What Happened
Microsoft has discovered that .NET 10 — the latest version of its widely used application development framework, released for general availability in November 2025 — shipped with a flaw that causes the cryptographic keys protecting web application login sessions (the ASP.NET Core DataProtection keys) to be written to insecure locations on Linux servers. This security regression has been present in every version of .NET 10 since its release.
The keys in question protect everything that relies on session security in an ASP.NET Core web application: authentication cookies that keep users logged in, anti-forgery (CSRF) tokens that validate web form submissions, and encrypted data passed between pages. An attacker who obtains these keys can impersonate any user in the application — including administrators — without knowing their password, and without triggering standard authentication monitoring.
Microsoft released an emergency patch on 21–22 April 2026 (.NET 10.0.7). However, because the flaw has been present since November 2025, any application running .NET 10 on Linux may have had its session keys exposed for up to five months.
Business Impact
The operational risk is immediate for any organisation running web applications, internal portals, or API services built on .NET 10 deployed on Linux infrastructure — including containerised workloads on AWS, Azure, Google Cloud, and Kubernetes clusters.
Key business risks:
- Unauthorised access without credentials: Attackers holding leaked session keys can access any .NET 10 application as any user, including administrators, bypassing multi-factor authentication entirely
- Customer-facing application compromise: Consumer-facing applications using .NET 10 may be vulnerable to account takeover at scale
- Five months of retrospective exposure: Applications that have been running .NET 10 on Linux since November 2025 may already have had keys harvested — this is not only a forward-looking risk
- Compliance exposure: Applications handling regulated data under HIPAA, PCI DSS, or financial regulations that operated on affected infrastructure will require breach assessment
Board-Ready Summary
Any web application your organisation runs on Microsoft’s latest development framework (.NET 10) on Linux servers has had its session security keys potentially exposed since November 2025. If those keys were obtained by an attacker, they can log in to those applications as any employee or customer — including administrators — without a password and without triggering login alerts.
Your technology team must apply an emergency patch and replace all session security keys on affected systems today. This requires a brief period of forced re-authentication for all users of affected applications — plan for this operational interruption.
Recommended Actions
Immediate — within 24 hours:
- Identify all .NET 10 applications deployed on Linux in your environment, including containerised workloads on Kubernetes and cloud container platforms
- Apply the .NET 10.0.7 patch to all affected deployments; pull updated container base images and trigger rolling restarts in containerised environments
- Rotate all DataProtection encryption keys after patching — this invalidates existing session cookies and forces re-authentication; schedule this with application owners to minimise operational impact
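For the first step, finding every .NET 10 deployment on Linux, the following Python triage helper is an added example; it is not part of this advisory and not Microsoft tooling. It parses the output of `dotnet --list-runtimes` as collected from hosts or containers and flags any .NET 10 runtime below the 10.0.7 fix level named above. The host names and runtime listings are constructed samples; the 10.0.7 threshold and the "affects .NET 10 only" scope are taken from this advisory.

```python
"""Triage helper: flag .NET 10 runtimes below the fixed level named in the advisory.

Added example (not Microsoft tooling). Parses the `dotnet --list-runtimes` output
format as collected from hosts or containers. The listings below are constructed.
"""
from __future__ import annotations

import re

PATCHED_VERSION = (10, 0, 7)   # fix level stated in the advisory
AFFECTED_MAJOR = 10            # the advisory scopes the flaw to .NET 10

# One line of `dotnet --list-runtimes`: "<name> <version> [<install path>]"
RUNTIME_LINE_RE = re.compile(
    r"^(?P<name>Microsoft\.\S+)\s+(?P<version>\S+)\s+\[(?P<path>[^\]]+)\]\s*$"
)


def parse_version(version: str) -> tuple[int, ...]:
    """'10.0.3' -> (10, 0, 3); prerelease tags such as '10.0.0-rc.2.x' -> (10, 0, 0)."""
    core, _, _prerelease = version.partition("-")
    return tuple(int(part) for part in core.split("."))


def classify(version: str) -> str:
    """Return 'not_affected', 'patch_required' or 'patched' for one runtime version."""
    numbers = parse_version(version)
    if numbers[0] != AFFECTED_MAJOR:
        return "not_affected"
    # Every 10.0.x below 10.0.7, including RC/preview builds, still carries the regression.
    if numbers < PATCHED_VERSION:
        return "patch_required"
    return "patched"


def triage_runtimes(listing: str, host: str = "unknown") -> list[dict]:
    """Return one record per installed runtime with its patch status."""
    records = []
    for line in listing.splitlines():
        m = RUNTIME_LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and any banner text
        records.append({
            "host": host,
            "runtime": m.group("name"),
            "version": m.group("version"),
            "status": classify(m.group("version")),
            # DataProtection ships in the ASP.NET Core shared framework, so this is the
            # runtime whose presence matters most for the key-exposure issue.
            "hosts_dataprotection": m.group("name") == "Microsoft.AspNetCore.App",
        })
    return records


def hosts_needing_patch(inventory: dict[str, str]) -> list[str]:
    """inventory maps a host or container name to its `dotnet --list-runtimes` output."""
    return sorted(
        host
        for host, listing in inventory.items()
        if any(r["status"] == "patch_required" for r in triage_runtimes(listing, host))
    )


# Constructed sample inventory (hypothetical host names; not captured from a real estate).
SAMPLE_INVENTORY = {
    "web-frontend-7c9d": (
        "Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n"
        "Microsoft.AspNetCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n"
        "Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n"
        "Microsoft.NETCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n"
    ),
    "api-gateway-2f1a": (
        "Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n"
        "Microsoft.NETCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n"
    ),
    "legacy-portal-8b3e": (
        "Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n"
        "Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n"
    ),
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print("patch required:", host)
```

Run `dotnet --list-runtimes` inside each container image as well as on each host, because a shared-framework runtime baked into an image is not visible from the node. Self-contained deployments bundle their own runtime and do not appear in this listing at all, so those applications have to be checked through their build metadata rather than through the installed-runtime inventory.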
Within 48 hours:
- Search centralised log platforms (Splunk, Elastic, Datadog, Azure Monitor) for DataProtection key XML patterns that may have been emitted to container stdout since November 2025
- Assess whether any affected applications handle regulated data that would trigger breach notification obligations if key exposure is confirmed
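The log search in the first item above can be prototyped offline before it is turned into a Splunk or Elastic query. The Python script below is an added example, not part of this advisory and not Microsoft tooling. It matches the key-ring XML format that ASP.NET Core uses when it persists DataProtection keys (a `<key id="...">` element wrapping a `<masterKey>` value) and the framework's own "No XML encryptor configured" warning, lists the key ids that must be treated as compromised, and redacts the secret bytes so the evidence can go into an incident ticket. The container log excerpt, the key id and the base64 value are all constructed; the `deserializerType` attribute is abbreviated.

```python
"""Detect ASP.NET Core DataProtection key material that has reached application logs.

Added example (not from the advisory or from Microsoft). Scans raw log text for the
key-ring XML format ASP.NET Core uses when persisting keys, plus the framework's
"No XML encryptor configured" warning. The log excerpt below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A serialized key element: <key id="<guid>" version="1"> ... </key>
KEY_ELEMENT_RE = re.compile(
    r'<key\s+id="(?P<id>[0-9a-fA-F-]{36})"\s+version="\d+"\s*>(?P<body>.*?)</key>',
    re.DOTALL,
)
# The master key inside it; group 1 is the base64 secret itself.
MASTER_KEY_RE = re.compile(
    r"<masterKey\b[^>]*>.*?<value>\s*([^<\s]+)\s*</value>", re.DOTALL
)
# Warning XmlKeyManager logs when a key is persisted without an XML encryptor configured.
NO_ENCRYPTOR_RE = re.compile(
    r"No XML encryptor configured\. Key \{(?P<id>[0-9a-fA-F-]{36})\} may be persisted"
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical": secret present; "high": key element, no secret; "medium": warning only
    key_id: str
    evidence: str


def scan_log(text: str) -> list[Finding]:
    """Return findings in order of appearance; key ids are normalised to lower case."""
    hits: list[tuple[int, Finding]] = []
    for m in NO_ENCRYPTOR_RE.finditer(text):
        hits.append((m.start(), Finding(
            "medium", m.group("id").lower(),
            "framework warned that the key may be persisted unencrypted")))
    for m in KEY_ELEMENT_RE.finditer(text):
        if MASTER_KEY_RE.search(m.group("body")):
            hits.append((m.start(), Finding(
                "critical", m.group("id").lower(),
                "serialized key element containing a plaintext <masterKey> value")))
        else:
            hits.append((m.start(), Finding(
                "high", m.group("id").lower(),
                "serialized key element without master key material")))
    return [finding for _, finding in sorted(hits, key=lambda hit: hit[0])]


def key_ids_to_revoke(findings: list[Finding]) -> list[str]:
    """Every key id that appears in a log must be treated as compromised and rotated."""
    return sorted({f.key_id for f in findings})


def redact(text: str) -> str:
    """Blank the secret bytes so the excerpt can be attached to an incident record."""
    return MASTER_KEY_RE.sub(lambda m: m.group(0).replace(m.group(1), "[REDACTED]"), text)


# Constructed container stdout excerpt with per-line timestamps (as `kubectl logs --timestamps`
# would add them). The key id and the base64 value are placeholders, not real key material.
SAMPLE_LOG = """\
2025-11-20T09:14:02.001Z info: Microsoft.Hosting.Lifetime[14] Now listening on: http://[::]:8080
2025-11-20T09:14:02.120Z warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager No XML encryptor configured. Key {3F2C9A10-7D4E-4B6A-9C1D-0E8F7A6B5C4D} may be persisted to storage in unencrypted form.
2025-11-20T09:14:02.121Z <?xml version="1.0" encoding="utf-8"?>
2025-11-20T09:14:02.121Z <key id="3f2c9a10-7d4e-4b6a-9c1d-0e8f7a6b5c4d" version="1">
2025-11-20T09:14:02.121Z   <creationDate>2025-11-20T09:14:02.1200000Z</creationDate>
2025-11-20T09:14:02.121Z   <activationDate>2025-11-20T09:14:02.1200000Z</activationDate>
2025-11-20T09:14:02.121Z   <expirationDate>2026-02-18T09:14:02.1200000Z</expirationDate>
2025-11-20T09:14:02.121Z   <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection">
2025-11-20T09:14:02.121Z     <descriptor>
2025-11-20T09:14:02.121Z       <encryption algorithm="AES_256_CBC" />
2025-11-20T09:14:02.121Z       <validation algorithm="HMACSHA256" />
2025-11-20T09:14:02.121Z       <masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
2025-11-20T09:14:02.121Z         <!-- Warning: the key below is in an unencrypted form. -->
2025-11-20T09:14:02.121Z         <value>Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=</value>
2025-11-20T09:14:02.121Z       </masterKey>
2025-11-20T09:14:02.121Z     </descriptor>
2025-11-20T09:14:02.121Z   </descriptor>
2025-11-20T09:14:02.121Z </key>
2025-11-20T09:14:02.300Z info: Microsoft.Hosting.Lifetime[0] Application started.
"""

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for finding in results:
        print(f"{finding.severity:8} {finding.key_id}  {finding.evidence}")
    print("revoke:", ", ".join(key_ids_to_revoke(results)))
```

The same literals drive the SIEM search: `<masterKey`, `key below is in an unencrypted form` and `No XML encryptor configured` are the terms to query across the retention window back to November 2025. The timestamp of the earliest hit bounds the exposure period and feeds directly into the breach assessment in the second item, and the key ids it returns are the ones the rotation step must revoke rather than merely expire.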
Ongoing:
- Establish a process to evaluate security implications of major framework version upgrades before production deployment; .NET 10’s regression persisted because security-specific regression testing was not part of the upgrade validation