Open Door in the Mid-Market Bank
A critical vulnerability in the most widely used .NET component allows attackers to escalate privileges without logging in. Patches have been available for a long time, yet mid-sized companies relying on external hosts or ISVs have no control over the update process.
Key Takeaways
- Exploitable remotely without authentication: CVE-2026-40372 is network-based, not local. Any company running ASP.NET Core in a customer portal, partner API, or publicly accessible B2B application faces a direct risk, not just an inventory concern.
- Mid-sized companies are affected more than expected: Industry-specific software, accounting frontends, logistics tracking apps, and service portals in many firms run on .NET 6, 7, or 8. Often hosted by a provider that does not automatically track patch status.
- Patch is available—distribution is the issue: Microsoft provides updates for .NET 6 LTS, .NET 7 (out of support since May 2024), and .NET 8 LTS. Companies still on .NET 7 officially receive no fix—the most challenging scenario for mid-sized firms.
What the vulnerability actually does
What is CVE-2026-40372? CVE-2026-40372 is a critical flaw in ASP.NET Core where cryptographic signature verification is inadequately implemented. Attackers can send manipulated requests with forged or bypassed signatures to escalate permissions—without prior authentication. Microsoft rates the flaw CVSS 9.1, marking it critical. It was published in the NVD on 21 April 2026 and affects all currently supported .NET versions.
The vulnerable component sits in the authentication and token verification layer. Applications using JWT tokens, signed cookies, or OAuth flows are prime targets. In practice, virtually every ASP.NET Core application with login functionality is exposed. The attack can be executed over the public internet as soon as the endpoint is reachable.
Why SMEs are more affected than the statistics suggest
Cloud market statistics show ASP.NET with a smaller share than Java or Node. In DACH mid-market practice, however, the picture looks different. Three common scenarios emerge.
First: industry-specific software built on .NET. Many solutions for trades, logistics, healthcare or mechanical engineering grew as Windows stacks and added a web front-end with ASP.NET Core. Often, an IT service provider or reseller hosts the application. If you don’t actively request the patch status, you’ll get the update at best during the next maintenance window.
Second: in-house customer portals. Most mid-market portals for ordering, status tracking or service tickets are built with .NET 6 or 8 because .NET expertise exists in-house. These custom developments are patched centrally less often than off-the-shelf standard software. Without a clearly defined owner for framework updates, you have an open flank here.
Third: legacy on .NET 7. Microsoft ended support for .NET 7 in May 2024. Anyone still running it won’t receive an official patch for CVE-2026-40372. The reality in many companies: the upgrade to .NET 8 was postponed because other priorities took precedence. These stacks now need a deliberate decision—migration or compensating controls such as a web application firewall with signature-validation rules.
“On 21 April 2026 Microsoft classified CVE-2026-40372 as critical: a signature-verification flaw in ASP.NET Core allows unauthenticated attackers to escalate privileges across the network.”
Three steps to take within the next 14 days
First: inventory. Identify every application that uses ASP.NET Core. Contact your IT service provider and ask which .NET version is running in production and whether the CVE-2026-40372 patch has been applied. If you host in-house, run dotnet --version on the server.
Second: roll out patches in priority order. Start with public-facing apps—everything reachable via external login. Follow with internal-only apps. For stacks stuck on .NET 7, create a mitigation plan: trigger migration to .NET 8 or deploy a WAF rule as an interim measure.
Third: check logging. Verify whether your applications record authentication anomalies. If an attacker attempts a token-verification bypass, that event should appear in the application log. Many mid-market apps log successful logins but miss failed verification attempts—this is the telemetry you now need.
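The inventory step above can be turned into a small triage script. The following is an added example and not code from the article or from Microsoft: it parses the output of the real dotnet --list-runtimes command (the sample output at the bottom is constructed) and sorts every installed ASP.NET Core runtime into the three buckets the article describes: .NET 7 has no vendor fix, .NET 6 and 8 need a build at or above the first patched release, anything else is flagged for manual review. The minimum patched build numbers are placeholders that must be replaced with the values from Microsoft's advisory.

```python
"""Triage of installed ASP.NET Core runtimes against the support status
described in the article (added example, not the article's own code).

Parses the output of `dotnet --list-runtimes` (a real dotnet CLI command;
the sample output at the bottom is constructed) and classifies every
Microsoft.AspNetCore.App runtime it finds:
  .NET 7   -> out of support, no official fix: migrate or mitigate
  .NET 6/8 -> patch exists: compare the build against the minimum patched build
  other    -> not covered by the article, flag for manual review
"""
import re
import subprocess
from dataclasses import dataclass

# PLACEHOLDER values, not taken from Microsoft's advisory: replace them with
# the first patched build numbers for CVE-2026-40372 before relying on this.
PATCHED_MINIMUM = {6: (6, 0, 999), 8: (8, 0, 999)}
UNSUPPORTED_MAJORS = {7}

# One line of `dotnet --list-runtimes` looks like:
# Microsoft.AspNetCore.App 8.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
RUNTIME_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\d+\.\d+\.\d+)\S*\s+\[(?P<path>[^\]]+)\]$"
)


@dataclass
class Finding:
    version: str
    status: str  # "patched", "needs_patch", "unsupported" or "review"
    action: str


def parse_version(version: str) -> tuple:
    """'8.0.4' -> (8, 0, 4); preview suffixes are already dropped by the regex."""
    return tuple(int(part) for part in version.split("."))


def classify(version: str) -> Finding:
    parsed = parse_version(version)
    major = parsed[0]
    if major in UNSUPPORTED_MAJORS:
        return Finding(version, "unsupported",
                       "no vendor fix: migrate to .NET 8 or put compensating controls in place")
    if major in PATCHED_MINIMUM:
        if parsed >= PATCHED_MINIMUM[major]:
            return Finding(version, "patched", "no action")
        wanted = ".".join(str(part) for part in PATCHED_MINIMUM[major])
        return Finding(version, "needs_patch", f"update to {wanted} or later")
    return Finding(version, "review", "version not covered by the advisory text; check manually")


def triage(list_runtimes_output: str) -> list:
    """Classify every ASP.NET Core shared runtime listed in the CLI output."""
    findings = []
    for line in list_runtimes_output.splitlines():
        match = RUNTIME_RE.match(line.strip())
        if match and match.group("name") == "Microsoft.AspNetCore.App":
            findings.append(classify(match.group("version")))
    return findings


def triage_local_host() -> list:
    """Run the real CLI on this machine (requires the dotnet SDK or runtime)."""
    result = subprocess.run(["dotnet", "--list-runtimes"],
                            capture_output=True, text=True, check=True)
    return triage(result.stdout)


# Constructed sample output: three ASP.NET Core runtimes plus one base runtime.
SAMPLE_OUTPUT = """\
Microsoft.AspNetCore.App 6.0.25 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.999 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_OUTPUT):
        print(f"{finding.version:<10} {finding.status:<12} {finding.action}")
```

Run it on the sample as-is, or call triage_local_host() on each server; for applications hosted by a provider, ask them for the same command's output and feed it to triage(). Note that the shared runtime list is only half the inventory: self-contained deployments ship their own copy of the framework and do not appear here, so those applications still need to be checked individually.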
Frequently Asked Questions
Which .NET versions are affected by CVE-2026-40372?
Affected versions are ASP.NET Core 6.0, 7.0, and 8.0. Microsoft has released patches for the LTS (Long-Term Support) versions 6 and 8. .NET 7 reached end-of-support in May 2024, so no official fix is available. If you’re still relying on .NET 7, migration or mitigation is required.
Do we need the patch if our application is only accessible internally?
Yes, though with lower priority. Internal applications remain reachable for attackers who already have a foothold in your network. CVE-2026-40372 is network-based, which includes internal networks. Prioritize public-facing systems first, internal-only systems next—both within a two-week window.
Is a Web Application Firewall sufficient as a temporary measure?
Only as a stopgap. A WAF with rules for signature-validation anomalies can detect attacks where the signature appears in headers or the request body. However, it won’t catch deeper verification paths in application logic. Patching remains the cleanest solution.
What if our IT service provider isn’t responding?
Send a written request specifying a deadline for patch deployment. For critical applications, escalate to the provider’s executive leadership. Review your contract for SLAs—most standard agreements require patching critical vulnerabilities within seven to 30 days.
What indicators suggest an active attack?
Watch for unusual authentication logs: repeated 401 responses followed by a 200 on the same endpoint. Tokens that look structurally valid but originate from unknown issuers. Requests with unusually short token lifetimes. If you use SIEM or log aggregation, set up alerts—look for patterns, not isolated events.
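The three indicators above translate directly into detection rules. What follows is an added example, not code from the article: it runs the rules over a constructed set of authentication log lines and reports which client and endpoint triggered each one. The log format (one JSON object per line with ts, client, path, status and optional issuer and token_ttl_s fields), the trusted issuer URL and the thresholds are assumptions; adapt them to what your application actually logs.

```python
"""Detection rules for the three indicators the article lists, run over
sample authentication log lines (added example, not the article's code).

Rules:
  failures_then_success  - several 401s on one endpoint from one client,
                           followed by a 200 on the same endpoint within a window
  unknown_issuer         - a token whose issuer is not on the allow list
  short_token_lifetime   - a token whose lifetime is below a sane minimum
The log format (one JSON object per line with ts, client, path, status and
optional issuer / token_ttl_s fields) and the trusted issuer URL are
assumptions; adapt both to what your application actually logs.
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

TRUSTED_ISSUERS = {"https://login.example.local/"}   # assumption
MIN_TOKEN_LIFETIME = timedelta(seconds=60)            # tune to your token policy
FAILED_BEFORE_SUCCESS = 3                             # 401s needed to arm the rule
WINDOW = timedelta(minutes=5)                         # how long failures stay relevant


@dataclass
class Alert:
    rule: str
    client: str
    path: str
    detail: str


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(lines) -> list:
    """Return one Alert per rule hit, in the order the events are processed."""
    alerts = []
    # (client, path) -> timestamps of recent 401 responses, oldest first
    recent_failures = defaultdict(deque)
    for event in parse_events(lines):
        client, path, status = event["client"], event["path"], event["status"]
        issuer = event.get("issuer")
        if issuer is not None and issuer not in TRUSTED_ISSUERS:
            alerts.append(Alert("unknown_issuer", client, path, f"issuer={issuer}"))
        ttl = event.get("token_ttl_s")
        if ttl is not None and timedelta(seconds=ttl) < MIN_TOKEN_LIFETIME:
            alerts.append(Alert("short_token_lifetime", client, path, f"ttl={ttl}s"))
        failures = recent_failures[(client, path)]
        # Drop failures that are older than the window before evaluating.
        while failures and event["ts"] - failures[0] > WINDOW:
            failures.popleft()
        if status == 401:
            failures.append(event["ts"])
        elif status == 200:
            if len(failures) >= FAILED_BEFORE_SUCCESS:
                alerts.append(Alert("failures_then_success", client, path,
                                    f"{len(failures)} x 401 then 200 within {WINDOW}"))
            failures.clear()
    return alerts


# Constructed sample log: one client probes /api/orders and eventually gets a 200
# with a token from an unknown issuer and a 20-second lifetime; another client
# fails once (a mistyped password) and then logs in with a normal token.
SAMPLE_LOG = """
{"ts": "2026-04-22T10:00:00", "client": "10.0.0.5", "path": "/api/orders", "status": 401}
{"ts": "2026-04-22T10:00:05", "client": "10.0.0.5", "path": "/api/orders", "status": 401}
{"ts": "2026-04-22T10:00:10", "client": "10.0.0.5", "path": "/api/orders", "status": 401}
{"ts": "2026-04-22T10:00:20", "client": "10.0.0.5", "path": "/api/orders", "status": 200, "issuer": "https://unknown.example/", "token_ttl_s": 20}
{"ts": "2026-04-22T10:01:00", "client": "10.0.0.9", "path": "/api/orders", "status": 401}
{"ts": "2026-04-22T10:01:30", "client": "10.0.0.9", "path": "/api/orders", "status": 200, "issuer": "https://login.example.local/", "token_ttl_s": 3600}
{"ts": "2026-04-22T10:02:00", "client": "10.0.0.9", "path": "/api/invoices", "status": 200, "issuer": "https://login.example.local/", "token_ttl_s": 3600}
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.rule:<22} {alert.client:<10} {alert.path:<14} {alert.detail}")
```

The second client produces no alert at all: a single 401 followed by a 200 with a trusted, long-lived token is an ordinary login. The point of the failures_then_success rule is exactly the one the article makes, to alert on the pattern rather than on individual events, so the threshold and the window are what you tune against your own false-positive rate. The same rules can be expressed as SIEM queries once the fields in your application log are known.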
Source of cover image: Pexels / Pixabay

