According to Microsoft, the root cause of this vulnerability is the widespread insecure practice of developers incorporating publicly shared ASP.NET machine keys found in documentation and code repositories. These keys, which are intended to secure ASP.NET’s ViewState mechanism, can be exploited to craft malicious ViewState payloads that grant remote code execution on IIS (Internet Information Services) servers.
Unlike previous ViewState attacks that relied on stolen or compromised keys sold on dark web forums, these publicly disclosed keys pose an even greater risk due to their accessibility across multiple sources. Microsoft has urged developers to stop using static, publicly shared keys and to rotate existing ones regularly.
Security experts at Microsoft have released a GitHub repository containing hash values for known exposed keys and have provided a script to help organizations scan their networks for vulnerabilities. Additionally, Microsoft Defender for Endpoint now includes an alert labeled “Publicly disclosed ASP.NET machine key” to assist in threat detection.
With the scale of exposure still unclear, Microsoft is calling on developers and IT administrators to tighten security hygiene and prevent these keys from being misused as a tool for cyber intrusions. Organizations are strongly advised to audit their systems, update their security practices, and remove any hardcoded keys from public repositories to mitigate potential risks.
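The audit described above can be sketched as follows. This is an added example, not Microsoft's script or code from the source article: it finds static `validationKey` and `decryptionKey` values in a `web.config` and checks their fingerprints against a list of known exposed hashes. The fingerprint scheme (SHA-256 of the upper-cased key string), the function names, and the sample config are assumptions; use the hash format documented in Microsoft's repository when checking against its list.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample config; the key value is a made-up placeholder, not a real key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

KEY_ATTRS = ("validationKey", "decryptionKey")


def key_fingerprint(value):
    """Assumed scheme: SHA-256 over the trimmed, upper-cased key string."""
    return hashlib.sha256(value.strip().upper().encode("utf-8")).hexdigest()


def audit_machine_keys(config_xml, known_exposed_hashes):
    """Return one finding per statically configured key in <machineKey> elements."""
    findings = []
    root = ET.fromstring(config_xml)
    # iter() also reaches <machineKey> elements nested under <location> blocks.
    for elem in root.iter("machineKey"):
        for attr in KEY_ATTRS:
            value = elem.get(attr)
            # An absent attribute or an AutoGenerate value means the runtime
            # creates the key itself, so nothing is hardcoded.
            if value is None or value.strip().lower().startswith("autogenerate"):
                continue
            fingerprint = key_fingerprint(value)
            findings.append({
                "attribute": attr,
                "fingerprint": fingerprint,
                # Any static key deserves review; a match here means it must
                # be rotated, because the key is public.
                "publicly_known": fingerprint in known_exposed_hashes,
            })
    return findings


if __name__ == "__main__":
    # Constructed "known exposed" list containing the sample key's fingerprint.
    exposed = {key_fingerprint("0123456789ABCDEF0123456789ABCDEF")}
    for finding in audit_machine_keys(SAMPLE_WEB_CONFIG, exposed):
        print(finding)
```

Only the fingerprint is reported, so the audit output never contains the key material itself.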
Source: Cybersecurity Dive
The European Cyber Intelligence Foundation is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities.