Introduction
Microsoft has released an out-of-band (OOB) security update to address a critical vulnerability in ASP.NET Core, tracked as CVE-2026-40372. Assigned a CVSS score of 9.1, this flaw represents a severe risk to enterprise web environments. The vulnerability allows an attacker to bypass standard security boundaries and elevate privileges to the SYSTEM level on the underlying host operating system.
For defenders, this is a "drop-everything" moment. Successful exploitation of this vulnerability effectively grants an attacker total control over the web server, allowing them to disable security controls, install persistent backdoors, and move laterally into the internal network. Given that ASP.NET Core powers a significant portion of modern enterprise web infrastructure, the attack surface is substantial, and the urgency to patch is high.
Technical Analysis
- CVE ID: CVE-2026-40372
- CVSS Score: 9.1 (Critical)
- Affected Product: ASP.NET Core
- Fixed Version: 10.0.7
- Platform: Windows (the SYSTEM privilege escalation described here applies to Windows hosts; consult the advisory for other deployment models)
The Vulnerability
CVE-2026-40372 is a privilege escalation vulnerability residing within the ASP.NET Core framework. The specific technical mechanics of the flaw (the insecure method call or logic error involved) are typically withheld until after the patch is broadly deployed, to limit widespread exploitation, but the impact is clear: an authenticated attacker, or a threat actor who has already gained a foothold in the web application, can leverage this flaw to break out of the application's restricted security context.
In a typical ASP.NET Core deployment on Windows, the application is hosted by IIS and runs under an application pool identity (by default a virtual account such as IIS AppPool\DefaultAppPool, which is a member of the local IIS_IUSRS group) or a dedicated service account. This identity is deliberately restricted so that a compromised web app cannot damage the operating system. CVE-2026-40372 allows an attacker to bypass these restrictions and execute code with NT AUTHORITY\SYSTEM privileges.
Exploitation and Impact
The attack chain typically involves:
- Initial Access: The attacker exploits a web vulnerability (e.g., SQL Injection, RCE, or deserialization) or uploads a webshell to the vulnerable ASP.NET Core application.
- Privilege Escalation: The attacker triggers the vulnerability in ASP.NET Core (pre-10.0.7) to elevate the context of their process or spawned command from the low-privileged AppPool user to SYSTEM.
- Objective Complete: With SYSTEM access, the attacker can dump credentials (LSASS), install rootkits, disable AV/EDR, or create new administrative users.
Exploitation Status
Microsoft has deemed the severity high enough to break the standard Patch Tuesday cadence. While active exploitation in the wild has not been explicitly confirmed in the initial advisory, an out-of-band release for a CVSS 9.1 flaw usually signals that Microsoft considers the risk of imminent exploitation to be high. Defenders should assume PoC exploit code is available or will be available shortly.
Detection & Response
Detecting this specific CVE requires identifying the result of the exploitation: unexpected processes spawning from the web server context with SYSTEM privileges or the web server process itself spawning shells.
Sigma Rules
The following Sigma rules focus on detecting the abnormal process execution patterns associated with successful privilege escalation from a web server context to a system shell. Both IIS hosting models are covered: with in-process hosting the application runs inside w3wp.exe, and with out-of-process hosting the ASP.NET Core Module launches dotnet.exe as a child of w3wp.exe, so both images are treated as the web worker process.
---
title: ASP.NET Core Spawning Windows Shell
id: 85a3c4d1-2b1a-4c5e-9f6a-1b2c3d4e5f6a
status: experimental
description: Detects ASP.NET Core worker processes (dotnet.exe) or IIS worker processes (w3wp.exe) spawning cmd.exe, powershell.exe or pwsh.exe. This behavior is indicative of web shell activity or privilege escalation exploitation.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372
author: Security Arsenal
date: 2025/02/20
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.privilege_escalation
    - attack.t1068
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\dotnet.exe'
            - '\w3wp.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrative debugging (rare in production)
    - Specific developer tooling pipelines
level: high
---
title: System User Spawned by Web Application Process
id: 9f4e2d1c-3a5b-4f6e-8d7c-1a2b3c4d5e6f
status: experimental
description: Detects processes running as NT AUTHORITY\SYSTEM spawned by web server processes (dotnet.exe or w3wp.exe), potentially indicating successful exploitation of CVE-2026-40372. Application pools run as a restricted app pool identity by default, so a SYSTEM child of a worker process should not occur.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372
author: Security Arsenal
date: 2025/02/20
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\dotnet.exe'
            - '\w3wp.exe'
        User|contains:
            - 'AUTHORITY\SYSTEM'
    condition: selection
falsepositives:
    - Application pools or services deliberately configured to run as LocalSystem (check the account of the parent process)
    - Otherwise unknown (highly suspicious activity)
level: critical
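The two rules above encode a parent/child relationship per event; what they cannot express is a walk up the process tree. The following is an added example, not code from the original advisory or from Microsoft: it implements both Sigma detections over a handful of constructed Sysmon-style process_creation records, and adds a tree check that fires only when a SYSTEM process descends from a web worker that itself runs as an app pool identity (the escalation signature), while staying quiet when the pool was simply misconfigured to run as LocalSystem. PIDs, users, paths and command lines in the sample events are made up for the demo.

```python
"""Run the page's two Sigma detections, plus a process-tree check, over sample events.

Added example, not code from the original advisory or from Microsoft. The
records below are constructed Sysmon-style process_creation events (Event ID 1
field names: Image, ParentImage, User, ProcessId, ParentProcessId); the PIDs,
users and command lines are made up for the demo.
"""
from __future__ import annotations

import ntpath

WEB_WORKERS = {"w3wp.exe", "dotnet.exe"}          # IIS worker / ASP.NET Core out-of-process host
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
APPPOOL_PREFIX = "IIS APPPOOL\\"                  # virtual application pool identities


def image_name(path: str) -> str:
    """Sigma's `Image|endswith: '\\x.exe'` compares on the file name; normalise case."""
    return ntpath.basename(path).lower()


def rule_web_worker_spawns_shell(ev: dict) -> bool:
    """Rule 1: ParentImage is dotnet.exe/w3wp.exe AND Image is a shell."""
    return image_name(ev["ParentImage"]) in WEB_WORKERS and image_name(ev["Image"]) in SHELLS


def rule_system_child_of_web_worker(ev: dict) -> bool:
    """Rule 2: ParentImage is dotnet.exe/w3wp.exe AND User contains AUTHORITY\\SYSTEM."""
    return (image_name(ev["ParentImage"]) in WEB_WORKERS
            and "AUTHORITY\\SYSTEM" in ev["User"].upper())


def apppool_to_system_chain(ev: dict, by_pid: dict) -> list | None:
    """Process-tree check the flat Sigma rules cannot express.

    Walk up from a SYSTEM process until a web worker is reached. Flag only if that
    worker runs as an app pool identity: SYSTEM descending from a low-privilege
    worker is the escalation signature. A worker that itself runs as SYSTEM is a
    pool misconfiguration, left to rule 2 alone. Also catches grandchildren
    (w3wp -> powershell -> whoami) that rule 2 misses.
    Assumption: PIDs are not reused within the event window.
    """
    if ev["User"].upper() != SYSTEM_USER:
        return None
    chain, cur = [ev], ev
    while cur["ParentProcessId"] in by_pid:
        cur = by_pid[cur["ParentProcessId"]]
        chain.append(cur)
        if image_name(cur["Image"]) in WEB_WORKERS:
            return chain if cur["User"].upper().startswith(APPPOOL_PREFIX) else None
    return None


def analyse(events: list[dict]) -> dict[int, list[str]]:
    """Return {ProcessId: [names of detections that fired]} for every matching event."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits: dict[int, list[str]] = {}
    for ev in events:
        tags = []
        if rule_web_worker_spawns_shell(ev):
            tags.append("web_worker_spawns_shell")
        if rule_system_child_of_web_worker(ev):
            tags.append("system_child_of_web_worker")
        if apppool_to_system_chain(ev, by_pid):
            tags.append("apppool_to_system_chain")
        if tags:
            hits[ev["ProcessId"]] = tags
    return hits


def _ev(pid, ppid, image, parent, user, cmd=""):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "User": user, "CommandLine": cmd}


SVCHOST = r"C:\Windows\System32\svchost.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
DOTNET = r"C:\Program Files\dotnet\dotnet.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WHOAMI = r"C:\Windows\System32\whoami.exe"
POOL = "IIS APPPOOL\\DefaultAppPool"

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    _ev(900, 700, SVCHOST, r"C:\Windows\System32\services.exe", SYSTEM_USER),
    _ev(4100, 900, W3WP, SVCHOST, POOL),                            # app pool worker, normal
    _ev(4200, 4100, DOTNET, W3WP, POOL, "dotnet .\\WebApp.dll"),    # out-of-process ANCM launch, normal
    _ev(4300, 4200, CMD, DOTNET, POOL, "cmd.exe /c whoami"),        # web shell, still low privilege
    _ev(4400, 4100, PS, W3WP, SYSTEM_USER, "powershell -nop -w hidden"),  # SYSTEM child of pool worker
    _ev(4500, 4400, WHOAMI, PS, SYSTEM_USER),                       # grandchild: only the tree check sees it
    _ev(5000, 900, W3WP, SVCHOST, SYSTEM_USER),                     # pool misconfigured to run as LocalSystem
    _ev(5100, 5000, CMD, W3WP, SYSTEM_USER),                        # rules fire, tree check stays quiet
]

if __name__ == "__main__":
    for pid, tags in analyse(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

Run stand-alone it prints four hits: the low-privilege web shell (4300) trips only rule 1, the SYSTEM powershell under the app pool worker (4400) trips everything, its whoami grandchild (4500) is caught only by the tree walk, and the cmd.exe under the LocalSystem pool (5100) trips both flat rules but not the escalation check, which is the false positive the second rule's notes warn about.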
KQL (Microsoft Sentinel / Defender)
This query hunts for dotnet.exe or w3wp.exe spawning common LOLBins (Living Off The Land Binaries) often used post-exploitation. It projects the account of both the initiating (parent) process and the child, so a SYSTEM child under an IIS AppPool parent stands out immediately.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("dotnet.exe", "w3wp.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "reg.exe", "whoami.exe", "net.exe", "net1.exe", "tasklist.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
Velociraptor VQL
This Velociraptor VQL query hunts for suspicious parent-child process relationships on a live endpoint. Candidate child processes are selected first and each is joined to its parent through Ppid with foreach(); the regular expressions are anchored so that only the listed binaries match.
-- Hunt for web processes spawning shells or system utilities.
-- Match candidate children first, then join each to its parent through Ppid.
SELECT * FROM foreach(
  row={ SELECT Pid AS ChildPid, Ppid, Name AS ChildName, CommandLine, Exe, Username AS ChildUser
        FROM pslist() WHERE Name =~ "^(cmd|powershell|pwsh|net|net1|whoami|reg|tasklist)[.]exe$" },
  query={ SELECT ChildPid, ChildName, CommandLine, Exe, ChildUser,
                 Pid AS ParentPid, Name AS ParentName, Username AS ParentUser
          FROM pslist(pid=Ppid) WHERE Name =~ "^(dotnet|w3wp)[.]exe$" })
Remediation Script (PowerShell)
Use this script to audit your Windows Servers for vulnerable ASP.NET Core 10.0.x shared frameworks (versions prior to 10.0.7) and to verify that the patched runtime is present. It inspects the shared-framework directories that framework-dependent applications load from (the same information `dotnet --list-runtimes` reports); self-contained deployments bundle their own copy of the runtime inside the application folder and are not covered by this check.
# Audit installed ASP.NET Core 10.0.x shared frameworks for CVE-2026-40372.
# Framework-dependent apps load the shared framework from %ProgramFiles%\dotnet;
# self-contained apps bundle their own copy and must be rebuilt and redeployed separately.
$TargetPatchVersion = [version]"10.0.7"
$RiskDetected = $false
$PatchedPresent = $false

Write-Host "[+] Checking for ASP.NET Core Runtimes..." -ForegroundColor Cyan

# Standard shared-framework locations (x64 and x86)
$Paths = @(
    "${env:ProgramFiles}\dotnet\shared\Microsoft.AspNetCore.App",
    "${env:ProgramFiles(x86)}\dotnet\shared\Microsoft.AspNetCore.App"
)

foreach ($Path in $Paths) {
    if (-not (Test-Path $Path)) { continue }
    Write-Host "[+] Scanning path: $Path" -ForegroundColor Yellow

    foreach ($Dir in Get-ChildItem -Path $Path -Directory) {
        # Directory names are versions such as 10.0.6. Pre-release names (10.0.0-preview.1)
        # do not parse as [version] and are reported separately rather than silently skipped.
        $Ver = $null
        if (-not [version]::TryParse($Dir.Name, [ref]$Ver)) {
            Write-Host "[?] Unparsed (pre-release?) runtime: $($Dir.Name)" -ForegroundColor DarkYellow
            continue
        }
        # Only the 10.0 branch is in scope for this advisory.
        if ($Ver.Major -ne 10 -or $Ver.Minor -ne 0) { continue }

        # A real version comparison avoids the regex trap where "10.0.1" also matches "10.0.10".
        if ($Ver -lt $TargetPatchVersion) {
            Write-Host "[!] VULNERABLE VERSION FOUND: $($Dir.Name)" -ForegroundColor Red
            Write-Host "    Path: $($Dir.FullName)"
            $RiskDetected = $true
        } else {
            Write-Host "[*] PATCHED VERSION FOUND: $($Dir.Name)" -ForegroundColor Green
            $PatchedPresent = $true
        }
    }
}

if (-not $RiskDetected) {
    Write-Host "[+] No vulnerable ASP.NET Core 10.0.x runtimes found." -ForegroundColor Green
} elseif ($PatchedPresent) {
    # Side-by-side install: framework-dependent apps roll forward to the latest 10.0.x patch by default,
    # but an app whose runtimeconfig.json sets rollForward to Disable still binds to the old version.
    Write-Host "[!] Older 10.0.x runtime still installed alongside $TargetPatchVersion; verify each app's rollForward setting or remove the old runtime." -ForegroundColor Yellow
} else {
    Write-Host "[!] ACTION REQUIRED: Apply the out-of-band update to 10.0.7 immediately." -ForegroundColor Red
}
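When the audit finds an old 10.0.x runtime next to 10.0.7, the question is which one each application actually loads. The following is an added example, not part of the original advisory or of any Microsoft tooling: it models the documented .NET host rollForward policies (Disable, LatestPatch, Minor, Major, LatestMinor, LatestMajor) for stable x.y.z versions and applies them to an app's runtimeconfig.json. Simplifying assumptions: pre-release runtime folders are ignored, only the runtimeOptions-level rollForward setting is read (the DOTNET_ROLL_FORWARD environment variable and the host's --roll-forward switch can override it on a real machine), and the runtimeconfig.json documents and installed-version lists are constructed for the demo. Self-contained apps never consult the shared framework, so this check does not apply to them.

```python
"""Which ASP.NET Core shared framework does a framework-dependent app really load?

Added example, not from the original advisory or from Microsoft. It models the
documented .NET host rollForward policies for stable x.y.z versions only;
pre-release runtime folders are skipped (simplifying assumption). Sample
runtimeconfig.json documents and installed-version lists are constructed.
"""
from __future__ import annotations

import json

FIXED = (10, 0, 7)                  # first patched 10.0.x per the advisory
Version = tuple[int, int, int]


def parse(v: str) -> Version | None:
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None                 # e.g. "10.0.0-preview.2" is not modelled
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def _lowest_then_highest_patch(cands: list[Version], key) -> Version | None:
    """Pick the lowest value of `key` (minor, or major+minor), then the highest patch within it."""
    if not cands:
        return None
    lowest = min(key(c) for c in cands)
    return max(c for c in cands if key(c) == lowest)


def resolve(requested: str, installed: list[str], policy: str = "Minor") -> Version | None:
    """Return the installed version the host binds to under `policy`, or None if none qualifies."""
    req = parse(requested)
    if req is None:
        raise ValueError(f"unsupported framework version {requested!r}")
    # The host never rolls backwards, so only versions >= the requested one are candidates.
    cands = sorted(c for c in map(parse, installed) if c and c >= req)
    same_minor = [c for c in cands if c[:2] == req[:2]]
    same_major = [c for c in cands if c[0] == req[0]]

    if policy == "Disable":         # bind to the exact version only
        return req if req in cands else None
    if policy == "LatestPatch":     # highest patch of the requested major.minor
        return max(same_minor, default=None)
    if policy == "Minor":           # host default: LatestPatch, else lowest higher minor
        if same_minor:
            return max(same_minor)
        return _lowest_then_highest_patch(same_major, key=lambda c: c[1])
    if policy == "Major":           # Minor if the major exists, else lowest higher major/minor
        if same_major:
            return resolve(requested, installed, "Minor")
        return _lowest_then_highest_patch(cands, key=lambda c: c[:2])
    if policy == "LatestMinor":     # highest minor within the requested major
        return max(same_major, default=None)
    if policy == "LatestMajor":     # highest version installed
        return max(cands, default=None)
    raise ValueError(f"unknown rollForward policy {policy!r}")


def audit(runtimeconfig: str, installed: list[str]) -> dict:
    """Report which Microsoft.AspNetCore.App an app binds to and whether that is a pre-10.0.7 build."""
    opts = json.loads(runtimeconfig)["runtimeOptions"]
    frameworks = opts.get("frameworks") or [opts["framework"]]
    policy = opts.get("rollForward", "Minor")          # host default when unset
    for fw in frameworks:
        if fw["name"] != "Microsoft.AspNetCore.App":
            continue
        bound = resolve(fw["version"], installed, policy)
        return {
            "requested": fw["version"],
            "policy": policy,
            "bound": ".".join(map(str, bound)) if bound else None,
            # only the 10.0 branch is in scope for this advisory
            "vulnerable": bound is not None and bound[:2] == (10, 0) and bound < FIXED,
        }
    return {"requested": None, "policy": policy, "bound": None, "vulnerable": False}


# Constructed inputs: a side-by-side install as the audit script might report it,
# and two apps, one with host defaults and one pinned with rollForward: Disable.
INSTALLED = ["10.0.3", "10.0.7", "10.0.0-preview.2"]
APP_DEFAULT = json.dumps({"runtimeOptions": {"tfm": "net10.0",
    "framework": {"name": "Microsoft.AspNetCore.App", "version": "10.0.0"}}})
APP_PINNED = json.dumps({"runtimeOptions": {"tfm": "net10.0", "rollForward": "Disable",
    "framework": {"name": "Microsoft.AspNetCore.App", "version": "10.0.3"}}})

if __name__ == "__main__":
    print("default policy:", audit(APP_DEFAULT, INSTALLED))
    print("pinned app:    ", audit(APP_PINNED, INSTALLED))
```

With both runtimes installed, the app using host defaults binds to 10.0.7 and is covered by the update, while the pinned app keeps loading 10.0.3 and stays exposed until its runtimeconfig.json is changed or the old runtime is removed. If 10.0.7 is absent altogether, even the default-policy app resolves to 10.0.3.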
Remediation
To mitigate the risk posed by CVE-2026-40372, security teams must take immediate action:
- Apply the Out-of-Band Update: Microsoft has released fixed packages. Update all instances of ASP.NET Core to version 10.0.7 or later. This update supersedes all previous versions of the 10.0 branch. Self-contained deployments carry their own copy of the runtime and must be rebuilt and redeployed; patching the host's shared framework does not fix them.
- Review the Vendor Advisory: Refer to the official Microsoft Security Update Guide for CVE-2026-40372 for the specific download links and installation instructions for your deployment model (Windows Hosting Bundle, Linux packages, or self-contained deployments).
- Search for Compromise: Before and after patching, review logs for evidence matching the detection rules above. Specifically, look for w3wp.exe or dotnet.exe spawning cmd.exe or powershell.exe in the 30 days prior to the patch announcement. If found, assume the host is compromised and initiate incident response procedures.
- Isolate Vulnerable Systems: If immediate patching is not possible due to change management windows, restrict network access to the vulnerable ASP.NET Core applications (e.g., placing them behind a WAF with strict rules) and monitor closely for exploitation attempts.