Introduction
On Tuesday evening, Microsoft released an emergency patch for ASP.NET Core to address a high-severity vulnerability that puts macOS and Linux servers at risk. Tracked as CVE-2026-40372, this flaw affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package. An unauthenticated attacker can exploit it to gain SYSTEM privileges—the highest level of access on a machine—by forging authentication payloads during the HMAC validation process. Even after applying the patch, any credentials already created by an attacker remain valid until manually removed. This guide walks you through the necessary steps to secure your environment and eliminate any lingering threats.
What You Need
- Access to the server running ASP.NET Core (macOS or Linux)
- Administrative (sudo) privileges
- Knowledge of the installed ASP.NET Core version and the
Microsoft.AspNetCore.DataProtectionpackage version - A package manager (e.g.,
dotnetCLI, NuGet Package Manager, or system package manager) - A backup of your current application and data protection keys (recommended)
- Text editor or command line for configuration changes
Step-by-Step Instructions
Step 1: Identify the Affected Package Version
First, confirm whether your project uses a vulnerable version of the Microsoft.AspNetCore.DataProtection package. Run the following command in your project directory:
dotnet list package --include-transitiveLook for Microsoft.AspNetCore.DataProtection in the output. If the version is between 10.0.0 and 10.0.6 (inclusive), you are vulnerable. Note the exact version number—you’ll need it later to verify the update.
Step 2: Update the Package to a Secure Version
Microsoft has released a patched version. Update the affected package using the following command:
dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7If you are using a global package cache, you may need to clear it first:
dotnet nuget locals all --clearAfter updating, rebuild your application:
dotnet buildVerify the new version by running dotnet list package again. Ensure it reports 10.0.7 or later.
Step 3: Restart the Application Service
For the update to take effect, restart the ASP.NET Core application. Depending on your hosting method:
- Systemd service:
sudo systemctl restart your-app-name - Docker container:
docker restart container-name - Direct run: Stop the process (Ctrl+C) and restart with
dotnet run
Step 4: Purge Forged Credentials
This vulnerability allows attackers to create authentication credentials that remain valid even after the patch. You must delete all data protection keys that may have been compromised. Data protection keys are stored in a location defined by your configuration—commonly:
~/.aspnet/DataProtection-Keys/var/db/aspnet/DataProtection-Keys- A custom directory specified in your
appsettings.jsonorStartup.cs
To find the exact location, check your appsettings.json for a setting like:
"DataProtection": {
"KeyDirectory": "/path/to/keys"
}If not specified, the default varies by OS. Run the following command to locate keys:
find / -type d -name "DataProtection-Keys" 2>/dev/nullOnce found, back up the entire directory, then delete all key files:
sudo rm -rf /path/to/DataProtection-Keys/*After deletion, restart the application again. ASP.NET Core will automatically generate new keys.
Step 5: Invalidate Existing Sessions and Tokens
Any active sessions or tokens created before the key rotation are now invalid. Force all users to re-authenticate. For web applications:
- Clear the application’s cookie by setting an immediate expiry in
Startup.csor deploy a session reset endpoint. - If using IdentityServer or JWT, revoke all issued tokens by updating the token revocation store (e.g., change the signing key or clear the refresh token table).
Implement a temporary maintenance page to prevent active users from hitting stale sessions.
Step 6: Audit System for Signs of Compromise
Since the vulnerability enables SYSTEM-level access, check for:
- New or modified user accounts (especially with elevated privileges)
- Unauthorized processes or services
- Suspicious log entries (authentication failures, odd times, or repeated attempts)
Run the following commands on macOS/Linux:
sudo lastlog
sudo journalctl -xe | grep -i 'aspx\|dataprotection'If you find any indicator of compromise, escalate to your incident response team.
Step 7: Monitor and Verify
Finally, monitor your application logs for any further anomalies. Set up alerts for unauthorized access attempts. Confirm that the patch has been applied across all environments (development, staging, production). Run a vulnerability scan using tools like dotnet-vulnerability-scan:
dotnet tool install --global dotnet-vulnerability-scan
dotnet vulnerability-scanReview the output to ensure no other packages are affected by related CVEs.
Tips
- Back up keys before deletion: In case of accidental loss, you can restore the old keys until new ones are generated.
- Automate the update process: Use continuous integration pipelines to check for vulnerable packages and fail builds.
- Rotate keys regularly: Even without an incident, periodic key rotation limits exposure.
- Segment your environments: Ensure development and staging use separate data protection keys from production.
- Inform your team: Share this guide with all developers and system administrators responsible for ASP.NET Core deployments.