Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug
嗯，用户让我帮忙总结一下这篇文章的内容，控制在一百个字以内，而且不需要用“文章内容总结”或者“这篇文章”这样的开头。直接写文章描述即可。首先，我需要通读整篇文章，抓住主要信息。文章讲的是微软发布了针对ASP.NET Core的一个安全漏洞的紧急更新。这个漏洞的CVE编号是CVE-2026-40372，CVSS评分9.1，属于重要级别。匿名研究人员发现了这个漏洞。微软在周二的公告中提到，这个漏洞是因为加密签名验证不当，导致攻击者可以提升权限到SYSTEM级别。攻击者可能利用这个漏洞来泄露文件和修改数据，但成功利用需要三个前提条件：应用使用了特定版本的NuGet包、该库在运行时加载、以及应用运行在非Windows系统上。微软已经通过升级到10.0.7版本修复了这个问题。问题出在DataProtection库的一个回归错误，导致HMAC验证错误，并且在某些情况下丢弃了计算的哈希值。攻击者可以伪造有效载荷通过验证，并解密受保护的数据。总结的时候要包括：微软发布紧急更新、修复ASP.NET Core漏洞、CVSS评分9.1、攻击者可提升权限、修复版本为10.0.7以及影响范围等关键点。现在把这些信息浓缩到一百字以内，确保不遗漏重要细节。 </think> 微软发布紧急更新修复ASP.NET Core漏洞（CVE-2026-40372），CVSS评分9.1，可被攻击者利用提升权限至SYSTEM级别。该漏洞影响使用特定NuGet包且在非Windows系统上运行的应用。已通过升级至10.0.7版本修复。 2026-4-22 09:29:0 Author: thehackernews.com(查看原文) 阅读量:17 收藏

Vulnerability / Cryptography

Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges.

The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw.

"Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network," Microsoft said in a Tuesday advisory. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges."

The tech giant said an attacker could abuse the vulnerability to disclose files and modify data, but emphasized that successful exploitation hinges on three prerequisites -

The application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (either directly or through a package that depends on it, such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).
The NuGet copy of the library was actually loaded at runtime.
The application runs on Linux, macOS, or another non-Windows operating system.

The vulnerability has been addressed by Microsoft in ASP.NET Core version 10.0.7.

"A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages cause the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases," Microsoft explained in its release notes.

In such scenarios, an attacker could forge payloads that pass DataProtection's authenticity checks, as wellas decrypt previously-protected payloads in authentication cookies, antiforgery tokens, and others.

"If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves," it added. "Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

文章来源: https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html
如有侵权请联系:admin#unsafe.sh