Vulnerability | Bleeping Computer
9.9 — CRITICAL
Microsoft releases emergency patches for critical ASP.NET flaw
Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. [...]
🤖 AI Briefing: Auto-generated threat analysis
🔍 Threat Overview
A critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) and an HTTP request smuggling bug (CVE-2025-55315) have been patched by Microsoft, with the former allowing unauthenticated attackers to gain SYSTEM privileges on affected devices. The vulnerabilities were discovered following user reports of decryption failures after installing the .NET 10.0.6 update.
⚙️ Technical Details
💥 Impact Assessment
Severity: Critical
Who Is at Risk
Customers whose applications use ASP.NET Core Data Protection and Windows Server systems
🛡️ Recommended Actions
1. Update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible.
2. Redeploy to fix the validation routine and ensure that any forged payloads are rejected automatically.
3. Monitor for suspicious activity and implement additional security controls to prevent exploitation of CVE-2025-55315.
📦 Affected Products
Microsoft Asp.Net Core, Microsoft Visual Studio 2022
🔐 NVD Verified Data (VERIFIED)
CVE-2026-40372: CVSS 9.1 — CRITICAL
Attack Vector: NETWORK
Complexity: LOW
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weaknesses: CWE-347 (Improper Verification of Cryptographic Signature)
CVE-2025-55315: CVSS 9.9 — CRITICAL
Attack Vector: NETWORK
Complexity: LOW
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Weaknesses: CWE-444 (Inconsistent Interpretation of HTTP Requests, i.e. HTTP Request Smuggling)
Affected Products (CPE)
Microsoft Asp.Net Core, Microsoft Visual Studio 2022
This is a curated summary. The complete article is available at Bleeping Computer.
