Infrastructure Patch Urgency

Microsoft pushed an emergency fix on April 22 for a critical ASP.NET Core flaw, while CISA on April 20 added eight actively exploited bugs to its federal patch list. (msrc.microsoft.com) (cisa.gov) ASP.NET Core is Microsoft’s web app framework, and the patched bug sits in its Data Protection system, the code that seals authentication cookies and other sensitive app data. Microsoft tracks the issue as CVE-2026-40372 and shipped the fix outside its normal Patch Tuesday cycle. (msrc.microsoft.com) (bleepingcomputer.com) Microsoft’s.NET team said the April 14 servicing release was 10.0.6 for.NET 10, and security researchers reported that the emergency follow-up is 10.0.7. Ars Technica reported the out-of-band patch also covers ASP.NET deployments on macOS and Linux, not just Windows servers. (devblogs.microsoft.com) (arstechnica.com) The practical risk is session forgery: if the seal on an app’s login cookie is weak, an attacker can fake identity and gain higher privileges. BleepingComputer reported Microsoft rated the flaw critical and said it could lead to privilege escalation on affected servers. (bleepingcomputer.com) (thehackernews.com) CISA’s April 20 update moved a separate set of eight flaws into the Known Exploited Vulnerabilities catalog, the U.S. government list for bugs already abused in real attacks. The additions span PaperCut, JetBrains TeamCity, Kentico Xperience, Quest KACE, Synacor Zimbra, and three Cisco Catalyst SD-WAN Manager issues. (cisa.gov) For federal civilian agencies, the catalog is not advisory language alone. CISA says Binding Operational Directive 22-01 requires remediation by the due dates attached to each entry, and the April 20 batch carries deadlines in late April and early May. (cisa.gov 1) (cisa.gov 2) Several of the newly listed products sit in central admin paths rather than on employee laptops. TeamCity handles software builds, KACE manages endpoints, Zimbra runs mail, and Cisco SD-WAN Manager controls network policy, so one weak point can expose many systems at once. (cisa.gov) CISA says the KEV catalog is the authoritative federal record of vulnerabilities exploited in the wild and urges private-sector organizations to use it in patch triage too. The agency also says automated vulnerability tools should flag KEV entries for priority handling. (cisa.gov 1) (cisa.gov 2) The overlap in this week’s guidance is operational: patch the internet-facing web stack fast, then move to the systems that issue builds, manage devices, route traffic, and store mail. Microsoft’s out-of-band release and CISA’s deadline-driven KEV update both compress the normal window for waiting on a routine maintenance cycle. (msrc.microsoft.com) (cisa.gov)