[{"data":1,"prerenderedAt":103},["ShallowReactive",2],{"story-170985-en":3},{"id":4,"slug":5,"slugs":5,"currentSlug":5,"title":6,"subtitle":7,"coverImagesSmall":8,"coverImages":9,"content":20,"questions":21,"relatedArticles":43,"body_color":101,"card_color":102},"170985",null,"ASP.NET Core CVE-2026-40372 Critical Patch | E-Commerce Platform Security Risk","- CVSS 9.1 privilege escalation affects payment systems, authentication infrastructure, and customer data protection for e-commerce platforms built on .NET 10.0.0-10.0.6",[],[10,11,12,13,14,15,16,17,18,19],"https://cdn.neowin.com/news/images/uploaded/2024/03/1711570117_1605027417_microsoft_net_story.jpg","https://assets.esecurityplanet.com/uploads/2026/04/Microsoft2.png?f=jpeg","https://windowsreport.com/wp-content/uploads/2026/04/net-emegency-update-700x394.jpg","https://the420.in/wp-content/uploads/2026/04/microsoft-fire.jpg","https://gbhackers.com/wp-content/uploads/2026/04/Microsoft-Issues-Emergency-.NET-10.0.7-Update-to-Patch-Elevation-of-Privilege-Vulnerability-1-1-1.webp","https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicFz32BxYp5alZuPiEoKAF3RIggnHor6v_v_dH3D1SVuNRLYHRaRG3h3qbdnN0cqsV7WsDA-k499UtJy8kn_2t8nQ89RJiS3ouMSnYRg16CGdeZ-7sk2Liwr1s-vfqBEIJ5r0BkuliG3u08UUeRUZNHritoH83gpL5VMlqpHQ3mIyBcR5yByS5zjKotMU/s1600/Rockstar%E2%80%99s%20GTA%20Data%20Breach%20Exposes%2078.6%20Million%20Records%20Online%20(55)%20(1).webp","https://i0.wp.com/securityaffairs.com/wp-content/uploads/2020/01/microsoft.png?fit=960%2C480&ssl=1&resize=1280%2C720","https://www.csoonline.com/wp-content/uploads/2026/04/4162178-0-38077700-1776883062-MS-building.jpg?quality=50&strip=all","https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYMuDYXH3vQ6ycJCKfikptBR0jdQdnf-s36gDb0LYx3gvMwQOQLrt072KY5GZ0T2GRhyphenhyphenrfIg5qcCqjE0J_PtKQ1P409j_veWwKYoGsGssQcTotxI2-Dl8akDSyPif_j4LgFL3kWI6pvWKX5QBjsnIZIHdFzlAIRgxspuS4W0Ywe-Z63zmIyL7X39CG_3Ng/s1700-e365/dotnet.jpg","https://www.bleepstatic.com/content/hl-images/2025/03/12/Microsoft_headpic.jpg","**Critical Security Alert for E-Commerce Infrastructure**: Microsoft released emergency out-of-band patches on April 22, 2026, addressing **CVE-2026-40372**, a CVSS 9.1 privilege escalation vulnerability in ASP.NET Core Data Protection APIs affecting versions 10.0.0-10.0.6. This vulnerability directly threatens e-commerce platforms, payment processors, and customer authentication systems built on vulnerable .NET versions. The flaw stems from a regression in the ManagedAuthenticatedEncryptor library where HMAC validation tags are computed over incorrect payload bytes, allowing unauthenticated attackers to forge authentication payloads that bypass DataProtection authenticity checks. Attackers can decrypt previously-protected data in authentication cookies, antiforgery tokens, and OIDC state parameters—critical components of e-commerce checkout flows and customer account security.\n\n**Operational Impact on E-Commerce Sellers and Platforms**: The vulnerability enables attackers to authenticate as privileged users and induce applications to issue legitimately-signed tokens including session refreshes, API keys, and password reset links. For e-commerce operators, this means potential unauthorized access to customer accounts, fraudulent transactions, and credential compromise affecting payment processing systems. The vulnerability specifically impacts Linux, macOS, and non-Windows operating systems, plus Windows systems using managed cryptographic algorithms via the UseCustomCryptographicAlgorithms API. Critically, tokens forged during the vulnerable window (April 14-22, 2026) remain valid after upgrading to version 10.0.7 unless DataProtection key rings are rotated—a mandatory remediation step that many organizations may overlook. E-commerce platforms running ASP.NET Core 10.0.6 on cloud infrastructure (AWS, Azure, Google Cloud) or containerized deployments (Docker) face heightened risk, as the Data Protection Library is embedded in built binaries requiring full application rebuilds.\n\n**Seller and Platform Compliance Requirements**: Organizations must immediately upgrade to ASP.NET Core 10.0.7 and redeploy applications, then rotate DataProtection key rings to invalidate potentially compromised tokens. For Docker deployments, this requires rebuilding container images—a process that can take 2-4 hours for large-scale operations. Developers must audit application logs for user logouts and \"payload was invalid\" errors post-upgrade, review project files for vulnerable package references, and monitor for unusual login failures and authentication anomalies. The news reports indicate no active exploitation evidence currently, but the rapid succession of critical ASP.NET Core vulnerabilities (following October 2024's CVE-2025-55315 with CVSS 9.9 in Kestrel) underscores the critical importance of immediate patching cycles. E-commerce platforms supporting payment processing, customer authentication infrastructure, and session management must treat this as a P0 security incident requiring immediate remediation within 24-48 hours to