Microsoft Issues Emergency Patch for Critical ASP.NET Core Flaw Allowing SYSTEM Privilege Escalation via Forged Auth Cookies

Microsoft has pushed an emergency out-of-band security update to address CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core's Data Protection cryptographic APIs that allows unauthenticated attackers to forge authentication cookies and gain SYSTEM-level access on affected systems.

The flaw originated from a regression introduced in the Microsoft.AspNetCore.DataProtection NuGet packages (versions 10.0.0 through 10.0.6). The managed authenticated encryptor was computing its HMAC validation tag over the wrong bytes of the payload and discarding the computed hash in certain cases. This broken validation means an attacker can forge payloads that pass Data Protection's authenticity checks — and decrypt previously protected payloads including auth cookies, antiforgery tokens, TempData, and OIDC state parameters.

The implications extend beyond the initial exploitation window. If an attacker used forged payloads to authenticate as a privileged user while the vulnerability was active, the application may have issued legitimately signed tokens — session refreshes, API keys, password reset links — to the attacker. Those tokens remain valid even after upgrading to version 10.0.7 unless the Data Protection key ring is explicitly rotated.

Microsoft discovered the vulnerability after users reported decryption failures in their applications following installation of the .NET 10.0.6 update released during April's Patch Tuesday. Beyond privilege escalation, the flaw also enables file disclosure and data modification, though Microsoft notes it does not impact system availability.

This is the second critical ASP.NET Core vulnerability requiring urgent attention in recent months. In October 2025, Microsoft patched CVE-2025-55315, an HTTP request smuggling flaw in the Kestrel web server that carried what Microsoft described as the highest severity rating ever assigned to an ASP.NET Core security issue.

Mitigation:

Update the Microsoft.AspNetCore.DataProtection package to version 10.0.7 immediately and redeploy all affected applications. The updated validation routine will automatically reject forged payloads going forward. Critically, rotate the Data Protection key ring after patching — any legitimately signed tokens issued to an attacker during the vulnerable window will remain valid until the key ring is rotated. Audit authentication logs for anomalous privilege escalation or token issuance during the period between .NET 10.0.6 deployment and the 10.0.7 update. Review any password reset links, API keys, or session tokens issued during the exposure window for signs of abuse.
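The key ring rotation the advisory calls for, as an added example that is not part of the article or of Microsoft's own tooling. It assumes the web app persists its keys to the file system at KeyRingPath and registers the application name AppName (both placeholders that must match the deployed app); the purpose string and the token payload are constructed for the demo. Revoking the whole ring invalidates every existing cookie and token, which is the intended effect: users re-authenticate, and anything handed out during the exposure window stops validating.

```csharp
// Added example: rotate the Data Protection key ring after upgrading to 10.0.7.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

const string KeyRingPath = "/var/lib/myapp/dp-keys"; // placeholder: the app's key store
const string AppName = "myapp";                      // placeholder: must match the web app

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName(AppName)
    .PersistKeysToFileSystem(new DirectoryInfo(KeyRingPath));
using var sp = services.BuildServiceProvider();

var keyManager = sp.GetRequiredService<IKeyManager>();
var protector = sp.GetRequiredService<IDataProtectionProvider>()
                  .CreateProtector("demo-auth-cookie"); // constructed purpose string

// Stands in for a cookie or token issued while 10.0.0-10.0.6 was deployed.
string oldToken = protector.Protect("user=admin;issued-during-exposure");

// 1. Revoke every key created before now. Keys active in the exposure window
//    may predate it (default key lifetime is 90 days), so do not filter by
//    activation date; revoke the whole ring.
var revocationTime = DateTimeOffset.UtcNow;
keyManager.RevokeAllKeys(revocationTime, "CVE-2026-40372: rotation after upgrade to 10.0.7");

// 2. Create a replacement key that is active immediately.
var newKey = keyManager.CreateNewKey(revocationTime, revocationTime.AddDays(90));
Console.WriteLine($"New key {newKey.KeyId} active from {newKey.ActivationDate:u}");

// 3. Payloads protected with revoked keys no longer unprotect; this is what
//    invalidates tokens issued during the vulnerable window.
try
{
    protector.Unprotect(oldToken);
    Console.WriteLine("UNEXPECTED: old token still accepted; check the web app uses this key store");
}
catch (CryptographicException)
{
    Console.WriteLine("Old token rejected: its key is revoked");
}

foreach (var key in keyManager.GetAllKeys())
    Console.WriteLine($"{key.KeyId} created {key.CreationDate:u} revoked={key.IsRevoked}");
```

Run it once against the same key store the web app uses, then restart the app instances so none keeps a stale in-memory key ring.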

By Zero Day Wire