MUST READ

DDoS wave continues as Mastodon hit after Bluesky incident

 | 

Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers

 | 

Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw

 | 

Critical BRIDGE:BREAK flaws impact Lantronix and Silex Technology converters

 | 

Venezuela energy sector targeted by highly destructive Lotus wiper

 | 

Ransomware negotiator caught secretly assisting BlackCat extortion scheme

 | 

The US NSA is using Anthropic's Claude Mythos despite supply chain risk

 | 

U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog

 | 

Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility

 | 

France’s ANTS ID System website hit by cyberattack, possible data breach

 | 

Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft

 | 

CVE-2023-33538 under attack for a year, but exploitation still unsuccessful

 | 

Third-party AI hack triggers Vercel breach, internal environments accessed

 | 

AI Model Claude Opus turns bugs into exploits for just $2,283

 | 

Cyber attacks fuel surge in cargo theft across logistics industry

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 93

 | 

Security Affairs newsletter Round 573 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware

 | 

Nexcorium Mirai variant exploits TBK DVR flaw to launch DDoS attacks

 | 

Microsoft Defender under attack as three zero-days, two of them still unpatched, enable elevated access

 | 

Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw

Pierluigi Paganini April 22, 2026

Microsoft fixed critical ASP.NET Core vulnerability, tracked as CVE-2026-40372 (CVSS score of 9.1), that lets attackers escalate privileges.

Microsoft released out-of-band updates to address a serious ASP.NET Core vulnerability tracked as CVE-2026-40372 (CVSS score of 9.1). Microsoft fixed the flaw in ASP.NET Core version 10.0.7.

An attacker could exploit the flaw to gain SYSTEM-level privileges, access sensitive files, and modify data, but they cannot disrupt system availability.

An anonymous researcher reported the flaw, prompting out-of-band patches to reduce risk and protect affected systems.

“Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.” reads the advisory. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Exploiting this vulnerability could allow an attacker to disclose files and modify data, but the attacker cannot impact the availability of the system.”

According to Microsoft, the exploitation of the flaw in attacks in the wild is currently less likely.

According to Microsoft, a bug in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 caused incorrect HMAC validation, sometimes ignoring the correct hash. This could let attackers forge or decrypt protected data like cookies and antiforgery tokens, possibly impersonating users and getting valid sessions or tokens. Even after upgrading to 10.0.7, old tokens may remain valid unless the key ring is rotated.

“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves.” states Microsoft. “Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”

The tech giant states that the exploitation requires three conditions: the app uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (directly or via dependencies like StackExchangeRedis), the NuGet version is loaded at runtime, and the application runs on a non-Windows OS such as Linux or macOS.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ASP.NET Core)

ASP.NET Core Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini April 22, 2026
DDoS wave continues as Mastodon hit after Bluesky incident
Read more
Pierluigi Paganini April 22, 2026
Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

DDoS wave continues as Mastodon hit after Bluesky incident

Cyber Crime / April 22, 2026

Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers

Malware / April 22, 2026

Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw

Security / April 22, 2026

Critical BRIDGE:BREAK flaws impact Lantronix and Silex Technology converters

Hacking / April 22, 2026

Venezuela energy sector targeted by highly destructive Lotus wiper

Malware / April 22, 2026