Microsoft issues emergency update for macOS and Linux ASP.NET threat
Briefly

"The vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet, a package that's part of the framework."
"During the time users ran a vulnerable version of the package, they were left open to an attack that would allow unauthenticated people to gain sensitive SYSTEM privileges."
"If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately signed tokens to themselves."
"Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated."
Microsoft has issued an emergency patch for ASP.NET Core to address a critical vulnerability, CVE-2026-40372, in versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection package. The flaw stems from improper verification of cryptographic signatures, so an unauthenticated attacker could forge an authentication payload and use it to pose as a privileged user; the report describes this leading to SYSTEM-level privileges on Linux and macOS hosts running affected apps. Upgrading to 10.0.7 stops new forgeries, but it does not undo what happened during the vulnerable window: any tokens the application legitimately signed for an attacker who had authenticated with a forged payload remain valid until the DataProtection key ring is rotated. Rotating the key ring is therefore part of the fix rather than optional follow-up, with the caveat that it also invalidates every other cookie and token protected with the old keys, so legitimate users will have to sign in again.
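The following console program is an added example, not code from the Ars Technica article or from Microsoft, showing what "rotating the key ring" means in terms of the Microsoft.AspNetCore.DataProtection API: a payload protected before the rotation still unprotects after the package upgrade alone, and is rejected once every pre-existing key is revoked and a fresh key is created. The application name, purpose string, payload contents and key directory are hypothetical placeholders.

```csharp
// Added example (not from the Ars Technica article or Microsoft): after upgrading
// Microsoft.AspNetCore.DataProtection to 10.0.7, revoke every key in the ring and
// create a fresh one, so payloads signed during the vulnerable window stop
// unprotecting. Application name, purpose string, payload and key directory are
// hypothetical placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

class KeyRingRotation
{
    static void Main()
    {
        // Throwaway key directory so the demo never touches a real key ring.
        // In production this must be the store every instance of the app shares
        // (directory, blob, Redis, ...); rotating a per-node key ring fixes one node only.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-rotation-demo"));

        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("example-app")              // hypothetical app name
            .PersistKeysToFileSystem(keyDir);
        using var sp = services.BuildServiceProvider();

        var provider = sp.GetRequiredService<IDataProtectionProvider>();
        var protector = provider.CreateProtector("Example.AuthToken"); // hypothetical purpose

        // Stand-in for a token the app issued, with its real key, to someone who
        // authenticated with a forged payload during the vulnerable window.
        string tokenFromVulnerableWindow = protector.Protect("sub=admin;role=Administrator");

        // Upgrading the package alone leaves this token valid: the key that signed it
        // is still in the ring and still trusted.
        Console.WriteLine("Before rotation: " + protector.Unprotect(tokenFromVulnerableWindow));

        // Rotation: revoke every key created before now, then create a new key so the
        // app keeps issuing tokens. RevokeAllKeys writes a revocation record to the key
        // store, so it applies to every instance reading the same store.
        var keyManager = sp.GetRequiredService<IKeyManager>();
        var now = DateTimeOffset.UtcNow;
        keyManager.RevokeAllKeys(now, reason: "Key ring rotation after CVE-2026-40372 upgrade");
        keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

        // Payloads protected with a revoked key now fail with CryptographicException.
        try
        {
            protector.Unprotect(tokenFromVulnerableWindow);
            Console.WriteLine("After rotation: old token STILL accepted (rotation did not take effect)");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("After rotation: old token rejected: " + ex.Message);
        }

        // New payloads use the fresh key and round-trip normally.
        string fresh = protector.Protect("sub=alice;role=User");
        Console.WriteLine("New token round-trips: " + protector.Unprotect(fresh));
    }
}
```

Build it against the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages. ASP.NET Core authentication cookies and other DataProtection-backed tokens are protected by the same key ring, so running the revocation step against the app's real key store signs every user out at once; that is the intended effect, because there is no way to tell an attacker's legitimately signed token from anyone else's. If the app uses a file-based store, deleting the key XML files and letting the app generate a new key on restart achieves the same result, but the revocation record above is the auditable way to do it.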
Read at Ars Technica