Microsoft patches ASP.NET Core flaw granting SYSTEM privileges on Linux/macOS

Microsoft has rolled out an emergency security update for its ASP.NET Core framework following the discovery of a high-severity vulnerability that could enable unauthenticated attackers to escalate privileges to SYSTEM level on Linux and macOS systems.

The flaw, tracked under CVE-2026-40372, impacts versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package—a core component used by developers to secure web applications. According to Microsoft’s advisory, the issue arises from improper validation of cryptographic signatures during HMAC operations, which are critical for verifying the integrity and authenticity of data exchanged between servers and clients.

When exploited successfully, the vulnerability allows threat actors to forge authentication tokens, bypassing security controls and gaining unauthorized access with SYSTEM-level permissions. This level of access effectively grants full control over the affected machine, putting sensitive data and system resources at risk.

How the vulnerability works

The root cause of CVE-2026-40372 lies in the way the framework handles HMAC-based signature verification. Normally, HMAC (Hash-based Message Authentication Code) ensures that data hasn’t been tampered with and that it originates from a trusted source. However, due to flawed logic in the cryptographic validation process, attackers can craft malicious payloads that pass validation checks without proper authentication.

This means that even if an application appears to require valid credentials, an attacker could submit a specially crafted token that the system incorrectly accepts as legitimate. Once authenticated under false pretenses, the attacker inherits the privileges associated with the SYSTEM account—typically unrestricted access to the operating system.

Why immediate action is required

Microsoft emphasizes that this is not a theoretical risk. Systems running vulnerable versions of the Microsoft.AspNetCore.DataProtection package are actively exposed to exploitation. The company has confirmed that unauthenticated attackers could leverage the flaw to execute arbitrary code, install malware, or exfiltrate sensitive information—all without triggering standard security alerts.

Even more concerning is the persistence of the threat post-patching. Microsoft warns that any authentication tokens generated while the vulnerability was active may still be valid even after the update is applied. This means administrators must not only install the patch but also rotate all affected credentials and invalidate any tokens that could have been compromised during the exposure window.

Steps developers and admins should take now

If your infrastructure relies on ASP.NET Core applications running on macOS or Linux, follow these critical steps to mitigate exposure:

• Update immediately: Install version 10.0.7 or later of the Microsoft.AspNetCore.DataProtection NuGet package. For .NET 10 SDK users, ensure your project references the patched version.
• Rotate credentials: Revoke and regenerate all authentication tokens, API keys, and session cookies that were in use before the patch was applied.
• Audit logs: Review system logs for signs of unauthorized access or unusual authentication activity during the period when the vulnerable package was deployed.
• Monitor systems: Implement intrusion detection systems or endpoint monitoring tools to detect any anomalous behavior that may indicate exploitation attempts.

Failure to act quickly could leave your systems vulnerable to persistent compromises, even after the technical vulnerability has been addressed.

The bigger picture: Securing ASP.NET Core in 2025

This incident underscores the growing sophistication of attacks targeting development frameworks and the critical role of timely patching in enterprise security strategy. While Microsoft has responded swiftly, the episode highlights a recurring challenge: supply chain vulnerabilities within widely used developer tools often go unnoticed until exploitation occurs.

Organizations must prioritize not only reactive patching but also proactive security measures such as continuous dependency scanning, automated vulnerability detection, and developer security training. As web applications become more interconnected and complex, the cost of overlooking a single component in the stack can be catastrophic.

The race to secure digital infrastructure continues, and frameworks like ASP.NET Core remain prime targets. Staying ahead requires vigilance, rapid response, and a layered defense strategy that protects both code and credentials.