CVE-2026-40372
Microsoft · ASP.NET Core and Visual Studio 2026
Improper verification of cryptographic signatures in Microsoft ASP.NET Core allows unauthorized attackers to achieve privilege escalation over the network.
Executive summary
A critical cryptographic signature verification flaw in Microsoft ASP.NET Core and Visual Studio 2026 permits unauthorized network-based privilege escalation.
Vulnerability
The vulnerability stems from CWE-347, where the software fails to properly verify cryptographic signatures, allowing an unauthorized attacker to bypass security controls and elevate privileges.
Business impact
The ability for an unauthorized remote attacker to elevate privileges carries a CVSS score of 9.1, indicating a high risk of total system compromise. This exposure can result in unauthorized access to sensitive data, modification of system configurations, and complete loss of control over the affected environment.
Remediation
Immediate Action: Apply the latest security patches provided by Microsoft to update ASP.NET Core to version 10.0.7 or later and Visual Studio 2026 to version 18.5.2 or later.
Proactive Monitoring: Monitor authentication logs and system access records for anomalous privilege escalation patterns or unexpected administrative actions.
Compensating Controls: Restrict network access to vulnerable services using firewall rules and implement robust identity and access management (IAM) policies to limit the potential blast radius of an unauthorized account.
Exploitation status
Public Exploit Available: Not specified.
Analyst recommendation
Given the ease of exploitability and the high impact of privilege escalation, this vulnerability must be treated as a priority for immediate patching. Organizations should identify all instances of ASP.NET Core and Visual Studio within their infrastructure and verify that the latest patches have been applied across all production environments.