Cyber Threat Brief — April 27 2026
⚠️ This report is AI-generated. Always validate findings.
1. ASP.NET Core DataProtection HMAC Bypass — CVE-2026-40372
TL;DR: A CVSS 9.1 regression in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 discards HMAC validation on protected payloads, letting attackers forge authentication cookies and escalate to SYSTEM. Emergency OOB patch 10.0.7 released April 22; key ring rotation required if endpoints were exposed during the vulnerable window.
What’s New:
- HMAC in CalculateAndValidateMac computed over wrong payload bytes and discarded — integrity guarantees completely broken
- Padding oracle attack path confirmed: repeated requests can forge valid DataProtection payloads (auth cookies, antiforgery tokens)
- Affects .NET 10 on Linux/macOS (non-Windows); introduced as regression in 10.0.6 (April 14 Patch Tuesday)
- Tokens issued during vulnerable window survive upgrade — attacker-forged sessions remain valid until key ring is rotated
- Duende Software published post-patch rotation guidance for IdentityServer deployments
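To make the defect class concrete for reviewers, here is an added Python illustration (not the DataProtection source and not Microsoft's code) of a protect/unprotect pair: one variant models "MAC computed over the wrong bytes and the result discarded", the other shows the check a correct implementation performs. Key, payload layout and the function names are all constructed for the example; encryption is left out because the brief's issue is the integrity step.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment derives MAC keys from its key ring.
MAC_KEY = b"\x11" * 32
MAC_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def protect(body: bytes, mac_key: bytes = MAC_KEY) -> bytes:
    """Toy encrypt-then-MAC layout: payload = body || HMAC-SHA256(mac_key, body).
    Encryption is omitted because the brief's defect is in the integrity step."""
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def unprotect_broken(payload: bytes, mac_key: bytes = MAC_KEY) -> bytes:
    """Models the defect class described in the brief (not the DataProtection code):
    the MAC is computed over the wrong bytes and the result is thrown away, so a
    payload with a modified body is handed back as if it were authentic."""
    body, tag = payload[:-MAC_LEN], payload[-MAC_LEN:]
    _unused = hmac.new(mac_key, tag, hashlib.sha256).digest()  # wrong input, never compared
    return body


def unprotect_fixed(payload: bytes, mac_key: bytes = MAC_KEY) -> bytes:
    """Correct check: recompute the tag over exactly the bytes it must cover and
    compare in constant time before anything (decryption, unpadding) touches the body."""
    if len(payload) <= MAC_LEN:
        raise ValueError("payload too short to carry a MAC")
    body, tag = payload[:-MAC_LEN], payload[-MAC_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC mismatch: payload rejected")
    return body


def tamper(payload: bytes) -> bytes:
    """Flip one bit in the body and keep the tag, simulating a modified cookie (constructed input)."""
    b = bytearray(payload)
    b[0] ^= 0x01
    return bytes(b)


def is_accepted(unprotect, payload: bytes) -> bool:
    """True if the given unprotect routine returns a body instead of raising."""
    try:
        unprotect(payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    original = protect(b"user=alice;role=user")
    forged = tamper(original)
    print("broken accepts tampered payload:", is_accepted(unprotect_broken, forged))  # True
    print("fixed accepts tampered payload: ", is_accepted(unprotect_fixed, forged))   # False
```

The fixed variant is also why the padding-oracle path in the brief matters: when the MAC is verified (in constant time) before any decryption or unpadding happens, malformed ciphertexts are rejected uniformly and the decryptor leaks nothing about padding; once that check is skipped, every error path below it becomes an oracle.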
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 | Vulnerable NuGet package | T1190 | Asset inventory / SCA | Upgrade to 10.0.7, rotate key ring |
| Forged .AspNetCore.Cookies values | Auth bypass artifact | T1550.004 | WAF / App logs | Hunt for anomalous session creation patterns during April 14–22 window |
| CalculateAndValidateMac HMAC skip | Crypto weakness | T1557 | N/A (code-level) | Verify package version in deployed containers |
| Anomalous admin-tier sessions on Linux/.NET 10 apps | Post-exploitation indicator | T1078.003 | App auth logs / SIEM | Audit privileged sessions created April 14–22 |
| Password reset / API key tokens issued during window | Persistent access | T1098 | App audit logs | Invalidate all tokens issued during vulnerable period |
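For the "Verify package version in deployed containers" action, the following added Python check (not from the brief's sources or Microsoft) walks a .NET app's .deps.json, whose "libraries" keys have the form Name/Version, and flags the affected range stated above. The sample manifest is constructed; the range bounds are taken from the brief, and prerelease builds of 10.0.7 are treated conservatively as unpatched, which is this example's own policy choice.

```python
import json
import os
import re

# Affected range and fix version as stated in the brief.
VULN_PACKAGE = "Microsoft.AspNetCore.DataProtection"
VULN_LOW = (10, 0, 0, 0)        # 10.0.0, prereleases included
VULN_HIGH_EXCL = (10, 0, 7, 1)  # everything below the 10.0.7 release

# Constructed .deps.json fragment; only the "libraries" keys ("Name/Version") matter here.
SAMPLE_DEPS_JSON = json.dumps({
    "libraries": {
        "MyApp/1.0.0": {"type": "project"},
        "Microsoft.AspNetCore.DataProtection/10.0.6": {"type": "package", "serviceable": True},
        "Microsoft.Extensions.Logging/10.0.6": {"type": "package"},
    }
})


def version_key(version: str) -> tuple:
    """(major, minor, patch, release_flag). A prerelease tag ('-preview.1') sorts
    below the release of the same number, so '10.0.7-preview.1' still counts as
    unpatched; build metadata ('+abc') does not affect ordering."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums = (nums + [0, 0, 0])[:3]
    release_flag = 0 if m.group(2).startswith("-") else 1
    return (nums[0], nums[1], nums[2], release_flag)


def find_vulnerable(deps_json_text: str) -> list:
    """Return [(package, version)] entries inside the affected range."""
    data = json.loads(deps_json_text)
    hits = []
    for key in data.get("libraries", {}):
        name, _, version = key.rpartition("/")
        if name.lower() != VULN_PACKAGE.lower() or not version:
            continue
        if VULN_LOW <= version_key(version) < VULN_HIGH_EXCL:
            hits.append((name, version))
    return hits


def scan_tree(root: str) -> list:
    """Walk a mounted container filesystem and report every vulnerable manifest found."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".deps.json"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8") as fh:
                    for hit in find_vulnerable(fh.read()):
                        report.append((path, *hit))
    return report


if __name__ == "__main__":
    print(find_vulnerable(SAMPLE_DEPS_JSON))
```

Run scan_tree against an exported image layer or a mounted /app volume; a hit means the container ships the vulnerable assembly regardless of what the project file on the build host now says, which is the gap an SCA tool looking only at source may miss.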
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No coverage for DataProtection cookie forgery or .NET auth anomalies |
| Elastic | None | No coverage for forged ASP.NET Core auth tokens |
| Sigma | None | No rule for anomalous .NET Core authentication patterns |
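Since the Actionable Intel table asks for a hunt over anomalous session creation and privileged sessions in the April 14–22 window, and the Detection table records that no vendor rule covers it, here is an added Python hunt (not a Splunk, Elastic or Sigma rule, and not from the brief's sources) over application auth logs. The JSON-lines format, the event and field names, and the role names are assumptions about a generic ASP.NET Core app's logging; the log lines are constructed.

```python
import json
from datetime import datetime, timezone

# Vulnerable window from the brief: April 14 (10.0.6 release) through April 22 (10.0.7 release).
WINDOW_START = datetime(2026, 4, 14, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 23, tzinfo=timezone.utc)  # exclusive
PRIVILEGED_ROLES = {"admin", "system"}  # assumption: the role names your app uses

# Constructed JSON-lines auth log; field names (event, user, ip, sid, role) are assumptions.
SAMPLE_LOG = """\
{"ts":"2026-04-10T08:00:00Z","event":"login_success","user":"alice","ip":"10.0.0.5","sid":"s1"}
{"ts":"2026-04-10T08:00:05Z","event":"session_seen","user":"alice","ip":"10.0.0.5","sid":"s1","role":"user"}
{"ts":"2026-04-15T09:00:00Z","event":"login_success","user":"alice","ip":"10.0.0.5","sid":"s2"}
{"ts":"2026-04-15T09:01:00Z","event":"session_seen","user":"alice","ip":"10.0.0.5","sid":"s2","role":"user"}
{"ts":"2026-04-16T03:12:00Z","event":"session_seen","user":"admin","ip":"203.0.113.9","sid":"s9","role":"admin"}
{"ts":"2026-04-18T11:00:00Z","event":"login_success","user":"bob","ip":"10.0.0.7","sid":"s3"}
{"ts":"2026-04-18T11:00:02Z","event":"session_seen","user":"bob","ip":"10.0.0.7","sid":"s3","role":"admin"}
{"ts":"2026-04-25T10:00:00Z","event":"session_seen","user":"carol","ip":"198.51.100.2","sid":"s7","role":"admin"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into event dicts with tz-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def hunt(events: list, start=WINDOW_START, end=WINDOW_END) -> dict:
    """Return {sid: set(reasons)} for sessions worth a closer look.

    Rule 1 (forgery indicator): a session observed inside the window whose id never
    appears in any login_success event, i.e. a cookie the app itself never issued.
    Rule 2 (audit list): any privileged session observed inside the window, matching
    the brief's 'audit privileged sessions created April 14-22' action.
    """
    issued = {e["sid"] for e in events if e["event"] == "login_success"}
    findings = {}
    for e in events:
        if e["event"] != "session_seen" or not (start <= e["ts"] < end):
            continue
        reasons = set()
        if e["sid"] not in issued:
            reasons.add("session_without_login")
        if e.get("role") in PRIVILEGED_ROLES:
            reasons.add("privileged_session_in_window")
        if reasons:
            findings.setdefault(e["sid"], set()).update(reasons)
    return findings


if __name__ == "__main__":
    for sid, reasons in sorted(hunt(parse_log(SAMPLE_LOG)).items()):
        print(sid, sorted(reasons))
```

Rule 1 only works when log retention reaches back past the earliest session still in use, since a legitimately issued cookie whose login event has aged out will look unissued; treat those hits as a triage list, not a verdict. Because tokens issued in the window survive the upgrade until the key ring is rotated, the window end should be moved to your rotation time rather than the patch date if rotation happened later.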
Sources: BleepingComputer · THN · Microsoft Advisory · Duende Rotation Guide · SOCPrime Detection
Status Updates
- CVE-2026-34621 (Adobe Acrobat Reader): FCEB federal deadline TODAY April 27. Prototype pollution RCE via malicious PDF — patch to DC 26.001.21411 or Acrobat 2024 24.001.30362. Exploited ITW since Nov 2025. Original brief.
- RedSun/UnDefend (Windows Defender): Still unpatched. BlueHammer (CVE-2026-33825) in CISA KEV, deadline May 7. Continue hunting TieringEngineService.exe replacement and Defender signature update failures. Original brief.
- CVE-2024-7399/57726/57728/CVE-2025-29635 (Samsung/SimpleHelp/D-Link KEVs): Federal deadline May 15. No new artifacts. Mirai tuxnokill and DragonForce ransomware chains remain active. Original brief.
- GlassWorm Phase 4 (Open VSX): No new activations since April 26 coverage. Continue auditing IDE extension directories for Zig .node binaries. Original brief.
- CVE-2026-33626 (LMDeploy SSRF): Ongoing exploitation. Upgrade to 0.12.3. Hunt IMDS calls from VLM containers. Original brief.