CVE-2026-40372
Published: 21 April 2026
Summary
CVE-2026-40372 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Microsoft Asp.Net Core. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 4.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40372 is an improper verification of cryptographic signature vulnerability (CWE-347) affecting ASP.NET Core. Published on 2026-04-21T20:16:59.133, it enables an unauthorized attacker to elevate privileges over a network and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts.
The vulnerability can be exploited remotely by any unauthorized attacker (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N) required. Exploitation over the network (AV:N) allows privilege elevation without affecting availability, but with significant compromise to data confidentiality and integrity under an unchanged scope (S:U).
Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24249
Vulnerability details
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote network privilege escalation vulnerability in ASP.NET Core due to improper cryptographic signature verification, directly enabling exploitation of public-facing applications for initial access/priv esc (T1190) and exploitation for privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires cryptographic integrity verification for software, firmware, and information, directly mitigating the improper signature verification flaw in ASP.NET Core that enables privilege escalation.
Mandates implementation of cryptographic mechanisms to protect information integrity and authenticity, addressing the core cryptographic signature verification failure exploited remotely.
Ensures timely flaw remediation through identification, reporting, and patching, critical for correcting the specific ASP.NET Core signature verification vulnerability per the MSRC advisory.