Microsoft doesn't issue emergency, out-of-band security patches very often — so when they do, it's time to pay attention. On April 22, 2026, The Hacker News reported that Microsoft pushed an unscheduled update to fix a serious vulnerability in ASP.NET Core, a popular framework used to build websites and web applications. The flaw, tracked as CVE-2026-40372, carries a CVSS severity score of 9.1 out of 10 — squarely in "critical" territory.
If you or your business runs a website or web application built on ASP.NET Core, this one deserves your full attention today.
What Is ASP.NET Core, in Plain English?
ASP.NET Core is a free, open-source framework made by Microsoft that developers use to build websites, web APIs, and web applications. Think of it as the engine under the hood of many business websites — handling logins, shopping carts, customer portals, and more. If your company's website was custom-built by a developer (rather than hosted on a simple platform like Squarespace), there's a reasonable chance it was built with ASP.NET Core.
Many Yuba City small businesses use web applications powered by frameworks like this for things like customer management portals, online ordering systems, or staff dashboards. If you're not sure what your site is built on, it's worth asking your developer.
What Exactly Is the Vulnerability?
Here's the technical situation broken down simply.
ASP.NET Core has a feature called Data Protection, which is responsible for encrypting and validating sensitive data — things like login cookies (the little files that keep you signed into a website) and antiforgery tokens (security checks that prevent fake form submissions).
According to Security Affairs, a bug in Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 caused the system to incorrectly validate a security check called an HMAC — essentially a cryptographic signature that proves data hasn't been tampered with. In some cases, the system was simply ignoring the check entirely.
What does that mean in practice? An attacker who knows about this flaw could:
- Forge login cookies to impersonate other users — including administrators
- Decrypt protected data that should have been locked away
- Elevate their privileges within the application or on the server (the flaw only affects non-Windows hosts, so this is not the Windows "SYSTEM" account)
- Access sensitive files and modify data
As Microsoft stated in their advisory: "Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network."
The good news is that exploiting this flaw does not let an attacker crash your server or take it fully offline — availability is not impacted. But account takeover and data exposure are very much on the table.
Are You Affected? Three Things to Check
According to The Hacker News, Microsoft confirmed that exploitation requires all three of the following conditions to be true:
- Your application uses Microsoft.AspNetCore.DataProtection version 10.0.6 from NuGet, either directly or through a package that depends on it (such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis). Security Affairs gives the affected range as 10.0.0 through 10.0.6, so treat any 10.0.x package below 10.0.7 as suspect.
- The NuGet copy of that library is the one actually loaded at runtime, not the copy that ships inside the ASP.NET Core shared framework (Microsoft.AspNetCore.App) with the .NET runtime itself.
- The application runs on a non-Windows operating system, specifically Linux, macOS, or similar.
If all three boxes are checked, your application is vulnerable. If your app runs on Windows, or uses a different version of the DataProtection package, you are not currently at risk from this specific flaw.
Not sure how to check? Look at your project's .csproj file or packages.lock.json for the Microsoft.AspNetCore.DataProtection package version. Or ask whoever manages your server.
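The three conditions above are hard to confirm from a .csproj alone, because the second one depends on which copy of the assembly the process really loads. The following startup diagnostic is an added example written for this article, not code from Microsoft or from the original advisory. It resolves the loaded Microsoft.AspNetCore.DataProtection assembly, reads its package version, checks whether it came from the app's own output folder rather than the shared framework directory, and checks the host OS. The class name DataProtectionAudit and the affected range 10.0.0 through 10.0.6 (taken from the article's sources) are assumptions.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using Microsoft.AspNetCore.DataProtection.KeyManagement;

// Added diagnostic for this article (not Microsoft's code). Call
// DataProtectionAudit.Report() once at startup, e.g. from Program.cs, and
// write the result to your logs. Class name and the 10.0.0-10.0.6 range are
// assumptions taken from the article text.
public static class DataProtectionAudit
{
    static readonly Version FirstAffected = new(10, 0, 0);
    static readonly Version LastAffected  = new(10, 0, 6);

    public static string Report()
    {
        // IKeyManager is defined in Microsoft.AspNetCore.DataProtection.dll, so
        // this resolves whichever copy of that assembly the process has loaded.
        Assembly asm = typeof(IKeyManager).Assembly;
        string location = asm.Location; // empty for single-file publishes (see note below)

        // The informational version carries the package version, e.g. "10.0.6+<commit>";
        // fall back to the assembly version if the attribute is missing.
        string info = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion
                      ?? asm.GetName().Version?.ToString()
                      ?? "unknown";
        string shortVersion = info.Split('+', '-')[0];

        // Condition 1: a package version inside the affected range.
        bool affectedVersion = Version.TryParse(shortVersion, out Version? v)
                               && v >= FirstAffected && v <= LastAffected;

        // Condition 2: loaded from the app's output directory (the NuGet copy) rather than
        // from the shared framework at <dotnet>/shared/Microsoft.AspNetCore.App/<version>/.
        bool fromNuGet = !location.Contains("Microsoft.AspNetCore.App", StringComparison.OrdinalIgnoreCase);

        // Condition 3: non-Windows host.
        bool nonWindows = !RuntimeInformation.IsOSPlatform(OSPlatform.Windows);

        bool exposed = affectedVersion && fromNuGet && nonWindows;
        string verdict = exposed
            ? "ALL THREE CONDITIONS MET: upgrade to 10.0.7, redeploy, rotate the key ring"
            : "not all three conditions met";

        return $"DataProtection {shortVersion} loaded from '{location}'; " +
               $"affected-version={affectedVersion} nuget-copy={fromNuGet} non-windows={nonWindows} => {verdict}";
    }
}
```

Two caveats a practitioner should know. First, a single-file publish reports an empty Assembly.Location, so the "nuget-copy" check cannot tell the two copies apart there; in that case fall back to the package graph, which you can list including transitive dependencies with dotnet list package --include-transitive and search for Microsoft.AspNetCore.DataProtection. Second, this only tells you what the running process loaded; run it on the deployed server, not on a developer machine.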
Step-by-Step: How to Patch This Vulnerability
Here's a straightforward action plan for small business owners and developers:
Step 1 — Update to ASP.NET Core 10.0.7
Microsoft fixed the vulnerability in ASP.NET Core version 10.0.7. Update the Microsoft.AspNetCore.DataProtection package (and any dependent packages) to 10.0.7 via NuGet Package Manager or by running:
dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7
Step 2 — Redeploy Your Application
After updating, rebuild and redeploy your application to your server. Simply updating the package file without redeploying won't protect you.
Step 3 — Rotate Your DataProtection Key Ring (Critical!)
This step is easy to miss, but it matters. Security Affairs reports that Microsoft explicitly warned: "Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated." In other words, if an attacker already forged tokens before you patched, those tokens could still work after the update — unless you rotate your keys. Consult your developer or hosting provider on how to rotate the DataProtection key ring for your specific setup.
Step 4 — Review Your Logs
If you have access to application or server logs, scan for unusual login activity or privilege escalations during the window when you were running versions 10.0.0–10.0.6. Look for logins from unfamiliar IP addresses or unexpected admin-level activity.
Step 5 — Invalidate Active Sessions
Out of an abundance of caution, consider forcing all active user sessions to expire. This logs everyone out and requires them to log back in with fresh, untainted session tokens.
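Steps 3 and 5 can be done together, because login cookies and antiforgery tokens are protected by the same key ring: revoking every existing key and creating a fresh one makes all previously issued cookies and tokens fail validation, forged or legitimate. The code below is an added example for this article, not Microsoft's published rotation guidance; it uses the public IKeyManager interface from Microsoft.AspNetCore.DataProtection.KeyManagement. The class name KeyRingRotation, the 90-day lifetime and the admin endpoint path are assumptions.

```csharp
using System;
using Microsoft.AspNetCore.DataProtection.KeyManagement;

// Added example for this article (not Microsoft's code). Run exactly once per
// key ring after the 10.0.7 deployment is live. Class name, the 90-day key
// lifetime and the endpoint wiring shown in the comment are assumptions.
public static class KeyRingRotation
{
    // Returns the newly created key so the caller can log its KeyId.
    public static IKey RotateNow(IKeyManager keyManager, string reason)
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;

        // Revoke every key created before this moment. The revocation is written
        // into the shared key ring store (file share, Redis, blob storage, ...),
        // so anything protected with those keys, including every active login
        // cookie and antiforgery token, stops validating. Users will be logged out.
        keyManager.RevokeAllKeys(now, reason);

        // Create a replacement key that is active immediately. 90 days matches
        // the default key lifetime; adjust to your own policy.
        IKey fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
        return fresh;
    }
}

// Example wiring in Program.cs (assumed; keep this endpoint admin-only, it is destructive):
//
// app.MapPost("/admin/rotate-data-protection-keys", (IKeyManager km) =>
// {
//     IKey k = KeyRingRotation.RotateNow(km, "CVE-2026-40372 remediation");
//     return Results.Ok(new { newKeyId = k.KeyId });
// }).RequireAuthorization("Admin");
```

Each running instance caches its view of the key ring, so after rotating, restart every process that shares the ring to be sure none keeps accepting data protected with the revoked keys. Rotation only closes the window for tokens forged before the patch; it does nothing for an attacker who still has a way to forge new ones, which is why the 10.0.7 upgrade and redeploy must come first.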
A Note on Timing
Microsoft released this as an out-of-band patch — meaning it wasn't part of their regular monthly "Patch Tuesday" cycle. That's a signal of urgency. While Microsoft assessed that exploitation in the wild is currently less likely, that status can change quickly once a vulnerability is public and its mechanics are understood by bad actors.
Don't Know Where to Start?
If your business runs a custom web application and you're genuinely not sure whether you're affected — or you need help walking through the patching process — we're happy to take a look. Our business IT services are designed for exactly these situations, and we work with local businesses across the Yuba City area to keep their systems and web infrastructure secure. Give us a call at (530) 645-7007 during business hours.
The bottom line: if you're running ASP.NET Core 10.x on Linux or macOS, patch today. A CVSS 9.1 flaw that lets attackers impersonate admin users is not something to leave on the back burner.