prevent potential data breaches and customer account compromise.",[22,25,28,31,34,37,40],{"title":23,"answer":24,"author":5,"avatar":5,"time":5},"How does this vulnerability compare to previous ASP.NET Core security issues?","CVE-2026-40372 (CVSS 9.1) follows Microsoft's October 2024 patch for CVE-2025-55315 (CVSS 9.9) in the Kestrel web server, which received the highest-ever severity rating for ASP.NET Core security flaws and allowed authenticated attackers to hijack credentials and bypass security controls. The rapid succession of critical vulnerabilities underscores systemic issues in ASP.NET Core's security posture and the importance of immediate patching cycles. This incident echoes the infamous 2010 MS10-070 zero-day vulnerability in ASP.NET cryptographic error handling, indicating recurring patterns in cryptographic implementation failures. The news reports emphasize that organizations supporting e-commerce applications, payment processing systems, and customer authentication infrastructure must establish automated patching processes and security monitoring to respond to critical vulnerabilities within 24-48 hours.",{"title":26,"answer":27,"author":5,"avatar":5,"time":5},"What detection methods can identify if systems were exploited during the vulnerable window?","Organizations should check application logs for user logouts and 'payload was invalid' errors occurring post-upgrade, which indicate the system rejected forged payloads after patching. Review project files for Microsoft.AspNetCore.DataProtection version 10.0.6 references and run 'dotnet list package' commands to identify vulnerable dependencies. Monitor for unusual login failures, authentication anomalies, and unexpected privilege escalations during April 14-22, 2026. Check for suspicious API key usage, unexpected password reset requests, and unauthorized session refreshes. While Microsoft reports no evidence of active exploitation currently, the vulnerability's severity and the window of exposure (8 days) warrant comprehensive forensic analysis. Organizations should also audit customer account activity during the vulnerable period for signs of unauthorized access or fraudulent transactions.",{"title":29,"answer":30,"author":5,"avatar":5,"time":5},"What immediate actions must e-commerce organizations take to remediate this vulnerability?","Organizations must immediately upgrade to ASP.NET Core 10.0.7 and redeploy applications within 24-48 hours. For Docker deployments, rebuild container images since the Data Protection Library is embedded in binaries. Rotate DataProtection key rings to invalidate tokens forged during April 14-22, 2026. Audit application logs for user logouts and 'payload was invalid' errors post-upgrade. Review project files for Microsoft.AspNetCore.DataProtection version 10.0.6 references using 'dotnet list package' commands. Expire all authentication cookies and tokens issued during the vulnerable window. Monitor for unusual login failures and authentication anomalies. Microsoft's senior program manager Rahul Bhandari emphasized that forged payloads are automatically rejected only after deployment of the patched version, making immediate action critical for preventing account compromise.",{"title":32,"answer":33,"author":5,"avatar":5,"time":5},"Why do tokens remain valid after upgrading to version 10.0.7?","Tokens forged by attackers during the vulnerable window (April 14-22, 2026) remain valid after upgrading because the vulnerability allowed attackers to create legitimately-signed tokens including session refreshes, API keys, and password reset links using forged payloads. Simply patching the code does not invalidate these previously-issued tokens. Organizations must rotate their DataProtection key rings to force re-authentication and invalidate all tokens created during the vulnerable period. Microsoft advises auditing application-level long-lived artifacts created during vulnerable periods and rotating them at the application level, as these artifacts persist beyond key rotation. This two-step remediation (patching + key rotation) is mandatory for e-commerce platforms to ensure complete security restoration.",{"title":35,"answer":36,"author":5,"avatar":5,"time":5},"What is CVE-2026-40372 and how does it affect e-commerce platforms?","CVE-2026-40372 is a CVSS 9.1 privilege escalation vulnerability in ASP.NET Core Data Protection APIs (versions 10.0.0-10.0.6) that allows unauthenticated attackers to forge authentication payloads and decrypt protected data in authentication cookies, antiforgery tokens, and session parameters. For e-commerce platforms, this means attackers can bypass customer authentication, forge session tokens, and potentially access payment processing systems and customer accounts. The vulnerability stems from a regression where HMAC validation tags are computed over incorrect payload bytes, allowing forged payloads to pass authenticity checks. Microsoft released patched version 10.0.7 on April 22, 2026, but organizations must also rotate DataProtection key rings to invalidate tokens forged