Vulnerability Brief: Critical Vulnerability

Critical Privilege Escalation in ASP.NET Core (CVE‑2026‑40372) Threatens Microsoft‑Based Web Applications

Microsoft released out‑of‑band patches for a critical ASP.NET Core flaw (CVE‑2026‑40372) that enables privilege escalation. The vulnerability affects all ASP.NET Core 6‑8 runtimes and any SaaS built on the framework, creating a high‑risk supply‑chain exposure that third‑party risk managers need to track.

LiveThreat™ Intelligence · April 22, 2026 · thehackernews.com

Severity: Critical
Type: Vulnerability
Confidence: High
Affected: 2 sector(s)
Actions: 5 recommended
Source: thehackernews.com


What It Is – Microsoft disclosed an out‑of‑band fix for a critical flaw in ASP.NET Core that allows an attacker to bypass normal privilege checks and execute code with higher rights on the host server. The issue stems from improper verification of cryptographic operations during token handling.

Exploitability – The vulnerability is rated CVSS 9.1 (Critical) and is classified as Important. No public exploit code has been released, but the severity and ease of exploitation (remote code execution via crafted web requests) make affected systems a high‑risk target for opportunistic attackers.

Affected Products – ASP.NET Core 6.0 – 8.0 runtime and SDK across all Microsoft‑hosted environments (Azure App Service, Azure Kubernetes Service, on‑premises IIS/Windows Server). Any third‑party SaaS that builds on the ASP.NET Core framework is potentially vulnerable.

TPRM Impact

  • Third‑party web services built on ASP.NET Core could be compromised, exposing downstream customers to data leakage or service interruption.
  • Supply‑chain risk rises for organizations that rely on Microsoft‑managed platforms or vendors that embed ASP.NET Core components in their products.

Recommended Actions

  • Deploy Microsoft’s out‑of‑band patches for ASP.NET Core immediately on all affected servers.
  • Verify patch compliance via automated inventory tools (e.g., SCCM, Azure Policy).
  • Conduct a focused penetration test on web applications that use ASP.NET Core to confirm no residual privilege‑escalation paths.
  • Review and tighten cryptographic token validation logic in custom code.
  • Update third‑party risk registers to flag any suppliers that ship ASP.NET Core‑based solutions.
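The fourth action above, reviewing custom token validation, is the one a code reviewer can act on directly. The following is an added example written for this brief, not code from Microsoft, from the original reporting, or from any affected product: a minimal ASP.NET Core API whose JWT bearer validation is pinned to strict settings, with the loose configuration that a review should flag shown beside it. Because the brief gives no technical detail about CVE‑2026‑40372, these settings are general hardening of token handling, not a fix for the flaw itself, and the patch remains the primary control. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package; the issuer URL, audience name and route are placeholders.

```csharp
// Added example for this brief, not code from Microsoft or the original
// reporting. Requires the Microsoft.AspNetCore.Authentication.JwtBearer package.
// Issuer, audience and route names are placeholders.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

const string Issuer = "https://issuer.example.invalid";   // placeholder
const string Audience = "api://orders-service";           // placeholder

// Configuration that should be flagged in a review of custom code: signature,
// lifetime, issuer and audience checks are all switched off, so any well-formed
// token whose claims look right is accepted.
static TokenValidationParameters WeakParameters() => new()
{
    ValidateIssuerSigningKey = false,
    RequireSignedTokens = false,
    ValidateLifetime = false,
    ValidateIssuer = false,
    ValidateAudience = false,
};

// Hardened form: every validation step is explicit, and the accepted signing
// algorithms are pinned so a token declaring a weaker algorithm (or "none")
// is rejected before its claims are used for any authorization decision.
static TokenValidationParameters StrictParameters() => new()
{
    ValidateIssuer = true,
    ValidIssuer = Issuer,
    ValidateAudience = true,
    ValidAudience = Audience,
    ValidateIssuerSigningKey = true,   // keys are fetched from the issuer's metadata (Authority below)
    RequireSignedTokens = true,
    ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
    ValidateLifetime = true,
    RequireExpirationTime = true,
    ClockSkew = TimeSpan.FromMinutes(1),   // library default is 5 minutes; tighten it
    RoleClaimType = "roles",               // the claim that authorization policies read
};

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = Issuer;   // signing keys discovered via OpenID Connect metadata
        options.TokenValidationParameters = StrictParameters();
    });

builder.Services.AddAuthorization(options =>
    options.AddPolicy("Admin", policy => policy.RequireRole("admin")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Privileged route: reachable only with a token that passed StrictParameters()
// and carries the admin role. WeakParameters() is kept here purely as the
// pattern a reviewer should look for; it is never wired into the pipeline.
app.MapGet("/admin/users", () => Results.Ok("admin only"))
   .RequireAuthorization("Admin");

app.Run();
```

When reviewing custom validation code, search for the `WeakParameters()` pattern: any `Validate*` flag set to false, `RequireSignedTokens = false`, an unset `ValidAlgorithms`, or a hard-coded symmetric secret in place of `Authority`. Setting `Authority` lets the handler pull the issuer's current signing keys from its discovery document, so key rotation does not require a redeploy and a stale or leaked key is not silently trusted.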

Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
