Microsoft has issued an emergency update for ASP.NET Core. The vulnerability, tracked as CVE-2026-40372, allows unauthenticated attackers to gain SYSTEM privileges on devices running Linux or macOS applications. Logging this for the record.
The flaw exists within the Microsoft.AspNetCore.DataProtection NuGet package, specifically versions 10.0.0 through 10.0.6. It is a failure of cryptographic signature verification. By forging authentication payloads during the HMAC validation process, an attacker can bypass the front door and assume full control of the underlying machine. Microsoft released the patch out-of-band. In the world of software maintenance, "out-of-band" is the polite way of saying the house is on fire and the scheduled fire drill is too far away.
This is not a theoretical risk. The vulnerability has a CVSS score of 9.1. It targets the very mechanism used to verify the integrity and authenticity of data exchanged between clients and servers. When the integrity check fails, the entire security model of the application collapses.
The fine print, however, is where the actual work begins. Microsoft’s advisory notes that simply applying the update to version 10.0.7 is insufficient for full remediation. This goes in the incident report: even after the patch is installed, any authentication credentials or session tokens created by a threat actor during the "vulnerable window" remain valid.
If an attacker successfully forged a payload before the patch was applied, they may have induced the application to issue legitimately signed tokens to themselves. These tokens—session refreshes, API keys, and password reset links—do not expire just because the code was updated. To truly secure the environment, administrators must manually rotate the DataProtection key ring.
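The key-ring rotation the advisory calls for is easy to get half right: installing 10.0.7 swaps the code, but the existing keys (and every payload protected with them) stay valid until an operator revokes them. The following C# program is an added example, not code from the page or from Microsoft's advisory. It assumes a console project that references a patched Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection, and that the key ring is persisted to a directory (the temp path below is a stand-in for a real deployment's key store). It protects a sample payload, revokes every key in the ring, provisions a fresh one, and then shows that the pre-rotation payload no longer passes the integrity check.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Added example: rotate an ASP.NET Core DataProtection key ring after a patch
// so that payloads protected before the rotation stop validating.
class KeyRingRotation
{
    static void Main()
    {
        // Hypothetical key-store path; in production point this at the real
        // persisted key ring (file share, blob storage, Redis, etc.).
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-demo"));

        var services = new ServiceCollection();
        services.AddDataProtection()
                .SetApplicationName("demo-app")          // constructed app name
                .PersistKeysToFileSystem(keyDir);
        using var sp = services.BuildServiceProvider();

        var provider   = sp.GetRequiredService<IDataProtectionProvider>();
        var protector  = provider.CreateProtector("session-tokens");
        var keyManager = sp.GetRequiredService<IKeyManager>();

        // Stand-in for a token minted while the vulnerable package was deployed.
        string oldToken = protector.Protect("session-for-user-42");
        Console.WriteLine($"Before rotation: {protector.Unprotect(oldToken)}");

        // Step 1: revoke every key created up to now. The reason string lands
        // in the key ring's revocation record, which is useful for the incident report.
        keyManager.RevokeAllKeys(DateTimeOffset.UtcNow,
                                 "Key ring rotation after DataProtection patch");

        // Step 2: provision a replacement key, active immediately, 90-day lifetime.
        keyManager.CreateNewKey(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(90));

        // Step 3: confirm that pre-rotation payloads are rejected. Unprotect
        // throws because the key that signed them is now marked revoked.
        try
        {
            protector.Unprotect(oldToken);
            Console.WriteLine("UNEXPECTED: old token still validates");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"Old token rejected: {ex.Message}");
        }

        // New payloads are protected with the fresh key and round-trip normally.
        string newToken = protector.Protect("session-for-user-42");
        Console.WriteLine($"After rotation: {protector.Unprotect(newToken)}");
    }
}
```

Two caveats a practitioner should keep in mind. First, revocation is picked up by other processes sharing the same key ring only when they next refresh it, so in a multi-instance deployment the old tokens remain accepted on each node until its key ring cache expires or the process restarts. Second, this only invalidates material that DataProtection itself protected (authentication cookies, antiforgery tokens, Identity's password-reset and confirmation tokens); anything the attacker obtained that is stored outside the key ring, such as an API key persisted in a database, has to be revoked through whatever system issued it.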
The policy implications are clear. We are seeing a shift in the labor of accountability. Microsoft provides the framework and, in this instance, provided the flaw. They have now provided the patch. But the actual restoration of security—the granular task of invalidating the potential persistence of an attacker—is delegated to the end user. It is a remediation strategy that relies on the user reading the full advisory rather than just clicking "update."
History suggests that many will click the button and ignore the text. The "vulnerable window" closes for the code, but remains open for the credentials. This is how "fixed" vulnerabilities become long-term residency permits for unauthorized actors.
The record will show that a patch is a suggestion of security, not a guarantee of it.