
Microsoft patches critical ASP.NET Core privilege escalation vulnerability

A critical privilege escalation vulnerability (CVE-2026-40372, CVSS 9.1) in ASP.NET Core's Data Protection cryptographic APIs allows unauthenticated attackers to forge authentication cookies and other protected payloads, because the affected package computes HMAC validation tags incorrectly and so accepts payloads that should fail the authenticity check; the reported impact extends to SYSTEM privilege compromise. The vulnerability is a regression in specific versions of the Microsoft.AspNetCore.DataProtection NuGet package. Microsoft advises updating the Microsoft.AspNetCore.DataProtection package to version 10.0.7 and redeploying applications.

Vulnerability Management, Patch/Configuration Management

April 23, 2026, by SC Staff

Microsoft has released out-of-band security updates to address a critical privilege escalation vulnerability in ASP.NET Core. The flaw, tracked as CVE-2026-40372, affects the ASP.NET Core Data Protection cryptographic APIs and, as reported by Bleeping Computer, could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies.

The vulnerability stems from a regression in specific versions of the Microsoft.AspNetCore.DataProtection NuGet package. The regression causes the managed authenticated encryptor to compute HMAC validation tags incorrectly, which can allow an attacker to craft payloads that pass Data Protection's authenticity check. Successful exploitation could enable attackers to decrypt protected payloads in authentication cookies, antiforgery tokens, and other sensitive data.

While the vulnerability does not affect system availability, it could allow attackers to disclose files, modify data, and issue legitimately signed tokens to themselves if they authenticate as a privileged user during the vulnerable window.

Microsoft advises updating the Microsoft.AspNetCore.DataProtection package to version 10.0.7 and redeploying applications; the fix takes effect only once the updated package ships with the deployed application.

Source: Bleeping Computer
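The remediation above has two halves: the project must reference 10.0.7 or later, and the deployed output must actually contain it. As an added example (not code from the article, Microsoft or Bleeping Computer), the following Python script audits the three places where the resolved package version is recorded: the MSBuild project or Directory.Packages.props file, packages.lock.json, and the published application's deps.json. It assumes that the affected releases are the 10.0.x versions below 10.0.7 (the article names only the fixed version, so other major lines are flagged for a manual check of the advisory rather than judged). The file names, versions and JSON contents in SAMPLE_FILES are constructed for illustration.

```python
"""Audit .NET build inputs and deployed outputs for the Microsoft.AspNetCore.DataProtection
package version.  Added example, not code from the article, Microsoft or Bleeping Computer."""
import json
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.DataProtection"
FIXED = (10, 0, 7)  # the version the article says to update to


def parse_version(text):
    """Split a NuGet version into a numeric triple and a pre-release label:
    '10.0.7-preview.1' -> ((10, 0, 7), 'preview.1')."""
    core, _, prerelease = text.partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]), prerelease


def classify(version):
    """Map a resolved version to an action.  Assumption (not stated in the article):
    10.0.x releases below 10.0.7 are the affected ones; other major lines are not
    covered by the article and are flagged for a manual check of the advisory."""
    if "*" in version:
        return "floating version: check packages.lock.json or deps.json"
    nums, prerelease = parse_version(version)
    if nums[0] != 10:
        return "other major line: not covered by the article, check the advisory"
    if nums > FIXED or (nums == FIXED and not prerelease):
        return "fixed"
    return "update to 10.0.7 and redeploy"


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present


def versions_from_msbuild(xml_text):
    """PackageReference (project file) or PackageVersion (Directory.Packages.props)."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) in ("PackageReference", "PackageVersion") and el.get("Include") == PACKAGE:
            version = el.get("Version") or "".join(
                (c.text or "").strip() for c in el if _local(c.tag) == "Version")
            if version:
                found.append(version)
    return found


def versions_from_lock(json_text):
    """packages.lock.json: dependencies -> target framework -> package -> resolved."""
    data = json.loads(json_text)
    return [deps[PACKAGE]["resolved"]
            for deps in data.get("dependencies", {}).values()
            if PACKAGE in deps and "resolved" in deps[PACKAGE]]


def versions_from_deps(json_text):
    """<app>.deps.json in the published output: libraries keyed 'Name/Version'.
    This is what actually runs, so it exposes a patched project that was never redeployed."""
    data = json.loads(json_text)
    found = []
    for key in data.get("libraries", {}):
        name, _, version = key.partition("/")
        if name == PACKAGE and version:
            found.append(version)
    return found


HANDLERS = [
    (lambda name: name.endswith((".csproj", ".props")), versions_from_msbuild),
    (lambda name: name.endswith("packages.lock.json"), versions_from_lock),
    (lambda name: name.endswith(".deps.json"), versions_from_deps),
]


def audit(files):
    """files: iterable of (path, text).  Returns [(path, version, action)]."""
    results = []
    for path, text in files:
        for matches, extract in HANDLERS:
            if matches(path):
                results.extend((path, v, classify(v)) for v in extract(text))
                break
    return results


# Constructed sample inputs: a project already moved to 10.0.7 whose deployed
# output still carries 10.0.6, plus an unrelated project on the 8.x line.
SAMPLE_FILES = [
    ("src/Web/Web.csproj",
     '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
     '<PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.7" />'
     '</ItemGroup></Project>'),
    ("src/Web/packages.lock.json", json.dumps({"version": 1, "dependencies": {"net10.0": {
        PACKAGE: {"type": "Direct", "requested": "[10.0.7, )", "resolved": "10.0.7"}}}})),
    ("deploy/Web.deps.json", json.dumps({"libraries": {
        "Web/1.0.0": {"type": "project"},
        PACKAGE + "/10.0.6": {"type": "package", "serviceable": True}}})),
    ("legacy/Legacy.csproj",
     '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup><PackageReference Include="'
     + PACKAGE + '"><Version>8.0.10</Version></PackageReference></ItemGroup></Project>'),
]

if __name__ == "__main__":
    for path, version, action in audit(SAMPLE_FILES):
        print(f"{path}: {version} -> {action}")
```

Run it against a checkout plus the contents of the deployed application directory; the deps.json check is the one that catches the common failure where the project was updated and rebuilt but the server still runs the old publish output. Transitive references (a meta-package pulling Data Protection in) show up in packages.lock.json and deps.json even when no project file names the package directly, which is why the script reads all three sources.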
