Microsoft has released an out-of-band security update addressing a critical privilege escalation vulnerability in ASP.NET Core, tracked as CVE-2026-40372. With a CVSS score of 9.1, this vulnerability represents a significant risk to organizations relying on the .NET ecosystem for their web infrastructure.
The flaw stems from improper verification of cryptographic signatures. In plain terms: an attacker can bypass the integrity checks designed to ensure only trusted, signed code executes within the application context. If exploited, this allows for unauthorized privilege gain, potentially pivoting from a web application compromise to full system control. Defenders must treat this as an immediate priority, as the barrier to exploitation is low relative to the impact.
Technical Analysis
Affected Products: ASP.NET Core (multiple versions, check advisory specifics for your platform).
Vulnerability Details:
- CVE ID: CVE-2026-40372
- CVSS Score: 9.1 (Critical)
- Severity: Important
- Weakness: CWE-347: Improper Verification of Cryptographic Signature
Attack Mechanics: ASP.NET Core relies on strong name signing or other cryptographic signatures to verify the authenticity of loaded assemblies. CVE-2026-40372 involves a flaw in this verification logic.
- Initial Access: An attacker gains the ability to place a file on the target system (e.g., via a web shell, compromised local account, or upload vulnerability).
- Bypass: The attacker crafts a malicious assembly. Due to the improper verification, the ASP.NET runtime accepts this assembly as valid despite it failing standard cryptographic integrity checks.
- Execution & Escalation: The application loads the malicious assembly. Because the assembly runs within the context of the application (often with elevated service account privileges), the attacker escalates their privileges from a low-privileged user to the identity of the application pool.
Exploitation Status: While specific in-the-wild exploitation has not been widely reported at the time of this writing, the complexity of developing a proof-of-concept for a signature bypass is low. We anticipate active scanning and exploitation attempts within days.
Detection & Response
Detecting this vulnerability requires identifying the exploitation behavior rather than the vulnerability itself (since the flaw is in the framework logic). We are hunting for ASP.NET processes loading unsigned or suspicious DLLs, or the execution of unauthorized child processes.
Sigma Rules
```yaml
---
title: ASP.NET Core Suspicious Unsigned DLL Load
id: 82e4a123-5b67-4c89-9e10-1f2a3b4c5d6e
status: experimental
description: Detects ASP.NET Core host processes (dotnet.exe, w3wp.exe) loading unsigned DLLs from outside the framework and Program Files paths, potentially exploiting CVE-2026-40372 to bypass signature checks.
references:
  - https://msrc.microsoft.com/advisory
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|endswith:
      - '\dotnet.exe'
      - '\w3wp.exe'
    Signed: 'false'
  filter_legit:
    ImageLoaded|contains:
      - '\Windows\Microsoft.NET\'
      - '\Program Files\'
  condition: selection and not filter_legit
falsepositives:
  - Legacy application plugins without signatures
level: high
---
title: ASP.NET Process Spawning Shell
id: 93f5b234-6c78-4d90-0f21-2g3h4i5j6k7l
status: experimental
description: Detects the dotnet process spawning cmd.exe or powershell.exe, typical post-exploitation behavior after privilege escalation.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\dotnet.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Administrative troubleshooting
level: high
```
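To see exactly which events the two rules above would and would not fire on, the following Python evaluates their detection sections over a handful of Sysmon-style events. This is an added example, not code from the original post or from any Sigma backend; the events are constructed for illustration, and the matcher implements only the three Sigma string behaviours the rules use (exact, `endswith`, `contains`, all case-insensitive).

```python
"""Evaluate the two Sigma rules above against constructed sample telemetry."""
from typing import Dict, List, Optional, Union

# Field names follow Sysmon Event ID 7 (image load) and Event ID 1 (process
# create) as used by the rules; every value below is constructed for this example.
IMAGE_LOAD_EVENTS: List[Dict[str, str]] = [
    # Signed framework DLL from the .NET install path: expected, no alert.
    {"Image": r"C:\Program Files\dotnet\dotnet.exe",
     "ImageLoaded": r"C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App\9.0.2\Microsoft.AspNetCore.dll",
     "Signed": "true"},
    # Unsigned DLL loaded from a web root: matches selection, not excluded -> alert.
    {"Image": r"C:\Program Files\dotnet\dotnet.exe",
     "ImageLoaded": r"C:\inetpub\wwwroot\app\uploads\helper.dll",
     "Signed": "false"},
    # Unsigned DLL under Program Files: suppressed by filter_legit.
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false"},
    # Unsigned DLL from a temp directory loaded by the IIS worker -> alert.
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\Temp\x.dll",
     "Signed": "false"},
    # Unsigned DLL loaded by an unrelated process: outside the rule's scope.
    {"Image": r"C:\Users\dev\tool.exe",
     "ImageLoaded": r"C:\Users\dev\tool.dll",
     "Signed": "false"},
]

PROCESS_CREATE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\dotnet\dotnet.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Program Files\dotnet\dotnet.exe", "Image": r"C:\Windows\System32\conhost.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

Patterns = Union[str, List[str]]


def field_matches(value: str, modifier: Optional[str], patterns: Patterns) -> bool:
    """Sigma string matching: case-insensitive; a list of patterns is an OR."""
    value = value.lower()
    for pattern in ([patterns] if isinstance(patterns, str) else patterns):
        pattern = pattern.lower()
        if modifier is None and value == pattern:
            return True
        if modifier == "endswith" and value.endswith(pattern):
            return True
        if modifier == "contains" and pattern in value:
            return True
    return False


def selection_matches(event: Dict[str, str], selection: Dict[str, Patterns]) -> bool:
    """A Sigma selection map is an AND over its fields; a missing field never matches."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not field_matches(event[field], modifier or None, patterns):
            return False
    return True


# Detection sections transcribed from the two rules above.
UNSIGNED_LOAD_SELECTION = {"Image|endswith": ["\\dotnet.exe", "\\w3wp.exe"], "Signed": "false"}
UNSIGNED_LOAD_FILTER = {"ImageLoaded|contains": ["\\Windows\\Microsoft.NET\\", "\\Program Files\\"]}
SHELL_PARENT = {"ParentImage|endswith": ["\\dotnet.exe"]}
SHELL_CHILD = {"Image|endswith": ["\\cmd.exe", "\\powershell.exe"]}


def detect_unsigned_dll_loads(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """condition: selection and not filter_legit"""
    return [e for e in events
            if selection_matches(e, UNSIGNED_LOAD_SELECTION)
            and not selection_matches(e, UNSIGNED_LOAD_FILTER)]


def detect_shell_spawns(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """condition: selection_parent and selection_child"""
    return [e for e in events
            if selection_matches(e, SHELL_PARENT) and selection_matches(e, SHELL_CHILD)]


if __name__ == "__main__":
    for hit in detect_unsigned_dll_loads(IMAGE_LOAD_EVENTS):
        print("unsigned load:", hit["Image"], "->", hit["ImageLoaded"])
    for hit in detect_shell_spawns(PROCESS_CREATE_EVENTS):
        print("shell spawn:", hit["ParentImage"], "->", hit["Image"])
```

Run as-is it reports the two unsigned loads from `C:\inetpub` and `C:\Windows\Temp` and the single `dotnet.exe -> cmd.exe` spawn; the Program Files plugin is the case `filter_legit` is there for. Note that the filter suppresses any unsigned load under `\Program Files\`, so a writable application directory installed there would be a blind spot for the first rule.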
KQL (Microsoft Sentinel)
```kusto
// Hunt for unsigned DLLs loaded by ASP.NET processes.
// DeviceImageLoadEvents carries no signature column; signature state is recorded
// in DeviceFileCertificateInfo, so join on SHA1 and keep loads whose file is
// unsigned or has no certificate record at all (unknown signature, worth review).
let certs = DeviceFileCertificateInfo
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, IsSigned, IsTrusted) by SHA1
    | project SHA1, IsSigned, IsTrusted;
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("dotnet.exe", "w3wp.exe")
| where FolderPath !contains @"C:\Windows\Microsoft.NET\"
    and FolderPath !contains @"C:\Program Files\"
| join kind=leftouter certs on SHA1
| where isnull(IsSigned) or IsSigned == false
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SHA256, IsSigned, IsTrusted
| order by Timestamp desc
```
Velociraptor VQL
```vql
-- Hunt for ASP.NET processes with unsigned modules
-- Step 1: list the candidate ASP.NET Core host processes
SELECT Pid, Name, Exe, CommandLine
FROM pslist()
WHERE Name =~ "dotnet" OR Name =~ "w3wp"

-- Step 2: for each candidate Pid, enumerate loaded modules that are not signed
-- (foreach takes the producer query as row= and the per-row query as query=)
SELECT * FROM foreach(
    row={
        SELECT Pid FROM pslist() WHERE Name =~ "dotnet" OR Name =~ "w3wp"
    },
    query={
        SELECT *
        FROM process_loader(pid=Pid)
        WHERE SignedStatus != "SIGNED"
    })
LIMIT 10
```
Remediation Script
```powershell
# PowerShell script to validate ASP.NET Core versions and check for patch status
# Note: Fill in $TargetPatchVersions with the minimum patched version Microsoft's
# advisory lists for each release line (Major.Minor) you run. A single threshold
# cannot serve both lines: every patched 8.0.x runtime is numerically lower than 9.0.2.
$TargetPatchVersions = @{
    "9.0" = "9.0.2"   # Example version, verify against official advisory
    # "8.0" = "<patched 8.0.x version from the advisory>"
}
$Vulnerable = $false
Write-Host "[+] Checking installed ASP.NET Core Runtimes..." -ForegroundColor Cyan
# Get list of shared runtimes using dotnet --list-runtimes
# (self-contained deployments bundle their own runtime and are not listed here)
try {
    $runtimes = & dotnet --list-runtimes 2>&1
    if ($LASTEXITCODE -eq 0) {
        foreach ($line in $runtimes) {
            if ($line -match "Microsoft.AspNetCore.App\s+(\d+\.\d+\.\d+)") {
                $version = [version]$Matches[1]
                $releaseLine = "$($version.Major).$($version.Minor)"
                Write-Host "Found: Microsoft.AspNetCore.App $version" -ForegroundColor White
                if (-not $TargetPatchVersions.ContainsKey($releaseLine)) {
                    Write-Host "[WARN] No patch threshold configured for $releaseLine; check the advisory manually." -ForegroundColor Yellow
                    continue
                }
                # Basic version check logic (Adjust as per specific OOB update requirements)
                if ($version -lt [version]$TargetPatchVersions[$releaseLine]) {
                    Write-Host "[ALERT] Vulnerable version detected: $version" -ForegroundColor Red
                    $Vulnerable = $true
                } else {
                    Write-Host "[OK] Version $version appears patched." -ForegroundColor Green
                }
            }
        }
    }
} catch {
    Write-Host "[-] .NET CLI not found or error checking runtimes." -ForegroundColor Yellow
}
if ($Vulnerable) {
    Write-Host "[!] ACTION REQUIRED: Apply Microsoft OOB Update for CVE-2026-40372 immediately." -ForegroundColor Red
} else {
    Write-Host "[+] No vulnerable runtimes detected based on the defined thresholds." -ForegroundColor Green
}
```
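For fleets where the check is run from a central job rather than on each host, the same triage in Python, as an added example that is not part of the original post: it parses `dotnet --list-runtimes` output, applies a threshold per release line (8.0.x, 9.0.x, ...), and reports lines without a configured threshold or with pre-release versions as `unknown` rather than silently treating them as patched. `9.0.2` is the example value used on this page; the real minimums must come from the MSRC advisory.

```python
"""Triage installed ASP.NET Core shared runtimes against per-release-line patch thresholds."""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum patched version per release line (Major, Minor). 9.0.2 is the example
# value used on this page; fill in the advisory's value for every line you run.
# Lines without an entry are reported as "unknown", never as patched.
PATCHED_MINIMUM: Dict[Tuple[int, int], str] = {
    (9, 0): "9.0.2",
}

# Constructed sample in the format printed by `dotnet --list-runtimes`.
SAMPLE_LISTING = """\
Microsoft.NETCore.App 9.0.2 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.AspNetCore.App 6.0.25 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.3 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.1 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.2 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-preview.2.25164.1 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
"""

LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ver>\S+)\s+\[(?P<path>[^\]]*)\]$")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for a stable version, None for pre-releases."""
    if not re.fullmatch(r"\d+\.\d+\.\d+", text):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(listing: str, thresholds: Dict[Tuple[int, int], str] = PATCHED_MINIMUM
           ) -> List[Tuple[str, str, str]]:
    """Return (version, status, path) for every Microsoft.AspNetCore.App line."""
    results = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["name"] != "Microsoft.AspNetCore.App":
            continue
        version = parse_version(m["ver"])
        if version is None:
            status = "unknown"        # pre-release build; compare by hand
        else:
            minimum = thresholds.get((version[0], version[1]))
            if minimum is None:
                status = "unknown"    # no threshold configured for this release line
            elif version < parse_version(minimum):
                status = "vulnerable"
            else:
                status = "patched"
        results.append((m["ver"], status, m["path"]))
    return results


def vulnerable_versions(listing: str,
                        thresholds: Dict[Tuple[int, int], str] = PATCHED_MINIMUM) -> List[str]:
    """Just the versions that fall below their release line's threshold."""
    return [v for v, status, _ in triage(listing, thresholds) if status == "vulnerable"]


def host_listing() -> Optional[str]:
    """Run the real CLI when present; None when dotnet is not on PATH or fails."""
    if shutil.which("dotnet") is None:
        return None
    proc = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    listing = host_listing() or SAMPLE_LISTING
    for version, status, path in triage(listing):
        print(f"{status:<10} Microsoft.AspNetCore.App {version}  [{path}]")
```

On the constructed listing this reports 9.0.1 as vulnerable, 9.0.2 as patched, and 6.0.25, 8.0.3 and the 10.0 preview as unknown, which is the safe failure mode until the 8.0 threshold is entered. As with the PowerShell script, only shared runtimes appear here; self-contained deployments carry their own copy of the runtime and need a separate inventory.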
Remediation
- Patch Immediately: Apply the out-of-band update released by Microsoft. Do not wait for the standard "Patch Tuesday" cycle.
- Specific Versions: Ensure you are updating to the patched versions of .NET (e.g., .NET 8.0.x, .NET 9.0.x) specified in the CVE advisory. The update addresses the logic flaw in the cryptographic signature verification.
- Restart Services: After patching, restart all ASP.NET Core applications and web servers (IIS/Kestrel) to ensure the patched runtime binaries are loaded into memory.
- Verify: Use the provided PowerShell script to verify that the patched runtime versions are active on all servers in your environment. The script only sees shared runtimes reported by dotnet --list-runtimes; self-contained deployments bundle their own copy of the runtime and must be inventoried and rebuilt separately.
- Advisory Reference: Consult the official Microsoft Security Response Center (MSRC) advisory for CVE-2026-40372 for the exact download links and registry keys.