By Lyrie Threat Intelligence·5/11/2026

The Cryptography Collapse: CVE-2026-40372 Breaks ASP.NET Core Token Trust on Non-Windows Systems

TL;DR

Microsoft released an emergency out-of-band patch today for CVE-2026-40372, a critical (CVSS 9.1) vulnerability in ASP.NET Core's DataProtection library. Improper cryptographic signature verification on non-Windows systems allows attackers to forge authentication tokens and escalate to SYSTEM privileges. Organizations running ASP.NET Core on Linux, macOS, or cloud platforms must patch immediately.

What Happened

At approximately 7:50 UTC (11:50 AM Dubai time), Microsoft disclosed CVE-2026-40372—a critical vulnerability in the ASP.NET Core DataProtection API that undermines token validation on any non-Windows platform.

The flaw resides in the cryptographic signature verification logic used to protect sensitive payloads (authentication tokens, session data, encrypted credentials). When DataProtection verifies an inbound token, it should cryptographically confirm that the token hasn't been tampered with. Instead, the vulnerability allows an attacker to forge valid-looking tokens that pass verification checks, effectively bypassing the entire authentication trust boundary.

Microsoft's emergency patch was released out-of-band—meaning outside the normal monthly security update cycle—signaling the severity and immediacy of the threat.

Technical Details

The Vulnerability Anatomy

The DataProtection API is ASP.NET Core's standard mechanism for:

  • Encrypting and signing authentication cookies
  • Protecting temporary tokens (password reset, email confirmation)
  • Securing anti-forgery tokens (CSRF protection)
  • Encrypting sensitive configuration data at rest

CVE-2026-40372 breaks the signature verification step. An attacker can:

1. Craft a malicious payload (e.g., an authentication token claiming SYSTEM privileges)

2. Bypass the cryptographic signature check (due to the flaw)

3. Submit the forged token to the vulnerable application

4. Achieve authentication bypass or privilege escalation

Why Non-Windows Only?

The vulnerability is specific to non-Windows deployments (Linux, macOS, cloud platforms like Azure Container Instances, ECS, Kubernetes). Windows systems use different cryptographic providers and are not impacted.

Attack Vector

  • Network: Yes, remote
  • Authentication Required: No—attackers can forge tokens without prior access
  • User Interaction: None
  • Complexity: Low—no sophisticated exploit needed
  • Impact: Confidentiality, Integrity, Availability all compromised

An attacker can:

  • Escalate unprivileged user sessions to administrators
  • Impersonate any user in the system
  • Steal encrypted session data
  • Modify user claims in JWT tokens
  • Bypass MFA entirely (if the token is used for post-authentication actions)

Lyrie Assessment: Why CISOs Must Act Within Hours

1. Widespread Exposure

ASP.NET Core powers millions of web applications. Organizations running:

  • Cloud-hosted APIs (.NET on Docker, Kubernetes, ECS)
  • Microservices on Linux/macOS
  • Hybrid deployments with some services on non-Windows

...are all vulnerable today.

2. Trivial Exploitation

No sophisticated tooling required. A teenager with basic knowledge of token formats can construct a forged token in minutes. Given the CVSS 9.1 rating and out-of-band patch timeline, expect proof-of-concept exploits in security forums within 24 hours.

3. Authentication as the Perimeter

In a post-zero-trust world, authentication tokens ARE your perimeter. If attackers can forge tokens, they bypass network segmentation, conditional access policies, and risk-based authentication entirely. This flaw touches the foundation of modern identity defense.

4. No Telemetry of Exploitation

Forged tokens that pass verification won't trigger anomaly detection. Your SOC won't see a failed authentication attempt—it will see a valid login from the attacker's location, running as SYSTEM. By the time you detect lateral movement downstream, the attacker has already exfiltrated credentials and planted persistence.

Recommended Actions

Immediate (Next 24 Hours)

1. Identify ASP.NET Core deployments on non-Windows

- Docker images running mcr.microsoft.com/dotnet/aspnet:*

- Kubernetes pods with .NET runtime on Linux node selectors

- Azure App Service on Linux / Container Instances

2. Patch in this order:

- Production web APIs and authentication services (highest priority)

- Internal services that accept DataProtection tokens

- Development/staging environments

3. Check patch status:

- Consult Microsoft Security Update Guide

- Verify ASP.NET Core 6.0, 7.0, 8.0 patch availability

- Some frameworks (ASP.NET 5, older versions) may not get patches—plan migration

Short-Term (48-72 Hours)

4. Audit token issuance logs for the past 48 hours

- Look for authentication events followed by privilege escalation

- Search for tokens with mismatched user claims vs. activity (e.g., admin token from unexpected IP)

- Run threat hunt for lateral movement patterns post-auth
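The first two hunts in step 4, written out as an added example (not Lyrie's or Microsoft's code): it groups constructed auth-log records by session and reports a session that logged in as a non-admin role but later acted as admin, and an admin action arriving from an IP other than the one the session logged in from. The AuthEvent record, its field names and the sample events are assumptions standing in for whatever your application actually logs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed auth-log records standing in for what an ASP.NET Core app emits on login
// and on each privileged action. Field names are assumptions, not a Microsoft schema.
public sealed record AuthEvent(DateTime At, string SessionId, string User, string Role, string Ip, string Kind);

public static class TokenAuditHunt
{
    // Returns one finding per session that shows either of the patterns in step 4:
    //  (a) a session that logged in as a non-admin role and later acted with an admin role, or
    //  (b) an admin-role action arriving from an IP other than the one the session logged in from.
    public static List<string> Hunt(IEnumerable<AuthEvent> events)
    {
        var findings = new List<string>();
        foreach (var session in events.GroupBy(e => e.SessionId))
        {
            var ordered = session.OrderBy(e => e.At).ToList();
            var login = ordered.FirstOrDefault(e => e.Kind == "login");
            if (login is null) continue;
            foreach (var act in ordered.Where(e => e.Kind == "action" && e.Role == "admin"))
            {
                if (login.Role != "admin")
                    findings.Add($"{session.Key}: {login.User} logged in as {login.Role} at {login.At:O}, acted as admin at {act.At:O}");
                if (act.Ip != login.Ip)
                    findings.Add($"{session.Key}: admin action from {act.Ip} but session originated from {login.Ip}");
            }
        }
        return findings;
    }

    public static List<string> RunOnSample()
    {
        var t0 = new DateTime(2026, 5, 11, 8, 0, 0, DateTimeKind.Utc);
        var sample = new[]   // constructed sample log, not real telemetry
        {
            new AuthEvent(t0, "s1", "alice", "user", "10.0.0.5", "login"),
            new AuthEvent(t0.AddMinutes(3), "s1", "alice", "admin", "10.0.0.5", "action"),   // pattern (a)
            new AuthEvent(t0, "s2", "bob", "admin", "10.0.0.7", "login"),
            new AuthEvent(t0.AddMinutes(20), "s2", "bob", "admin", "203.0.113.9", "action"), // pattern (b)
            new AuthEvent(t0, "s3", "carol", "user", "10.0.0.9", "login"),
            new AuthEvent(t0.AddMinutes(1), "s3", "carol", "user", "10.0.0.9", "action"),   // benign
        };
        return Hunt(sample); // two findings: one for s1, one for s2
    }
}
```

Feed Hunt() the same records from your real log source; the IP check is only as good as the source address your app records behind proxies and load balancers.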

5. Rotate all authentication secrets

- Application encryption keys (if stored in environment)

- Session signing keys

- JWT secrets used by this service

6. Invalidate long-lived tokens

- Force re-authentication for sessions older than 4 hours

- Reduce token TTL permanently as compensating control

Long-Term

7. Add token validation hardening

- Implement secondary validation layer (e.g., check token against session store)

- Log all DataProtection verification failures

- Alert on unusual claims in tokens (e.g., SYSTEM user from non-admin action)
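One way to implement the three parts of step 7, as an added example and not code from Microsoft or Lyrie: a wrapper around IDataProtector that logs every Unprotect failure under a stable event id, requires the unprotected payload to match a server-side session record before the token is trusted, and treats an unexpected role claim as an alert rather than a login. ISessionStore, SessionRecord, the purpose string and the pipe-delimited payload layout are assumptions about the application, not part of the DataProtection API.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Logging;

// Assumed application types: the server-side session record and the store holding it.
public sealed record SessionRecord(string SessionId, string UserId, string Role);
public interface ISessionStore { SessionRecord? Find(string sessionId); }

public sealed class HardenedTokenValidator
{
    // Stable event ids so the SOC can alert on these without parsing message text.
    private static readonly EventId VerifyFailed = new(4001, "DataProtectionVerificationFailed");
    private static readonly EventId SessionMismatch = new(4002, "TokenSessionMismatch");
    private static readonly EventId SuspiciousClaim = new(4003, "TokenSuspiciousClaim");
    private readonly IDataProtector _protector;
    private readonly ISessionStore _sessions;
    private readonly ILogger<HardenedTokenValidator> _log;

    public HardenedTokenValidator(IDataProtectionProvider provider, ISessionStore sessions, ILogger<HardenedTokenValidator> log)
    {
        _protector = provider.CreateProtector("MyApp.AuthToken.v1"); // assumed purpose string
        _sessions = sessions;
        _log = log;
    }

    // Returns the server-side session the token maps to, or null if the token must be rejected.
    // Assumed payload layout inside the protected blob: "<sessionId>|<userId>|<role>".
    public SessionRecord? Validate(string protectedToken, string remoteIp)
    {
        // Never swallow a verification failure silently; this is the signal the SOC needs.
        string payload;
        try { payload = _protector.Unprotect(protectedToken); }
        catch (CryptographicException ex) { _log.LogWarning(VerifyFailed, ex, "Unprotect failed from {RemoteIp}", remoteIp); return null; }
        var parts = payload.Split('|');
        if (parts.Length != 3) { _log.LogWarning(VerifyFailed, "Malformed payload from {RemoteIp}", remoteIp); return null; }
        var (sessionId, userId, role) = (parts[0], parts[1], parts[2]);
        // Secondary check: the identity inside the token must match what the server issued for
        // that session, so passing the signature check alone is not enough to be trusted.
        var session = _sessions.Find(sessionId);
        if (session is null || session.UserId != userId || session.Role != role)
        { _log.LogWarning(SessionMismatch, "Token does not match session {SessionId} from {RemoteIp}", sessionId, remoteIp); return null; }
        // A claim no legitimate issuer produces for this flow is an alert, not a login.
        if (role.Equals("SYSTEM", StringComparison.OrdinalIgnoreCase))
        { _log.LogError(SuspiciousClaim, "Unexpected role {Role} for {UserId} from {RemoteIp}", role, userId, remoteIp); return null; }
        return session;
    }
}
```

Route events 4001 to 4003 to the SIEM as their own rule; a burst of 4001 or any 4003 from one source address is the nearest thing to exploitation telemetry this flaw offers.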

8. Move to managed identity (Azure)

- Replace DataProtection tokens with Azure Managed Identity where possible

- Reduces exposure of crypto keys in application code

Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.