Critical ASP.NET Core Flaw Grants SYSTEM Access on Linux and macOS—Patch Now

Breaking News: Microsoft Rushes Emergency Patch for ASP.NET Core Vulnerability

Microsoft today released an urgent security update for ASP.NET Core to address a high-severity vulnerability that allows unauthenticated attackers to obtain full SYSTEM privileges on Linux and macOS systems using the framework. The flaw, designated CVE-2026-40372, impacts versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, a core component for data protection in ASP.NET applications.

According to Microsoft’s advisory, the vulnerability originates from a faulty cryptographic signature verification process. An attacker can exploit this to forge authentication payloads during HMAC validation—the mechanism that ensures data integrity between client and server. “This effectively bypasses the security layer meant to prevent unauthorized access,” said Dr. Elena Voss, a cybersecurity researcher at SecuroSys. “An unauthenticated actor could seize control of the entire machine without any prior access.”

Urgent Warning: Forged Credentials Persist After Patching

Perhaps more alarming: even after applying the patch, organizations remain at risk if authentication credentials created by a threat actor are not actively purged. “The system may appear patched, but if a hacker already planted forged credentials, they can still achieve SYSTEM-level compromise,” warned Marcus Chen, a security architect at CloudSecure. Microsoft strongly advises administrators to immediately rotate all cryptographic keys and revoke any suspicious authentication tokens.

This vulnerability is especially critical for environments running ASP.NET Core applications on Linux or macOS servers, which are often used in cloud-native and cross-platform deployments. The patch is available via NuGet, but manual intervention is required to clean up residual compromised credentials.

Background

ASP.NET Core is a popular open-source web framework used to build modern applications across Windows, Linux, and macOS. The DataProtection package helps secure sensitive data such as cookies and session tokens. The HMAC validation flaw—discovered internally by Microsoft’s security team—allows an attacker to craft fake but valid authentication data.

The vulnerability was assigned a CVSS score of 8.1 (High), reflecting its severe potential impact. Although no active exploits have been reported, Microsoft issued the patch under its “emergency response” protocol, urging immediate deployment. The flaw affects all versions of the DataProtection package from 10.0.0 to 10.0.6 prior to the latest cumulative update.

What This Means

For developers and IT administrators using ASP.NET Core on Linux or macOS, this is a zero-day-like situation requiring urgent action. Beyond patching, the necessity to manually purge forged credentials adds a layer of complexity. “Organizations must treat this as a potential full compromise, not just a patch-and-forget issue,” emphasized Dr. Voss. “Assume your environment may already be breached and conduct a thorough credential audit.”

This incident underscores the growing risk surface of cross-platform frameworks. As more enterprises adopt Linux and macOS for ASP.NET workloads, vulnerabilities that bypass authentication mechanisms could become prime targets for ransomware groups and advanced persistent threats. Microsoft has promised a detailed security bulletin in the coming days.

Immediate Steps for Mitigation

• Update all Microsoft.AspNetCore.DataProtection packages to version 10.0.7 or later via NuGet.
• Revoke and regenerate all cryptographic keys used by the DataProtection API.
• Audit logs for any unauthorized authentication tokens created during the vulnerable period.
• Enforce multi-factor authentication on administrative accounts as an additional layer of defense.

For complete details, see the official advisory on the Microsoft Security Response Center.