Microsoft Issues Emergency Patches for Critical ASP.NET Core Vulnerability
AI-generated from multiple sources. Verify before acting on this reporting.
Microsoft released emergency out-of-band security patches Tuesday to address a critical privilege escalation vulnerability in its ASP.NET Core framework. The flaw, designated CVE-2026-40372, allowed unauthenticated attackers to gain SYSTEM-level privileges by forging authentication cookies.
The vulnerability stems from a regression in the Microsoft.AspNetCore.DataProtection library, specifically affecting versions 10.0.0 through 10.0.6 of the NuGet packages. The defect enabled attackers to forge payloads and decrypt previously protected data within authentication cookies and tokens. Successful exploitation could allow remote attackers to execute arbitrary code on affected servers with the highest level of system access.
Microsoft identified the issue and began distributing updates globally at 08:24 UTC on April 22, 2026. The company urged administrators to apply the patches immediately, noting that the vulnerability was actively being exploited in the wild. The update applies to Microsoft services and affected devices worldwide, requiring urgent attention from organizations relying on the impacted versions of the framework.
The flaw represents a significant security risk due to its potential for remote code execution without prior authentication. By manipulating the data protection mechanisms, attackers could bypass standard security controls and gain unauthorized access to sensitive systems. The regression occurred during a recent update cycle, introducing a weakness that compromised the integrity of the authentication process.
Security researchers have highlighted the severity of the issue, emphasizing the need for immediate remediation. The vulnerability affects a wide range of applications built on the ASP.NET Core platform, including enterprise web services and cloud-based applications. Organizations are advised to review their systems for signs of compromise and ensure all instances of the affected libraries are updated to the latest patched versions.
Microsoft has not disclosed the full extent of the exploitation or the number of affected systems. The company is working with security partners to monitor the situation and provide guidance on mitigation strategies. Administrators are encouraged to implement additional security measures, such as network segmentation and enhanced monitoring, while waiting for the patches to be fully deployed.
The incident underscores the importance of rigorous testing during software development cycles to prevent regressions that could introduce critical vulnerabilities. As organizations rush to apply the updates, questions remain about whether any data breaches have already occurred due to the flaw. Microsoft continues to investigate the scope of the issue and will provide further updates as more information becomes available.