24 April 2026

Microsoft ASP.NET Core Zero-Day CVE-2026-40372: CVSS 9.1, Patch Rollout Since April 22

7 min read · Published: April 23, 2026

Microsoft published an out-of-band update on April 22, 2026, and confirmed a 9.1 CVSS bug in ASP.NET Core with CVE-2026-40372. The vulnerability allows an unauthenticated attacker to escalate privileges to SYSTEM level by forging authentication cookies. The patch in DataProtection 10.0.7 is available. However, the real risk lies not in the vulnerability itself, but in its proliferation: thousands of enterprise applications run on custom-built servers that lack auto-update capabilities. Security teams now need a well-defined 72-hour plan.

Key Takeaways

  • Microsoft publicly disclosed CVE-2026-40372 in ASP.NET Core DataProtection 10.0.0 to 10.0.6 on April 22, 2026, and delivered the fix in 10.0.7.
  • CVSS 9.1, privilege escalation to SYSTEM level, no authentication required, exploitable over the network.
  • The out-of-band update signals the urgency. Microsoft rarely releases updates of this class outside the regular Patch Tuesday cycle.
  • Thousands of ASP.NET Core applications run on self-built servers, in container images, or in custom CI pipelines without auto-update.
  • Security teams need a 72-hour inventory sweep, followed by prioritized patch roll-out and cookie rotation in particularly exposed applications.

What the vulnerability actually does

CVE-2026-40372 is a privilege escalation vulnerability in the ASP.NET Core DataProtection library, published on April 22, 2026, with a CVSS score of 9.1. A regression in versions 10.0.0 to 10.0.6 weakens the cryptographic signature verification: validation accepts an all-zero HMAC, so authentication cookies and antiforgery tokens can be forged. From there, SYSTEM privileges can be obtained on the ASP.NET Core host. Microsoft delivered the fix in version 10.0.7.

The mechanics are well-documented. ASP.NET Core uses DataProtection for cookie encryption and signing. When signature validation accepts an all-zero HMAC, arbitrary cookies can be forged. This opens the door to authentication bypass. Subsequently, an attacker can take over an administrator’s session and execute code with SYSTEM privileges through the ASP.NET Core pipeline. The escalation chain is short, but the damage in production applications is substantial.
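To make the bug class concrete, here is an added example in Python. It is not DataProtection's code and not Microsoft's fix (the article does not show the actual regression): a toy signed-cookie verifier with a constructed defect that treats an all-zero tag as "no signature present" and skips the check, beside the hardened verifier that compares every tag against the freshly computed MAC in constant time. The key, the cookie layout and the `zero_tag_rejected` regression check are assumptions made for the demonstration; the regression check is the kind of test a team would keep in its suite so that a verification shortcut cannot reappear unnoticed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Callable, Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256

# Constructed demo key. A real application takes its key from the key ring,
# never from source code.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def sign_cookie(payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Return payload || HMAC-SHA256(key, payload): the shape of a signed cookie."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def _split(cookie: bytes) -> tuple[bytes, bytes]:
    if len(cookie) < TAG_LEN:
        raise ValueError("cookie too short to carry a tag")
    return cookie[:-TAG_LEN], cookie[-TAG_LEN:]


def verify_flawed(cookie: bytes, key: bytes = DEMO_KEY) -> Optional[bytes]:
    """Constructed model of the bug class: an all-zero tag is mistaken for
    'no signature present' and verification is skipped. Never use this."""
    payload, tag = _split(cookie)
    if tag == bytes(TAG_LEN):  # BUG: a zero tag short-circuits the check
        return payload
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def verify_hardened(cookie: bytes, key: bytes = DEMO_KEY) -> Optional[bytes]:
    """Every tag, the all-zero one included, must equal the freshly computed
    MAC; hmac.compare_digest keeps the comparison constant-time."""
    payload, tag = _split(cookie)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def zero_tag_rejected(verify: Callable[[bytes], Optional[bytes]]) -> bool:
    """Regression check for a test suite: a random payload carrying a zero tag
    must never verify, whatever shortcut the verifier grows later."""
    payload = secrets.token_bytes(24)
    return verify(payload + bytes(TAG_LEN)) is None


def demo() -> dict[str, bool]:
    genuine = sign_cookie(b"user=alice;role=user")
    tampered = b"user=alice;role=admin" + bytes(TAG_LEN)  # tag not derived from the key
    return {
        "flawed_accepts_genuine": verify_flawed(genuine) is not None,
        "flawed_accepts_tampered": verify_flawed(tampered) is not None,
        "hardened_accepts_genuine": verify_hardened(genuine) is not None,
        "hardened_accepts_tampered": verify_hardened(tampered) is not None,
        "flawed_passes_regression_check": zero_tag_rejected(verify_flawed),
        "hardened_passes_regression_check": zero_tag_rejected(verify_hardened),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the regression check is that it tests the verifier's behaviour, not its implementation: it would have caught the constructed shortcut above on the day it was introduced, and it costs nothing to keep.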

The issue lies less in the vulnerability itself than in its proliferation. ASP.NET Core runs in tens of thousands of enterprise applications across industries. Many of these applications were migrated to .NET 10 in the last 24 months without verifying the DataProtection configuration. Container images with .NET 10 runtime are built in CI pipelines and deployed to Kubernetes clusters without an automated patch path. Organizations without an active tracking mechanism for Microsoft out-of-band updates can easily overlook this vulnerability.

  • 9.1 CVSS: Privilege Escalation in ASP.NET Core DataProtection
  • 10.0.7: Patch version, affected versions 10.0.0 to 10.0.6
  • April 22: Microsoft Out-of-Band Update 2026

Which Application Classes Are Particularly Critical

Three classes of applications deserve special attention. The first is the classic web backend application on .NET 10. Anyone operating a customer-facing web application in a regulated sector, such as online banking, customer self-service portals, or insurance application processes, has a directly exposed attack surface. Here, the patch should be in production within 48 hours, with a documented audit trail.

The second class is internal API gateways and mid-tier services. These applications are not directly accessible from the internet, but once an attacker establishes a foothold in the internal network, the vulnerability escalates quickly. Those without strict network segmentation should treat the patches the same as for internet-exposed applications. The compliance perspective on DORA and NIS2 explains why internal applications in regulated industries must be treated similarly.

The third class is older ASP.NET Core applications that were migrated to .NET 10 in the last 24 months without the DataProtection configuration being reviewed. These applications are often in maintenance status and are updated less frequently. This is precisely why they become attractive targets. An inventory of migration remnants should run in parallel with the patch rollout.

What Security Operations Should Do Immediately

  • SBOM search for Microsoft.AspNetCore.DataProtection 10.0.0 to 10.0.6
  • Container image scan for .NET 10 runtime versions
  • Patch rollout prioritized by internet exposure
  • Cookie rotation in applications with prolonged exposure
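The SBOM search and exposure-based prioritization from the list above, as an added Python example (not a tool from the article or from any vendor it names). It walks CycloneDX JSON documents, flags `Microsoft.AspNetCore.DataProtection` components in the affected range 10.0.0 to 10.0.6, and orders findings the way the article prioritizes them: internet-exposed first with cookie rotation, then regulated internal services, then the rest. The inventory records, the 48/60-hour deadlines and the minimal SBOM documents are constructed for the demo; in practice the SBOMs come from the image scanner or build pipeline and the exposure field from the CMDB.

```python
from __future__ import annotations

import json
import re

# NuGet package IDs are case-insensitive, so compare in lower case.
AFFECTED_PACKAGE = "microsoft.aspnetcore.dataprotection"
AFFECTED_MIN, AFFECTED_MAX = (10, 0, 0), (10, 0, 6)

# Article's rule of thumb: internet-exposed apps within 48 h (with cookie
# rotation), internal services within 60 h. Assumed mapping, adjust to policy.
DEADLINE_HOURS = {"internet": 48, "internal": 60}


def parse_version(version: str) -> tuple[int, ...]:
    """'10.0.3' or '10.0.7-rc.1' -> (10, 0, 3); a prerelease suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def affected_components(sbom: dict) -> list[dict]:
    """Return DataProtection components in the affected range from a CycloneDX document."""
    hits = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version", "")
        if name == AFFECTED_PACKAGE and version and is_affected(version):
            hits.append({"name": comp["name"], "version": version})
    return hits


def triage(inventory: list[dict]) -> list[dict]:
    """inventory entries: {'app', 'exposure', 'regulated', 'sbom_json'} -> findings by risk."""
    findings = []
    for entry in inventory:
        hits = affected_components(json.loads(entry["sbom_json"]))
        if not hits:
            continue  # fixed or not using the package: nothing to schedule
        exposure = entry["exposure"]
        findings.append({
            "app": entry["app"],
            "exposure": exposure,
            "regulated": entry.get("regulated", False),
            "versions": sorted(h["version"] for h in hits),
            "deadline_hours": DEADLINE_HOURS[exposure],
            "rotate_cookies": exposure == "internet",
        })
    # internet-exposed first, then regulated internal services, then the rest
    findings.sort(key=lambda f: (f["exposure"] != "internet", not f["regulated"], f["app"]))
    return findings


def _sbom(name: str, version: str) -> str:
    """Constructed minimal CycloneDX 1.5 document for the demo."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": name, "version": version,
         "purl": f"pkg:nuget/{name}@{version}"},
        {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3"},
    ]})


# Constructed inventory; app names and exposure values are assumptions.
SAMPLE_INVENTORY = [
    {"app": "customer-portal", "exposure": "internet", "regulated": True,
     "sbom_json": _sbom("Microsoft.AspNetCore.DataProtection", "10.0.3")},
    {"app": "claims-api-gateway", "exposure": "internal", "regulated": True,
     "sbom_json": _sbom("Microsoft.AspNetCore.DataProtection", "10.0.6")},
    {"app": "intranet-wiki", "exposure": "internal", "regulated": False,
     "sbom_json": _sbom("microsoft.aspnetcore.dataprotection", "10.0.0")},
    {"app": "reporting-batch", "exposure": "internal", "regulated": False,
     "sbom_json": _sbom("Microsoft.AspNetCore.DataProtection", "10.0.7")},  # already fixed
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Matching on the exact package name is deliberate: the article names only `Microsoft.AspNetCore.DataProtection`, so related packages are not flagged here. A container image that only carries the package inside the .NET 10 runtime layer will not appear in an application-level SBOM at all, which is why the article pairs the SBOM search with an image scan.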

What Doesn’t Work

  • Simply relying on “we’re not reachable”
  • Patch rollout without cookie rotation in exposed apps
  • Container images without re-build and re-deploy
  • Depending on Microsoft Patch Tuesday routines because out-of-band updates run separately

A 72-Hour Response Plan for Security Operations

Three days are sufficient for a clean response when Engineering and Security work hand in hand. The following step-by-step logic has proven effective in several banks and insurance companies in the DACH region (Germany, Austria, Switzerland).

Hour 0-12
Inventory. SBOM search, container image scan, consultation with engineering teams. Result: List of all affected ASP.NET Core applications with version numbers and exposure levels.

Hour 12-24
Triage. Which applications are internet-exposed, which are internal, and which are used in regulated processes? Prioritization by risk, determination of patch sequence.

Hour 24-48
Patch rollout for critical applications. Internet-exposed applications first, with cookie rotation. Rebuild and deploy container images, document audit trail.

Hour 48-60
Patch rollout for internal applications. Mid-tier services, API gateways, backend services. Activate SIEM rules for suspicious cookie renewal patterns.

Hour 60-72
Forensic examination. Check logs from the last 30 days for unusual authentication patterns. If findings are discovered, initiate incident chain. Complete reporting to CISO and executive board.

What the Microsoft Patch Gap Reveals for 2026

Microsoft has published more out-of-band updates in the last twelve months than in 2024. This changes the operational expectations for security operations. Those who only track the monthly Patch Tuesday cycle regularly miss critical out-of-band updates. Microsoft Security Response Center bulletins in 2026 should be incorporated into a weekly routine slot, with an escalation path for critical releases.

A second observation deserves attention. ASP.NET Core is a platform with very broad adoption in the DACH (Germany, Austria, Switzerland) market, especially in the finance, insurance, and utilities sectors. The vulnerability affects not a niche component but a central layer. Security leaders who don’t know their organization’s platform coverage have a blind spot during waves like these. A basic platform inventory, updated annually, is worthwhile.

Third: SBOM discipline is the most important operational investment in 2026. Those who have a complete, maintained software bill of materials can respond to such incidents within hours. Organizations without an SBOM spend the first 12 hours finding instead of patching. Providers like Anchore, Snyk, and Sysdig have mature tools in 2026 that automate SBOM generation and CVE matching. The investment pays off with the first critical incident.

How This Response Fits into the Q2 Patch Landscape

CVE-2026-40372 is part of a series. The April 20 CISA-KEV update with eight additional vulnerabilities, the PaperCut reactivation and several smaller patches have kept Security Operations busy throughout 2026. This sequence shows that operational workload is increasing. Teams that could handle two critical CVEs per month in 2024 are now seeing four to six per week in 2026.

Structurally, this requires a different personnel architecture in Security Operations. Those working with the classic three-tier SOC model are falling behind in 2026. Platform engineering visibility, automated patch pipelines, and SBOM-based inventories must become standard equipment. Those who delay this are creating growing friction that will become apparent in the coming quarters.

For executives, the incident creates a concrete reason for action. Asking about patch status at the next board meeting sharpens the focus for CISO and CIO. A second question about SBOM discipline provides a good maturity check. Those who can provide concrete answers to both questions within 30 seconds have functioning security governance. Those who provide vagueness have an identifiable investment need.

Frequently Asked Questions

Which ASP.NET Core versions are affected?

DataProtection in versions 10.0.0 to 10.0.6. The patch in 10.0.7 has been available since April 22, 2026. Older major versions are not directly affected, but should be checked regardless of lifecycle status.

Is cookie rotation always necessary?

Not necessarily. For applications with short exposure and no signs of exploitation, the patch is sufficient. For internet-exposed applications with longer exposure, cookie rotation is advisable because it cannot be ruled out that cookies have already been compromised.

How do I know if my application is vulnerable?

Through SBOM search for Microsoft.AspNetCore.DataProtection in one of the mentioned versions. Container image scans with Trivy, Grype, or Snyk identify affected packages in image layers. Dev teams can typically provide a status update within a few hours.

How are CISA and BSI responding to the incident?

As of April 23, CISA has documented the incident promptly but without formal KEV inclusion. The BSI (Federal Office for Information Security) has published an advance warning. Both agencies recommend immediate patching. Formal KEV (Known Exploited Vulnerabilities) inclusion could follow in the coming days if active exploitation is confirmed.

Which detection rules make sense?

SIEM alerts for unusual cookie renewal patterns, unusual privilege escalation attempts from the ASP.NET Core process context, and anomalies in authentication logs. EDR hunts for suspicious process spawns from IIS or Kestrel processes complement the detection layer.
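Two of the detection rules named here, and the ones the 72-hour plan calls for in hours 48 to 72 (SIEM rules for suspicious cookie renewal patterns, a 30-day log review for unusual authentication patterns), as an added Python example that is not from the article and not tied to any SIEM product. The JSON-lines log schema (`event`, `user`, `session`, `src`) is an assumption, not the output of a particular ASP.NET Core logger. Rule one flags a session that presents an authenticated identity without the application ever having recorded a `cookie_issued` event for it, which is the trace a cookie the server never minted would leave; rule two flags a burst of cookie renewals on one session inside a short window.

```python
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. s-100 is a normal session; s-999 acts as admin although
# the application never issued that session's cookie, then renews it rapidly.
SAMPLE_LOG = """\
{"ts":"2026-04-23T08:00:01Z","event":"login_success","user":"alice","session":"s-100","src":"10.1.1.5"}
{"ts":"2026-04-23T08:00:02Z","event":"cookie_issued","user":"alice","session":"s-100","src":"10.1.1.5"}
{"ts":"2026-04-23T08:20:00Z","event":"cookie_renewed","user":"alice","session":"s-100","src":"10.1.1.5"}
{"ts":"2026-04-23T09:10:00Z","event":"admin_action","user":"admin","session":"s-999","src":"203.0.113.7"}
{"ts":"2026-04-23T09:10:05Z","event":"cookie_renewed","user":"admin","session":"s-999","src":"203.0.113.7"}
{"ts":"2026-04-23T09:10:06Z","event":"cookie_renewed","user":"admin","session":"s-999","src":"203.0.113.7"}
{"ts":"2026-04-23T09:10:07Z","event":"cookie_renewed","user":"admin","session":"s-999","src":"203.0.113.7"}
{"ts":"2026-04-23T09:10:08Z","event":"cookie_renewed","user":"admin","session":"s-999","src":"203.0.113.7"}
{"ts":"2026-04-23T09:10:09Z","event":"cookie_renewed","user":"admin","session":"s-999","src":"203.0.113.7"}
{"ts":"2026-04-23T09:10:10Z","event":"cookie_renewed","user":"admin","session":"s-999","src":"203.0.113.7"}
"""

AUTHENTICATED_EVENTS = {"cookie_renewed", "admin_action"}


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into events with datetime timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(text: str, burst_threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Return one alert per (rule, session), in the order they trigger."""
    issued: set[str] = set()                       # sessions the app itself minted
    renewals: dict[str, list[datetime]] = defaultdict(list)
    flagged: set[tuple[str, str]] = set()
    alerts: list[dict] = []

    def alert(rule: str, event: dict, detail: str) -> None:
        key = (rule, event["session"])
        if key in flagged:
            return
        flagged.add(key)
        alerts.append({"rule": rule, "session": event["session"], "user": event["user"],
                       "src": event["src"], "ts": event["ts"].isoformat(), "detail": detail})

    for event in parse_log(text):
        sid = event["session"]
        if event["event"] == "cookie_issued":
            issued.add(sid)
            continue
        # Rule 1: authenticated activity on a session the application never issued.
        if event["event"] in AUTHENTICATED_EVENTS and sid not in issued:
            alert("orphan_session", event,
                  f"{event['event']} without a prior cookie_issued for this session")
        # Rule 2: sliding-window count of cookie renewals per session.
        if event["event"] == "cookie_renewed":
            times = renewals[sid]
            times.append(event["ts"])
            while times and event["ts"] - times[0] > window:
                times.pop(0)
            if len(times) >= burst_threshold:
                alert("renewal_burst", event,
                      f"{len(times)} renewals within {int(window.total_seconds())}s")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Rule one only works if cookie issuance is logged at all; for the 30-day review this means confirming first that the application's logs contain the issuance event, and treating an empty result from a log that never records it as "no coverage" rather than "no findings". The burst threshold is a starting value to tune against a week of the application's own baseline.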

How often does Microsoft release out-of-band updates in 2026?

More frequently than in 2024. In the last twelve months, several critical out-of-band updates have been released. A weekly routine review of Microsoft Security Response Center bulletins is the right cadence for 2026.

Source cover image: Pexels / panumas nikhomkhai (px:17489158)


About the author: Benedikt Langer

A magazine by Evernine Media GmbH