Microsoft has deployed out-of-band security updates to address a critical vulnerability affecting ASP.NET Core that could enable attackers to escalate privileges on vulnerable systems. The flaw, designated CVE-2026-40372, presents a significant threat to organizations running affected versions of the framework.
The vulnerability carries a CVSS score of 9.1 out of 10.0 and is rated Important on Microsoft's own severity scale. The issue stems from improper verification of cryptographic signatures within the framework, creating a pathway for unauthorized privilege elevation. An anonymous security researcher discovered and reported the vulnerability to Microsoft through the company's responsible disclosure process.
ASP.NET Core is widely deployed across enterprise environments, making this patch a priority for system administrators and development teams. The out-of-band release indicates Microsoft's recognition of the threat level and urgency surrounding the flaw. Organizations using ASP.NET Core should prioritize applying these updates to their infrastructure without delay.
Privilege escalation vulnerabilities are particularly concerning as they allow attackers to gain elevated access to systems and applications. Once an attacker achieves higher-level permissions, they can potentially access sensitive data, modify system configurations, or deploy additional malware. The cryptographic verification issue means that existing security controls may be bypassed under certain attack conditions.
Microsoft has provided detailed guidance on which versions of ASP.NET Core require patching, along with step-by-step instructions for deploying the security update. Development teams should coordinate with their IT security departments to ensure timely deployment across all affected systems, including both production and staging environments.
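The first step in that deployment work is knowing which ASP.NET Core shared runtimes are actually installed on each host. The script below is an added example (not Microsoft's guidance and not part of the article): it reads the output of `dotnet --list-runtimes`, which exists on every .NET SDK and runtime install, and flags any `Microsoft.AspNetCore.App` entry whose version is below a minimum patched version for its major line. The article does not list the fixed versions, so the per-major baselines in `patched_min_for_major` are placeholders to be replaced with the values from Microsoft's advisory for CVE-2026-40372; the sample runtime listing is constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example: inventory ASP.NET Core shared runtimes and flag versions below
# a minimum patched version. Baseline versions below are PLACEHOLDERS; the
# article gives no fixed versions, so take them from Microsoft's advisory.

set -u

# Dotted version compare: exit 0 if $1 >= $2, exit 1 otherwise.
# Only a BEGIN block, so awk never reads stdin and does not disturb the
# caller's input stream.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0;
      if (ai > bi) exit 0;
      if (ai < bi) exit 1;
    }
    exit 0;
  }'
}

# Minimum patched Microsoft.AspNetCore.App version per major line.
# PLACEHOLDER values: replace with the fixed versions from the advisory.
patched_min_for_major() {
  case "$1" in
    8) echo "8.0.99" ;;   # placeholder
    9) echo "9.0.99" ;;   # placeholder
    *) echo "" ;;         # no baseline known for this major line
  esac
}

# Read `dotnet --list-runtimes` output on stdin; print one line per
# Microsoft.AspNetCore.App runtime that is below its baseline, or that has
# no baseline at all (so unsupported/unknown lines are not silently passed).
find_unpatched_aspnetcore() {
  while IFS= read -r line; do
    case "$line" in
      Microsoft.AspNetCore.App\ *) ;;
      *) continue ;;                 # other shared frameworks are out of scope
    esac
    ver=$(printf '%s\n' "$line" | awk '{print $2}')
    path=$(printf '%s\n' "$line" | sed -n 's/^[^[]*\[\(.*\)\]$/\1/p')
    major=${ver%%.*}
    min=$(patched_min_for_major "$major")
    if [ -z "$min" ]; then
      printf 'UNKNOWN %s %s (no baseline for major %s)\n' "$ver" "$path" "$major"
      continue
    fi
    if ! version_ge "$ver" "$min"; then
      printf 'UNPATCHED %s %s (below %s)\n' "$ver" "$path" "$min"
    fi
  done
}

# Constructed sample in the exact format `dotnet --list-runtimes` prints.
SAMPLE_RUNTIMES='Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.99 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'

# With --live, scan this host; otherwise run against the constructed sample.
if [ "${1:-}" = "--live" ] && command -v dotnet >/dev/null 2>&1; then
  dotnet --list-runtimes | find_unpatched_aspnetcore
else
  printf '%s\n' "$SAMPLE_RUNTIMES" | find_unpatched_aspnetcore
fi
```

Run it with `--live` on each server (or through your configuration-management tool) and treat any `UNPATCHED` or `UNKNOWN` line as a host that still needs the update; note that self-contained deployments bundle their own copy of the runtime inside the application directory and are not listed by `dotnet --list-runtimes`, so those need a separate check against the application's published files.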
This disclosure reinforces the importance of maintaining current security patches and implementing a robust vulnerability management program. Organizations maintaining dependencies on ASP.NET Core frameworks should review their update procedures and establish protocols for rapidly deploying critical security fixes across their digital infrastructure.