INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Microsoft fixes critical ASP.NET Core privilege escalation flaw
2026-04-22 14:00 | Severity: CRITICAL / HIGH

Executive Summary (AI-generated)
The recent incident data reveals a critical vulnerability in ASP.NET Core, tracked as CVE-2026-40372. The flaw lets an attacker escalate privileges by forging payloads that the application's authentication mechanism accepts as valid. Microsoft has released out-of-band updates to address the issue; version 10.0.7 is the fixed release. The affected configuration is an application that loads the vulnerable Microsoft.AspNetCore.DataProtection NuGet package at runtime and runs on Linux, macOS, or another non-Windows operating system, which makes the exposure widespread. Microsoft's patch has been widely adopted to prevent further exploitation.
Technical Mitigations (AI-generated)
* Upgrade Microsoft.AspNetCore.DataProtection to 10.0.7 or later, and verify that the patched NuGet version is the one actually loaded at runtime. This matters most on non-Windows operating systems such as Linux or macOS, which is the configuration Microsoft lists as affected.
* Rotate the Data Protection key ring after upgrading. Protected payloads such as cookies and antiforgery tokens that were forged during the vulnerable window remain valid on 10.0.7 until the key ring is rotated.
* Review authentication activity from the vulnerable window. An attacker who authenticated as a privileged user with a forged payload may have obtained legitimately signed tokens (session refresh tokens, API keys, password reset links) from the application; such tokens should be revoked.
Technical Observables

Intelligence Metadata
- Actors / Malware / CVEs / Campaigns: CVE-2026-40372
- Target & Sectors: Global Scope

Incident Timeline
- Apr 22, 2026: Threat actors exploited a previously unknown critical vulnerability in Microsoft's ASP.NET Core software to gain unauthorized access.
- Apr 22, 2026: Microsoft released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges.
Entities and Context

Microsoft (organisation)
- Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug.
- Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw.

9.1 (CVSS score)
- Microsoft fixed critical ASP.NET Core vulnerability, tracked as CVE-2026-40372 (CVSS score of 9.1), that lets attackers escalate privileges.
- Microsoft released out-of-band updates to address a serious ASP.NET Core vulnerability tracked as CVE-2026-40372 (CVSS score of 9.1).
- The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0.

Linux, macOS, Windows (infrastructure)
- The application runs on Linux, macOS, or another non-Windows operating system.
- Affected configuration: DataProtection 10.0.6 from NuGet (directly or via dependencies like StackExchangeRedis), the NuGet version is loaded at runtime, and the application runs on a non-Windows OS such as Linux or macOS.

NuGet (organisation), 10.0.6 (software version)
- DataProtection 10.0.6 from NuGet (either directly or through a package that depends on it, such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).

10.0.7 (software version)
- The vulnerability has been addressed by Microsoft in ASP.NET Core version 10.0.7.
- Microsoft fixed the flaw in ASP.NET Core version 10.0.7.

10.0.0-10.0.6 (software versions), HMAC
- "... DataProtection 10.0.0-10.0.6 NuGet packages cause the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases," Microsoft explained in its release notes.
- DataProtection 10.0.0-10.0.6 caused incorrect HMAC validation, sometimes ignoring the correct hash.

DataProtection (package), API
- "Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated."
- "If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves," Microsoft states.

Source bylines
- Ravie Lakshmanan, Apr 22, 2026, Vulnerability / Cryptography: Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges.
- Pierluigi Paganini (SecurityAffairs – hacking, ASP.NET Core)
Tactical Metrics
- Affected Product (as tagged): Linux, macOS, Windows. The cited context states that the affected application runs on Linux, macOS, or another non-Windows operating system, with DataProtection 10.0.6 from NuGet (directly or via dependencies like StackExchangeRedis) loaded at runtime.
- Software Version (fixed): ASP.NET Core 10.0.7.
- Software Version (affected): DataProtection 10.0.0-10.0.6 NuGet packages, which cause the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases, per Microsoft's release notes.
- CVSS Score: 9.1 (CVE-2026-40372).
Intelligence Sources
- The Hacker News, 2026-04-22
- Security Affairs, 2026-04-22
Incident Version History
- Current version, last updated 2026-04-27T06:12
Comprehensive Tactical Telemetry

Highly Correlated Entities
- Microsoft (organisation, identified entity): 8x
- 10.0.7 (infrastructure, software version): 5x
- Linux (infrastructure, affected product): 3x
- Apr 22, 2026 (timeline, temporal reference): 2x

Contextual Telemetry (4 metrics)
- Cyber Operation Type (tactic): Privilege Escalation
- Exploited CVE (vulnerability): CVE-2026-40372
- CVSS Score (vulnerability): 9 (the cited sources give 9.1)
- General metric: Apr 22