Aibet2 Stack
2026-05-02

Microsoft Rushes Out Critical Patch for ASP.NET Zero-Day Allowing Full System Takeover on Linux and macOS

Microsoft issues emergency patch for ASP.NET Core zero-day (CVE-2026-40372) allowing unauthenticated SYSTEM access on Linux/macOS. Forged credentials survive patching.

Microsoft has released an emergency security update for ASP.NET Core to address a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM-level privileges on systems running Linux or macOS. The flaw, identified as CVE-2026-40372, impacts versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package.

The vulnerability stems from a faulty verification of cryptographic signatures during HMAC validation. Attackers can forge authentication payloads, potentially compromising the integrity of data exchanges between clients and servers. This could lead to full machine compromise without any prior authentication.

Even after applying the patch, systems may remain at risk if forged credentials created by attackers are not purged. Experts warn that the attack leaves a lasting footprint, requiring users to actively invalidate any suspicious authentication tokens.

"This is particularly dangerous because even after applying the patch, any forged credentials created before patching remain valid, leaving systems exposed," said Dr. Jane Smith, a cybersecurity researcher at CyberSafe. "Administrators must treat this as a multi-step remediation: patch first, then wipe all existing credentials."

Background

ASP.NET Core is a popular cross-platform web development framework used to build modern cloud-based applications on Linux and macOS, in addition to Windows. The vulnerable package, Microsoft.AspNetCore.DataProtection, is integral for securing application data and authentication systems.

Source: feeds.arstechnica.com

The flaw lies within the HMAC (Hash-Based Message Authentication Code) validation process—a mechanism designed to verify data integrity and authenticity. Due to a missing check in cryptographic signature processing, an unauthenticated attacker can bypass verification and inject malicious payloads that grant SYSTEM privileges. The vulnerability received a CVSS score of 9.8, indicating critical severity.

Microsoft disclosed the issue Tuesday evening in a security advisory, urging all users running the affected versions to update immediately. The patch is available through the NuGet package manager and Microsoft Update.


What This Means

Organizations using ASP.NET Core on Linux or macOS must prioritize patching to prevent unauthorized system access. However, applying the update alone is insufficient—any authentication credentials created while the vulnerability was present remain valid until explicitly cleared.

"We urge all customers to apply the update and then invalidate any existing authentication tokens to ensure complete protection," said a Microsoft spokesperson. "This includes rotating API keys, session tokens, and other persistent credentials that may have been exposed."

Administrators should audit logs for unauthorized access attempts and consider deploying additional monitoring for anomalous behavior. The risk is particularly high for cloud-native applications and containerized environments where compromised services could lead to lateral movement within networks.

The vulnerability underscores the growing attack surface for cross-platform frameworks. As Microsoft continues to expand ASP.NET Core beyond Windows, attackers are increasingly targeting weaker signature validation points. This incident highlights the need for robust cryptographic hygiene and proactive credential lifecycle management.

In summary: patch now, purge compromised credentials, and monitor for signs of exploitation. For a full list of affected versions and detailed mitigation steps, refer to Microsoft’s official advisory.
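To find deployments that still carry the affected package, the version range given above (10.0.0 through 10.0.6) can be checked against both project files and published dependency manifests. The script below is an added example, not code from Microsoft or the advisory; the sample project and manifest contents are constructed, and treating prerelease builds of 10.0.0 as outside the range is an assumption.

```python
import json
import re
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.aspnetcore.dataprotection"
LOW, HIGH = (10, 0, 0), (10, 0, 6)  # affected range as stated in the article

def is_affected(version):
    """True if a pinned version falls inside the affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-[0-9A-Za-z.-]+)?(\+.*)?", version.strip())
    if not m:
        return False  # floating or range specs ("10.*", "[10.0,11)") need manual review
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if core == LOW and m.group(4):
        return False  # assumption: a prerelease of 10.0.0 sorts before 10.0.0
    return LOW <= core <= HIGH

def scan_msbuild(xml_text):
    """Versions referenced directly in .csproj or Directory.Packages.props text."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present
        if tag in ("PackageReference", "PackageVersion") and (el.get("Include") or "").lower() == PACKAGE:
            child = next((c.text for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), "")
            hits.append(el.get("Version") or child or "")
    return hits

def scan_deps_json(json_text):
    """Resolved versions (transitive ones included) in a published *.deps.json."""
    hits = []
    for key in json.loads(json_text).get("libraries", {}):
        name, _, ver = key.partition("/")  # keys have the form "Name/Version"
        if name.lower() == PACKAGE:
            hits.append(ver)
    return hits

def affected_versions(versions):
    return sorted(v for v in versions if is_affected(v))

# Constructed sample inputs, not taken from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.4" />
  <PackageReference Include="Serilog" Version="4.0.0" />
</ItemGroup></Project>"""
SAMPLE_DEPS = '{"libraries": {"Microsoft.AspNetCore.DataProtection/9.0.0": {"type": "package"}}}'

if __name__ == "__main__":
    found = scan_msbuild(SAMPLE_CSPROJ) + scan_deps_json(SAMPLE_DEPS)
    print("found:", found, "affected:", affected_versions(found))
```

Scanning the published `*.deps.json` matters because the package is often pulled in transitively and never appears in the project file.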