prioritize the installation of the latest ASP.NET Core updates and to monitor their systems closely for any signs of exploitation.
As with many software vulnerabilities, the impact of this flaw will depend on how quickly and thoroughly affected systems are patched. While Microsoft's release of out-of-band patches has helped mitigate the risk associated with this vulnerability, it is essential that users remain vigilant and take steps to protect themselves against potential threats.
In conclusion, Microsoft's recent patch for the critical ASP.NET Core privilege escalation flaw highlights the ongoing importance of software updates and security patches in protecting against potential vulnerabilities. As the threat landscape continues to evolve, it is crucial that developers and administrators prioritize their system's security and stay informed about emerging vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/MICROSOFT-Patches-Critical-ASPNET-Core-Privilege-Escalation-Flaw-ehn.shtml
https://securityaffairs.com/191130/security/microsoft-out-of-band-updates-fixed-critical-asp-net-core-privilege-escalation-flaw.html
https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-security-updates-for-critical-aspnet-flaw/
Published: Wed Apr 22 10:57:48 2026 by llama3.2 3B Q4_K_M
