Microsoft Fixes Critical Security Vulnerability in ASP.NET Core

Microsoft released an out-of-band update on April 22, 2026, to address a critical security vulnerability in ASP.NET Core. This vulnerability, identified as CVE-2026-40372, allows attackers to escalate privileges. The CVSS score for this vulnerability is 9.1 out of a maximum of 10.0, classifying it as extremely critical. The vulnerability was discovered and reported by an anonymous researcher.

Microsoft has classified the vulnerability as "important," indicating the potential risks to affected systems. The exact nature of the vulnerability is described as "insufficient verification of cryptographic operations," meaning that attackers may gain unauthorized access to sensitive data. The update has been made available for all supported versions of ASP.NET Core. Microsoft recommends that all users install the updates promptly to protect their systems from potential attacks. The vulnerability affects both on-premises and cloud-based applications that rely on ASP.NET Core.

The release of the update comes at a critical time, as cyberattacks on web applications have increased in recent months. Security researchers warn that attackers are actively seeking vulnerabilities in widely used software solutions to exploit them. Microsoft's swift response to this discovery demonstrates the urgency with which such security issues must be addressed. The ASP.NET Core platform is frequently used for developing web applications, underscoring the importance of addressing this vulnerability. Companies relying on this technology should ensure that their systems are up to date to minimize security risks.

Microsoft has previously emphasized the importance of regularly installing security updates. The vulnerability could potentially affect a wide range of applications used across various industries, including financial services, healthcare, and e-commerce. Experts advise not only updating the software but also reviewing security policies within the organization to ensure that all employees are informed about the latest threats. Microsoft has announced that further information regarding the vulnerability and its specific impacts on different versions of ASP.NET Core will be released in the coming days. The security community will closely monitor the situation to ensure that all affected users take the necessary steps to protect their systems.

The release of the update is part of Microsoft's ongoing efforts to ensure the security of its products. The company has invested significant resources in improving its security infrastructure in recent years. The response to the discovery of CVE-2026-40372 is an example of this proactive security strategy. Microsoft plans to roll out the update to all users by the end of April 2026. According to the company, the CVE-2026-40372 vulnerability affects a wide range of systems worldwide.