Microsoft Releases Emergency Patch for ASP.NET Core Vulnerability on Linux and macOS – Immediate Action Required
<h2>Overview of the Emergency Patch</h2><p>Microsoft has issued an out-of-band security update for ASP.NET Core to address a high-severity vulnerability that could allow unauthenticated attackers to gain full SYSTEM-level access on systems running Linux or macOS. The flaw, identified as <strong>CVE-2026-40372</strong>, resides in the <strong>Microsoft.AspNetCore.DataProtection</strong> NuGet package, a core component of the ASP.NET Core framework used to protect sensitive data such as authentication tokens and cookies.</p><p>The vulnerability affects package versions <strong>10.0.0 through 10.0.6</strong> inclusive. Microsoft released the patch on Tuesday evening, urging all developers and administrators to apply it immediately.</p><h2 id="vulnerability-details">Vulnerability Details</h2><p>The security flaw originates from <strong>incorrect validation of cryptographic signatures</strong> during HMAC (Hash-based Message Authentication Code) verification. HMAC is a mechanism used to verify both the integrity and authenticity of data exchanged between a client and a server – for example, in authentication cookies or API tokens.</p><p>Under normal circumstances, only the legitimate server, which holds the secret key, can generate valid HMAC signatures. But because of the faulty signature verification, an unauthenticated attacker can craft forged authentication payloads that pass validation. 
This enables them to impersonate any user, including privileged accounts, and ultimately execute code with SYSTEM privileges – the highest level of access on a Windows machine or equivalent on Linux/macOS.</p><h3>Attack Vector</h3><p>The attack does not require any prior authentication or user interaction. An attacker simply sends a specially crafted request to an application using a vulnerable version of the DataProtection package. The bug can be exploited remotely over the network, making it especially dangerous for internet-facing applications.</p><h2 id="impact-and-risk">Impact and Risk: Full System Compromise</h2><p>If exploited, the vulnerability gives an attacker <strong>complete control</strong> over the underlying machine. This includes the ability to:</p><ul><li>Install malicious programs</li><li>View, modify, or delete data</li><li>Create new accounts with full privileges</li><li>Move laterally within the network</li></ul><p>Because ASP.NET Core is widely used for cross-platform applications, the risk extends to any organization running Linux or macOS servers with the affected package versions.</p><h2 id="credential-warning">Critical Warning: Forged Credentials Survive Patching</h2><p>One of the most alarming aspects of CVE-2026-40372 is that <strong>simply updating the package does not fully remediate existing compromises</strong>. If an attacker exploited the vulnerability before the patch was applied, they may have generated forged authentication credentials that remain valid even after the vulnerable code is replaced.</p><p>These persistent credentials reside in the system's <strong>data protection key ring</strong> – the repository where ASP.NET Core stores cryptographic keys used for generating and validating authentication tickets. 
Unless the key ring is explicitly purged and new keys are generated, the attacker's tokens continue to work, keeping the backdoor open.</p><p>As Microsoft warned, “Devices may still be compromised if authentication credentials created by a threat actor aren’t purged.” This means that applying the patch is only the first step.</p><h2 id="mitigation-steps">Mitigation Steps: How to Fully Secure Your Systems</h2><p>To address both the vulnerability and the credential persistence issue, follow these steps:</p><ol><li><strong>Update the NuGet package</strong> to version <strong>10.0.7 or later</strong> (the fixed version released on Tuesday). Use your package manager to update <em>Microsoft.AspNetCore.DataProtection</em> in all affected projects.</li><li><strong>Purge the data protection key ring</strong> to invalidate any potentially forged credentials. This can be done by:<ul><li>Deleting the key ring directory (default location: <code>%LOCALAPPDATA%\ASP.NET\DataProtection-Keys</code> on Windows, <code>~/.aspnet/DataProtection-Keys</code> on Linux/Mac).</li><li>Or, if using a custom key storage (e.g., Azure Key Vault, Redis), replace or invalidate existing keys.</li></ul></li><li><strong>Regenerate and redistribute keys</strong> immediately after purging. 
Use the <code>dotnet dev-certs https --clean</code> command for development environments, or rely on your key management system for production.</li><li><strong>Audit your systems</strong> for signs of prior exploitation: look for unexpected user accounts, unusual network connections, or suspicious activity logs. Since SYSTEM-level access could have been obtained, assume full compromise if any indicators are found.</li><li><strong>Reissue all authentication tokens</strong> to force users to log in again with newly generated credentials.</li></ol><h2 id="conclusion">Conclusion: Act Now to Prevent Exploitation</h2><p>CVE-2026-40372 is a high-severity vulnerability that bypasses one of the fundamental security mechanisms in ASP.NET Core – cryptographic signature verification. Given the ease of exploitation (no authentication required) and the severe impact (full SYSTEM privileges), this patch should be treated as an emergency.</p><p>Remember: <strong>patching alone is not enough</strong>. You must also take the additional step of purging the data protection key ring to eliminate any pre-existing forged credentials. Delaying either action leaves your systems exposed to complete takeover.</p><p>For more details, refer to the <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372" target="_blank">official Microsoft Security Response Center advisory</a>. For guidance on key management, see the <a href="https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview" target="_blank">ASP.NET Core Data Protection documentation</a>.</p>
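<p>The two points made above, that payloads minted under the old keys keep verifying after the package update and that the key ring must be purged and regenerated, can be seen end to end with the Data Protection APIs. The console program below is an added example written for this article, not Microsoft's code: it persists a key ring to a temporary directory standing in for the default location, protects a payload, revokes every key through <code>IKeyManager.RevokeAllKeys</code>, and shows the old payload being rejected. The application name, purpose string and directory are assumptions.</p>

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Added example (not Microsoft's code). Needs the Microsoft.AspNetCore.DataProtection
// and Microsoft.Extensions.DependencyInjection packages.
// The key ring lives in a temp directory here; a real app uses the default location
// named in the article (~/.aspnet/DataProtection-Keys on Linux/macOS) or a custom
// repository such as Azure Key Vault or Redis.
var keyRingDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-demo"));

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("demo-app")            // assumed name; must match across all instances
    .PersistKeysToFileSystem(keyRingDir);
using var sp = services.BuildServiceProvider();

// "auth-ticket" is an assumed purpose string standing in for the one the cookie
// authentication handler uses; purposes isolate protectors but share the key ring.
var protector = sp.GetRequiredService<IDataProtectionProvider>().CreateProtector("auth-ticket");
var keyManager = sp.GetRequiredService<IKeyManager>();

// 1. A payload minted before remediation. It stands in for a ticket the vulnerable
//    validation accepted; swapping the NuGet package alone does not change the keys
//    it is bound to, so it keeps verifying.
string oldTicket = protector.Protect("user=admin");
Console.WriteLine($"before purge: {protector.Unprotect(oldTicket)}");

// 2. Remediation: revoke every key in the ring (XmlKeyManager also invalidates the
//    in-process key ring cache) and provision a fresh key.
keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason: "CVE-2026-40372 remediation");
keyManager.CreateNewKey(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(90));

// 3. Anything protected under a revoked key now fails verification.
try
{
    protector.Unprotect(oldTicket);
    Console.WriteLine("after purge: old ticket STILL accepted (unexpected)");
}
catch (CryptographicException)
{
    Console.WriteLine("after purge: old ticket rejected");
}

// 4. Newly issued tickets use the fresh key, so legitimate users simply re-authenticate.
Console.WriteLine($"new ticket: {protector.Unprotect(protector.Protect("user=admin"))}");
```

<p>Deleting the key ring directory, as the steps above describe, has the same effect on in-flight payloads; revoking through <code>IKeyManager</code> additionally leaves a dated revocation record in the repository, which is useful evidence during the audit step.</p>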