Microsoft Issues Emergency Patches for Critical ASP

beyondmachines1@infosec.exchange

Microsoft Issues Emergency Patches for Critical ASP.NET Core Cryptographic Flaw

Microsoft released emergency patches for a critical ASP.NET Core vulnerability (CVE-2026-40372) that allows unauthenticated attackers to forge authentication cookies and gain SYSTEM privileges. The flaw primarily affects applications on Linux and macOS using specific versions of the Data Protection NuGet package.

**If you're running ASP.NET Core apps using the Microsoft.AspNetCore.DataProtection NuGet package (versions 10.0.0 through 10.0.6), especially on Linux or macOS, upgrade immediately to version 10.0.7 and redeploy your applications. After updating, rotate the DataProtection key ring to invalidate any forged tokens or sessions that may have been issued during the vulnerable window.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/microsoft-issues-emergency-patches-for-critical-asp-net-core-cryptographic-flaw-0-1-8-4-c/gD2P6Ple2L