Microsoft Issues Emergency Out-of-Band Patches for Critical ASP.NET Core Privilege Escalation

Microsoft has released out-of-band security updates to address a critical privilege escalation vulnerability in ASP.NET Core. The emergency, off-cycle release signals the issue is considered serious enough that it could not wait for the next Patch Tuesday cycle.

Any application or service running on the .NET runtime stack may be affected. Organizations running ASP.NET Core workloads — including self-hosted web APIs, Azure App Service deployments, and containerized .NET services — should apply the OOB patches without delay. Privilege escalation flaws in web frameworks are attractive post-exploitation targets, enabling attackers to move from limited-privilege contexts to broader system access. Monitor the MSRC advisory for CVE assignment and exploitation status.