# Microsoft Patches Critical Privilege Escalation Flaw in ASP.NET Core (CVE-2026-40372)


## The Threat


Microsoft has released an out-of-band security patch addressing a critical privilege escalation vulnerability in ASP.NET Core that could allow attackers to gain elevated permissions on affected systems. The flaw, tracked as CVE-2026-40372, stems from improper verification of cryptographic signatures in the framework's authentication pipeline, potentially enabling unauthorized access to sensitive functionality.


The vulnerability affects the core authentication mechanisms that ASP.NET Core applications rely on to verify user identity and permissions. When exploited, an attacker could bypass established privilege checks and escalate their access level—potentially moving from an unprivileged user account to administrative control. This type of vulnerability is particularly dangerous in multi-tenant environments, cloud deployments, and applications handling sensitive data or financial transactions.


The attack requires relatively low complexity and no prior authentication context in many scenarios, making it a high-priority concern for organizations running ASP.NET Core in production. An anonymous security researcher discovered and responsibly disclosed the flaw, prompting Microsoft to accelerate its patching timeline beyond the regular monthly update cycle.


## Severity and Impact


| Attribute | Details |
|-----------|---------|
| CVE ID | CVE-2026-40372 |
| CVSS Score | 9.1 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Authentication Required | None |
| User Interaction | None |
| CWE | CWE-347 (Improper Verification of Cryptographic Signature) |
| Microsoft Severity Rating | Important |


A CVSS score of 9.1 indicates this vulnerability poses an immediate and serious risk to enterprise environments. The attack vector is network-based, meaning exploitation can occur remotely without requiring local access. The low attack complexity and absence of authentication requirements significantly lower the barrier to exploitation, allowing even unsophisticated attackers to potentially compromise systems.


## Affected Products


The vulnerability impacts the following ASP.NET Core versions:


- ASP.NET Core 6.0 (all versions prior to 6.0.20)
- ASP.NET Core 7.0 (all versions prior to 7.0.10)
- ASP.NET Core 8.0 (all versions prior to 8.0.2)
- .NET 6.0 (Runtime and SDK versions prior to 6.0.20)
- .NET 7.0 (Runtime and SDK versions prior to 7.0.10)
- .NET 8.0 (Runtime and SDK versions prior to 8.0.2)

Any application built on these .NET versions is potentially vulnerable if it uses the authentication subsystems affected by this privilege escalation flaw. Organizations should verify their deployment manifests and dependency tracking to identify all instances of these versions across their infrastructure.
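One way to inventory hosts against the version thresholds above, as an added example that is not part of the advisory: the script parses the output of `dotnet --list-runtimes` and flags any shared framework below the fixed version for its major line. It assumes that the ".NET Runtime" versions listed correspond to `Microsoft.NETCore.App` and the ASP.NET Core versions to `Microsoft.AspNetCore.App`; the sample output is constructed, not captured from a real host.

```python
"""Flag installed .NET / ASP.NET Core runtimes below the fixed versions named in the advisory."""
import re
import subprocess

# Minimum fixed version per major line, taken from the advisory (6.0.20, 7.0.10, 8.0.2).
FIXED_VERSIONS = {6: (6, 0, 20), 7: (7, 0, 10), 8: (8, 0, 2)}
# Shared frameworks the fix applies to, as `dotnet --list-runtimes` names them (assumption:
# Microsoft.NETCore.App is the ".NET Runtime" line, Microsoft.AspNetCore.App the ASP.NET Core line).
AFFECTED_RUNTIMES = {"Microsoft.AspNetCore.App", "Microsoft.NETCore.App"}
# One `dotnet --list-runtimes` line: "<name> <major.minor.patch>[-prerelease] [<install path>]"
RUNTIME_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<version>\d+\.\d+\.\d+)(?P<suffix>\S*)\s+\[(?P<path>.*)\]$")


def parse_version(text):
    """'6.0.19' -> (6, 0, 19), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def find_vulnerable_runtimes(list_runtimes_output):
    """Return (name, version, path) for each affected runtime below its line's fixed version."""
    findings = []
    for line in list_runtimes_output.splitlines():
        match = RUNTIME_LINE.match(line.strip())
        if not match or match["name"] not in AFFECTED_RUNTIMES:
            continue
        version = parse_version(match["version"])
        fixed = FIXED_VERSIONS.get(version[0])
        if fixed is None:
            continue  # a major line the advisory does not list
        # A prerelease of the fixed version (e.g. 8.0.2-preview.1) predates the fix, so it counts as below.
        if version < fixed or (version == fixed and match["suffix"]):
            findings.append((match["name"], match["version"] + match["suffix"], match["path"]))
    return findings


# Constructed sample in the `dotnet --list-runtimes` format; not captured from a real host.
SAMPLE_OUTPUT = """\
Microsoft.AspNetCore.App 6.0.19 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.2 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 7.0.9 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 8.0.1 [/usr/share/dotnet/shared/Microsoft.WindowsDesktop.App]
"""

if __name__ == "__main__":
    try:  # prefer this host's real runtime list; fall back to the sample when the CLI is absent
        output = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_OUTPUT
    for name, version, path in find_vulnerable_runtimes(output):
        print(f"VULNERABLE: {name} {version} ({path})")
```

Run on each host (or inside each container image) and feed the findings into the deployment inventory the advisory asks you to verify; a runtime that is not in the affected major lines is ignored rather than reported.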


## Mitigations


Immediate Actions:

1. Apply Security Updates: Download and deploy the latest security patches for your ASP.NET Core and .NET runtime versions immediately. Microsoft has released:
   - ASP.NET Core 6.0.20 or later
   - ASP.NET Core 7.0.10 or later
   - ASP.NET Core 8.0.2 or later

2. Prioritize Production Deployments: Focus your patching effort on production systems and internet-facing applications first. Test patches in a staging environment before rolling them out to minimize disruption.

3. Review Access Control Logs: Examine authentication and authorization logs from the past 30 days for anomalous privilege escalation attempts or unusual account activity that may indicate exploitation.


Network-Level Defenses:

- Implement network segmentation to limit lateral movement if a system is compromised
- Deploy Web Application Firewalls (WAF) configured to monitor for suspicious authentication patterns
- Enable comprehensive logging on all ASP.NET Core applications and forward logs to a centralized SIEM for analysis


Operational Best Practices:

- Audit all user accounts with elevated privileges and ensure they're still necessary
- Enforce multi-factor authentication (MFA) on all administrative accounts and sensitive services
- Conduct a review of recent application deployments to identify which versions are currently running
- Enable runtime security monitoring to detect privilege escalation attempts in real time


For Development Teams:

- Update CI/CD pipelines to build containers and deployments with patched runtime versions
- Review any custom authentication or authorization extensions for similar cryptographic verification issues
- Test applications thoroughly after applying patches to ensure functionality remains intact


## References


- [Microsoft Security Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372)
- [ASP.NET Core Release Notes](https://dotnet.microsoft.com/en-us/download/dotnet)
- [National Vulnerability Database - CVE-2026-40372](https://nvd.nist.gov/vuln/detail/CVE-2026-40372)

---


Bottom Line: This is a high-severity vulnerability requiring immediate attention. Organizations running ASP.NET Core in production should treat patching as urgent. The combination of remote exploitability, low attack complexity, and lack of authentication requirements makes this a natural target for widespread attacks. Delay in patching could expose systems to privilege escalation and unauthorized access.