during the vulnerable window (April 14-22, 2026).",{"title":38,"answer":39,"author":5,"avatar":5,"time":5},"Which e-commerce platforms and systems are at risk from this vulnerability?","E-commerce platforms built on ASP.NET Core 10.0.0-10.0.6 running on Linux, macOS, or non-Windows operating systems are at highest risk, particularly cloud-hosted applications on AWS, Azure, or Google Cloud. Docker containerized deployments are especially vulnerable since the Data Protection Library is embedded in built binaries. Payment processing systems, customer authentication infrastructure, and session management components are primary targets. Windows applications using default DataProtection encryptors are unaffected, but those using managed cryptographic algorithms via the UseCustomCryptographicAlgorithms API remain vulnerable. Organizations targeting netstandard2.0 or net462 frameworks for Windows compatibility are also affected. The vulnerability enables attackers to forge session refreshes, API keys, and password reset links that remain valid after patching unless key rings are rotated.",{"title":41,"answer":42,"author":5,"avatar":5,"time":5},"How does this vulnerability impact Docker and containerized e-commerce deployments?","Docker containerized deployments face heightened risk because the Data Protection Library is embedded in built binaries, requiring full application rebuilds to patch the vulnerability. Organizations cannot simply update the NuGet package; they must rebuild container images, which can take 2-4 hours for large-scale operations. This extended remediation window increases exposure risk for containerized e-commerce platforms. Additionally, container orchestration platforms (Kubernetes, Docker Swarm) must coordinate rolling updates to prevent service disruption during patching. Organizations must also ensure DataProtection key rings are rotated across all container instances to invalidate tokens forged during the vulnerable period. The complexity of containerized remediation makes this vulnerability particularly critical for cloud-native e-commerce platforms relying on Docker deployments.",[44,49,54,59,63,68,73,77,82,87,92,96],{"id":45,"title":46,"source":47,"logo":19,"time":48},789630,"Microsoft releases emergency patches for critical ASP.NET flaw","https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-security-updates-for-critical-aspnet-flaw/","18H AGO",{"id":50,"title":51,"source":52,"logo":16,"time":53},789550,"Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw","https://securityaffairs.com/191130/security/microsoft-out-of-band-updates-fixed-critical-asp-net-core-privilege-escalation-flaw.html","12H AGO",{"id":55,"title":56,"source":57,"logo":12,"time":58},789545,"Microsoft Ships Emergency .NET Patch After Severe Security Risk Discovered","https://windowsreport.com/microsoft-ships-emergency-net-patch-after-severe-security-risk-discovered/","19H AGO",{"id":60,"title":61,"source":62,"logo":14,"time":58},789546,"Microsoft Issues Emergency .NET 10.0.7 Update to Patch Elevation of Privilege Vulnerability","https://gbhackers.com/microsoft-issues-emergency-net-10-0-7-update/",{"id":64,"title":65,"source":66,"logo":10,"time":67},789543,"Microsoft releases emergency out-of-band .NET update to patch severe bug","https://www.neowin.net/news/microsoft-releases-emergency-out-of-band-net-update-to-patch-severe-bug/","1D AGO",{"id":69,"title":70,"source":71,"logo":5,"time":72},789631,"Microsoft issues emergency update for macOS and Linux ASP.NET threat","https://arstechnica.com/security/2026/04/microsoft-issues-emergency-update-for-macos-and-linux-asp-net-threat/","6H AGO",{"id":74,"title":75,"source":76,"logo":15,"time":48},789544,"Microsoft Releases Emergency .NET 10.0.7 Update to Fix Critical Privilege Escalation Flaw","https://cyberpress.org/microsoft-releases-emergency-net-10-0-7-update-to-fix/",{"id":78,"title":79,"source":80,"logo":17,"time":81},789632,"Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core","https://www.csoonline.com/article/4162178/microsoft-issues-out-of-band-patch-for-critical-security-flaw-in-update-to-asp-net-core.html","7H AGO",{"id":83,"title":84,"source":85,"logo":11,"time":86},789549,"CVE-2026-40372: Microsoft Patches ASP.NET Core Privilege Escalation Vulnerability","https://www.esecurityplanet.com/threats/cve-2026-40372-microsoft-patches-asp-net-core-privilege-escalation-vulnerability/","10H AGO",{"id":88,"title":89,"source":90,"logo":5,"time":91},789547,"Microsoft Emergency .NET 10.0.7 Update to Patch Elevation of Privilege Vulnerability","https://cybersecuritynews.com/emergency-net-10-0-7-update-patch/","22H AGO",{"id":93,"title":94,"source":95,"logo":13,"time":86},789548,"Microsoft Issues Emergency Patch for Critical ASP.NET Core Flaw","https://the420.in/microsoft-aspnet-core-cve-2026-40372-emergency-patch-cybersecurity/",{"id":97,"title":98,"source":99,"logo":18,"time":100},789629,"Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug","https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html","17H AGO","#1f92f8ff","#1f92f84d",1776925865608]