<!-- curated:true -->
# [HIGH] Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

**Source:** The Hacker News
**Published:** 2026-04-22
**Article:** https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html
**Curated:** Analyst-reviewed 2026-04-28

## Threat profile

Microsoft shipped an **out-of-band** update for **CVE-2026-40372** in ASP.NET Core — CVSS **9.1**, "Improper verification of cryptographic signature" leading to **privilege escalation**. Out-of-band releases mean Microsoft thinks the calendar can't wait — typically because exploitability is straightforward or in-the-wild activity is suspected.

ASP.NET Core is the runtime under most .NET web apps shipped in the last 5 years — public-facing APIs, internal admin portals, customer-facing web apps, microservices behind ingress. The vulnerability is in the auth/crypto layer, so the practical impact is **bypass of token / cookie / signature validation**: an attacker forges or replays a request and the app trusts it. We've upgraded severity to **HIGH** based on the auth bypass class.

This isn't OS-level patching — it's runtime / SDK patching. Many orgs still don't have a clean inventory of "every app server running which .NET runtime version" because deployment is decoupled from base-OS patching.

## Indicators of Compromise

- `CVE-2026-40372` — out-of-band patch from Microsoft (see MSRC advisory).
- Affected versions: ASP.NET Core 6.x, 7.x, 8.x — confirm exact version range from MSRC before scoping.
- _No exploit code or IOC bundle published at time of writing — patch first, then hunt for retroactive exploitation._

## MITRE ATT&CK (analyst-validated)

- **T1190** — Exploit Public-Facing Application
- **T1068** — Exploitation for Privilege Escalation
- **T1212** — Exploitation for Credential Access (signature bypass = forged auth tokens)
- **T1078** — Valid Accounts (post-bypass the attacker IS a valid account from the app's POV)
- **T1505.003** — Web Shell (most common post-RCE artefact on IIS / Kestrel)

## Recommended SOC actions (priority-ordered)

1. **Inventory every .NET / ASP.NET Core deployment.** Web farms, IIS sites, Kestrel processes, containerised microservices, Azure App Services. Pull `dotnet --list-runtimes` on every Windows server and Linux host; check container base images for `mcr.microsoft.com/dotnet/aspnet:*`.
2. **Patch the runtime, not just the app.** Update the ASP.NET Core shared framework + SDK. Containers must rebuild and redeploy.
3. **Hunt for web-shell drops on IIS / Kestrel** for the 30 days preceding patch. Auth-bypass + RCE-class flaws typically end with a `.aspx` or `.ashx` web shell.
4. **Audit privileged endpoints.** Anything that uses `[Authorize(Roles=...)]` or signed token validation — those are the primary leverage points. Check logs for unexpected admin actions.
5. **Vuln-scanner coverage check.** Make sure your scanner has the CVE-2026-40372 plugin published and you've re-scanned post-patch to confirm clean.
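As an added example (not from the article or from Microsoft) for step 1, a small Python helper that parses `dotnet --list-runtimes` output and Dockerfile `FROM` lines and flags Microsoft.AspNetCore.App versions below a patched baseline; the `FIXED_MIN` versions are placeholders to be replaced with the fixed builds from the MSRC advisory, and the sample listings are constructed.

```python
"""Added inventory helper (not from the article): parse `dotnet --list-runtimes` output
and Dockerfile base-image tags, flagging Microsoft.AspNetCore.App versions below a
patched baseline. FIXED_MIN is a PLACEHOLDER: fill it from the MSRC advisory."""
import re

# PLACEHOLDER patched version per affected release line; not taken from MSRC.
FIXED_MIN = {"6.0": "6.0.99", "7.0": "7.0.99", "8.0": "8.0.99"}
# e.g. "Microsoft.AspNetCore.App 8.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]"
_RUNTIME_LINE = re.compile(r"^(?P<name>[\w.]+)\s+(?P<ver>[\w.\-]+)\s+\[(?P<path>.+)\]$")
# e.g. "FROM mcr.microsoft.com/dotnet/aspnet:8.0.4-bookworm-slim AS base"
_IMAGE_TAG = re.compile(r"mcr\.microsoft\.com/dotnet/aspnet:(?P<ver>\d+\.\d+(?:\.\d+)?)")

def parse_version(ver: str) -> tuple[int, ...]:
    """'9.0.0-preview.1' -> (9, 0, 0); any prerelease suffix is dropped."""
    return tuple(int(p) for p in ver.split("-", 1)[0].split("."))

def is_exposed(ver: str) -> bool:
    """True when ver is on an affected release line and older than its FIXED_MIN.
    A floating tag such as '8.0' parses as (8, 0), so it counts as exposed: the
    image has to be rebuilt to pick up the patched runtime anyway."""
    parts = parse_version(ver)
    fixed = FIXED_MIN.get(f"{parts[0]}.{parts[1] if len(parts) > 1 else 0}")
    return fixed is not None and parts < parse_version(fixed)

def exposed_runtimes(list_runtimes_output: str) -> list[tuple[str, str]]:
    """(version, install path) for each exposed Microsoft.AspNetCore.App entry."""
    hits = []
    for raw in list_runtimes_output.splitlines():
        m = _RUNTIME_LINE.match(raw.strip())
        if m and m["name"] == "Microsoft.AspNetCore.App" and is_exposed(m["ver"]):
            hits.append((m["ver"], m["path"]))
    return hits

def exposed_image_tags(dockerfile_text: str) -> list[str]:
    """aspnet base-image tags in a Dockerfile whose version is exposed."""
    return [m["ver"] for m in _IMAGE_TAG.finditer(dockerfile_text) if is_exposed(m["ver"])]

# Constructed sample input (not real hosts): a Windows and a Linux runtime listing.
SAMPLE_RUNTIMES = """\
Microsoft.AspNetCore.App 6.0.25 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.99 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.99 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 9.0.0-preview.1.24080.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
"""
SAMPLE_DOCKERFILE = """\
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS runtime
FROM mcr.microsoft.com/dotnet/aspnet:7.0.20-alpine AS legacy
"""
```

Run `exposed_runtimes()` over the captured output of each host and `exposed_image_tags()` over every Dockerfile in the build repos; anything returned is a host or image that needs the runtime update or a rebuild.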

## Splunk SPL — vuln exposure

```spl
| tstats `summariesonly` count min(_time) AS firstTime max(_time) AS lastTime
    from datamodel=Vulnerabilities
    where (Vulnerabilities.cve="CVE-2026-40372" OR Vulnerabilities.signature="*CVE-2026-40372*")
    by Vulnerabilities.dest, Vulnerabilities.signature, Vulnerabilities.severity, Vulnerabilities.cve
| `drop_dm_object_name(Vulnerabilities)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| sort - severity
```

## Splunk SPL — IIS / Kestrel spawning shells (post-exploit web shell)

```spl
| tstats `summariesonly` count min(_time) AS firstTime max(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name IN ("w3wp.exe","dotnet.exe","Kestrel.exe","iisexpress.exe")
      AND Processes.process_name IN ("cmd.exe","powershell.exe","powershell_ise.exe","bash","sh",
                                       "wmic.exe","net.exe","whoami.exe","systeminfo.exe","curl.exe")
    by Processes.dest, Processes.user, Processes.parent_process_name,
       Processes.process_name, Processes.process
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
```

## Splunk SPL — suspicious file writes under wwwroot / app dirs

```spl
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_path IN ("*\\inetpub\\wwwroot\\*","*\\App_Data\\*","*\\bin\\*",
                                     "*/var/www/*","*/app/wwwroot/*")
      AND Filesystem.file_name IN ("*.aspx","*.ashx","*.asmx","*.cshtml","*.dll")
      AND Filesystem.action="created"
    by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
```

## Defender KQL — vuln exposure

```kql
// DeviceTvmSoftwareVulnerabilities already carries DeviceName and OSPlatform, so the
// DeviceInfo join is unnecessary (an inner join on the periodic DeviceInfo events
// would multiply rows per device). Severity is a string, so rank it before sorting.
DeviceTvmSoftwareVulnerabilities
| where CveId =~ "CVE-2026-40372"
| extend SeverityRank = case(VulnerabilitySeverityLevel =~ "Critical", 4,
                             VulnerabilitySeverityLevel =~ "High", 3,
                             VulnerabilitySeverityLevel =~ "Medium", 2, 1)
| project DeviceName, OSPlatform, SoftwareName, SoftwareVersion, CveId,
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate, SeverityRank
| order by SeverityRank desc, DeviceName asc
```

## Defender KQL — w3wp / dotnet child-process anomaly

```kql
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("w3wp.exe","dotnet.exe","Kestrel.exe","iisexpress.exe")
| where FileName in~ ("cmd.exe","powershell.exe","bash","sh","wmic.exe","net.exe",
                       "whoami.exe","systeminfo.exe","curl.exe","certutil.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
| order by Timestamp desc
```

## Defender KQL — web shell file drops

```kql
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where FolderPath has_any ("\\inetpub\\wwwroot\\","\\App_Data\\","/var/www/","/app/wwwroot/")
| where FileName endswith ".aspx" or FileName endswith ".ashx"
     or FileName endswith ".asmx" or FileName endswith ".cshtml"
| where InitiatingProcessFileName !in~ ("msdeploy.exe","devops-agent.exe","github-runner.exe")
| project Timestamp, DeviceName, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

## Why this matters for your SOC

Out-of-band ASP.NET Core patches don't ship often — when they do, the practical risk is **every public-facing .NET app in your estate has a ~1-2 week window before the patch is universally deployed**. The auth-bypass class (improper signature verification) is particularly nasty because **logs look normal**: requests show successful auth, expected user IDs, valid-looking tokens. The only forensic tells are post-RCE artefacts — web shells, unexpected admin actions, anomalous child processes from `w3wp.exe`. The hunts above target the *post-exploitation* footprint because that's what's actually visible. Patch fast and assume any unpatched window was used.
