Microsoft has issued an urgent out-of-band (OOB) security update for .NET 10 to address a critical vulnerability that could allow attackers to bypass authentication and escalate privileges. The update, version 10.0.7, arrives just after the standard April Patch Tuesday release, following reports of severe cryptographic failures.
The flaw, tracked as CVE-2026-40372, carries a CVSS score of 9.1 and lies in the Microsoft.AspNetCore.DataProtection library, the component ASP.NET Core relies on to protect authentication cookies, antiforgery tokens and other sensitive data.
The vulnerability stems from a bug in the DataProtection NuGet packages (versions 10.0.0 through 10.0.6): protected payloads whose HMAC bytes are all zero are accepted as valid instead of being rejected. Attackers can therefore forge authentication cookies and log in as highly privileged users. Once authenticated as a privileged user, an attacker could induce the application to issue legitimate long-lived tokens, such as API keys, password reset links, or session refresh tokens. Some protected payloads can also be decrypted, potentially exposing secrets like database connection strings or third-party API keys stored within protected outputs.
The vulnerability primarily impacts applications running on Linux, macOS, or other non-Windows operating systems.
| Configuration | Vulnerable Status |
|---|---|
| Running on Windows | Not Affected |
| .NET 8.0 or 9.0 | Not Affected |
| .NET 10 (Non-Windows) | Vulnerable if using versions 10.0.0–10.0.6 |
| .NET Framework/Standard | Vulnerable if consuming affected 10.0.x assets |
Because the vulnerability allows attackers to generate legitimate tokens that remain valid even after patching, a simple software update may not be enough. Microsoft recommends a multi-step remediation process:
1. Patch and Redeploy
Immediately upgrade every reference to Microsoft.AspNetCore.DataProtection (including .NET Framework or .NET Standard projects that consume the 10.0.x packages) to version 10.0.7 and redeploy. The fix ensures that forged payloads, which rely on all-zero HMAC bytes, are correctly rejected.
2. Rotate the Key Ring
If your application was exposed to the internet while vulnerable, you must rotate the DataProtection key ring. This process revokes existing keys and forces the generation of new ones, effectively invalidating any tokens an attacker may have forged.
Note: This will sign out all current users and reissue all antiforgery tokens.
3. Audit Long-Lived Artifacts
Check for any identity or capability artifacts created during the vulnerable window. This includes:
- API keys and refresh tokens stored in databases.
- Password reset links or email-confirmation tokens that haven’t expired.
- Plaintext secrets (like connection strings) stored inside IDataProtector.Protect outputs.
4. Review Logs
Search your web server logs for anomalous traffic spikes. A padding-oracle attack is “noisy”: it requires an immense volume of requests to recover even a single byte of data. High-volume traffic targeting a single endpoint with varying cookie values is a strong indicator of an attempted exploit.
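As an added example (not code from the advisory or from Microsoft), the following C# console tool covers steps 2 and 4 of the remediation above: it scans access logs for the pattern described in step 4 (one client hammering a single endpoint with many distinct cookie values) and, when run with `--rotate`, revokes the whole DataProtection key ring and creates a fresh key through the `IKeyManager` API that the library itself exposes. Everything else is an assumption made for the example: the key-ring directory `/var/lib/myapp/keys`, the application name `my-app`, the simplified one-line-per-request log format, and the constructed sample log. It needs the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.Logging packages.

```csharp
// Added example: incident-response helper for CVE-2026-40372 remediation (steps 2 and 4).
// Not part of the advisory; paths, application name and log format are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

static class Remediation
{
    // Constructed log format for this example: client IP, request line, status, cookie value.
    // A real deployment parses its own server's access-log format instead.
    static readonly Regex LogLine = new Regex(
        @"^(?<ip>\S+) ""(?<method>\S+) (?<path>\S+)"" (?<status>\d{3}) cookie=""(?<cookie>[^""]*)""$");

    // Step 4: flag (client, endpoint) pairs with many requests AND many distinct cookie values.
    // A padding-oracle style probe must send a large number of requests that differ only in the
    // protected payload, which is exactly the indicator the advisory tells you to look for.
    public static List<(string Ip, string Path, int Requests, int DistinctCookies)> FindSuspiciousClients(
        IEnumerable<string> lines, int minRequests, int minDistinctCookies)
    {
        var byClient = new Dictionary<(string, string), (int Count, HashSet<string> Cookies)>();
        foreach (var line in lines)
        {
            var m = LogLine.Match(line);
            if (!m.Success) continue; // skip unparseable lines rather than abort the scan
            var key = (m.Groups["ip"].Value, m.Groups["path"].Value);
            if (!byClient.TryGetValue(key, out var agg))
                agg = (0, new HashSet<string>(StringComparer.Ordinal));
            agg.Count++;
            agg.Cookies.Add(m.Groups["cookie"].Value);
            byClient[key] = agg;
        }
        return byClient
            .Where(kv => kv.Value.Count >= minRequests && kv.Value.Cookies.Count >= minDistinctCookies)
            .Select(kv => (Ip: kv.Key.Item1, Path: kv.Key.Item2,
                           Requests: kv.Value.Count, DistinctCookies: kv.Value.Cookies.Count))
            .OrderByDescending(r => r.Requests)
            .ToList();
    }

    // Builds a key manager bound to the same key ring the application uses. The application
    // name must match the running app's SetApplicationName, otherwise you rotate the wrong ring.
    public static IKeyManager BuildKeyManager(string keyRingDir, string applicationName)
    {
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddDataProtection()
            .SetApplicationName(applicationName)
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingDir));
        return services.BuildServiceProvider().GetRequiredService<IKeyManager>();
    }

    // Step 2: revoke every key created before now and activate a fresh one. Anything protected
    // with the old keys (auth cookies, antiforgery tokens, IDataProtector outputs) stops
    // unprotecting, which is the intended side effect: attacker-obtained artifacts die with it.
    public static IKey RotateKeyRing(IKeyManager keyManager, string reason)
    {
        var now = DateTimeOffset.UtcNow;
        keyManager.RevokeAllKeys(now, reason);
        // Default DataProtection key lifetime is 90 days; keep the same policy for the new key.
        return keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
    }

    static void Main(string[] args)
    {
        // Constructed sample log: one client probing /account/profile with a new cookie on every
        // request (the exploit pattern) next to an ordinary user reusing one valid session cookie.
        var sampleLog = new List<string>();
        for (int i = 0; i < 250; i++)
            sampleLog.Add($"203.0.113.7 \"GET /account/profile\" 302 cookie=\"forged{i:x4}\"");
        sampleLog.Add("198.51.100.2 \"GET /account/profile\" 200 cookie=\"CfDJ8validSession\"");
        sampleLog.Add("198.51.100.2 \"GET /account/orders\" 200 cookie=\"CfDJ8validSession\"");

        foreach (var hit in FindSuspiciousClients(sampleLog, minRequests: 100, minDistinctCookies: 50))
            Console.WriteLine($"suspicious: {hit.Ip} -> {hit.Path}: {hit.Requests} requests, {hit.DistinctCookies} distinct cookies");

        // Rotation signs every user out, so it is gated behind an explicit flag.
        if (args.Length > 0 && args[0] == "--rotate")
        {
            var km = BuildKeyManager("/var/lib/myapp/keys", "my-app"); // assumed path and app name
            var fresh = RotateKeyRing(km, "CVE-2026-40372 exposure window");
            Console.WriteLine($"new key {fresh.KeyId} active from {fresh.ActivationDate:u}");
            foreach (var k in km.GetAllKeys())
                Console.WriteLine($"{k.KeyId} revoked={k.IsRevoked} expires={k.ExpirationDate:u}");
        }
    }
}
```

Run the scan first against real logs to size the exposure window, then `--rotate` once you have decided the application was reachable while vulnerable. `RevokeAllKeys` only revokes keys created before the date you pass, which is why the new key is created afterwards; restart the application after rotating so it reloads the key ring immediately instead of waiting for its periodic refresh. The thresholds (100 requests, 50 distinct cookies) are starting points to tune against your normal traffic, not values from the advisory.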