Microsoft has issued a warning about attackers leveraging exposed ASP.NET machine keys to conduct ViewState code injection attacks and deploy malware.
According to Microsoft Threat Intelligence, some developers copy static ASP.NET validationKey and decryptionKey values from public code documentation and repository platforms into their own applications. These keys exist to protect ViewState from tampering and data exposure, so a key that anyone can look up provides no protection at all.
ViewState, a core mechanism of ASP.NET Web Forms, preserves page and control state across postbacks in a hidden form field, and the server protects that field with a Message Authentication Code (MAC) computed from the machine key. An attacker who obtains the same key can build a ViewState that carries a malicious serialized payload and sign it with a valid MAC, so the server treats it as genuine.
Cybercriminals have been found using machine keys from publicly accessible sources in such injection attacks, crafting malicious ViewStates that get processed by ASP.NET Web Forms.
Once an attacker submits the malicious ViewState in a POST request, the targeted server's ASP.NET runtime decrypts it and verifies the MAC with the compromised machine key, then deserializes the payload. Deserialization runs the attacker's code inside the worker process, giving remote code execution (RCE) on the IIS web server, which the adversary can then use to deploy additional malware.
In a specific case observed in December 2024, an unidentified attacker used a publicly available machine key to compromise an IIS web server, deploying the Godzilla post-exploitation framework. This tool enables threat actors to execute malicious commands and inject shellcode into the targeted system.
Microsoft revealed that over 3,000 publicly exposed ASP.NET machine keys could be exploited in these attacks, which are categorized as ViewState code injection threats. Unlike previous attacks that relied on stolen or dark web-sold keys, these readily available keys pose an even greater risk, as they may have been unknowingly incorporated into development environments.
Microsoft’s Recommendations to Mitigate the Threat
To defend against such attacks, Microsoft advises developers to:
- Securely generate machine keys instead of using default or publicly available ones.
- Encrypt machineKey and connectionStrings elements to prevent unauthorized access to plaintext secrets.
- Upgrade applications to ASP.NET 4.8, enabling Antimalware Scan Interface (AMSI) for enhanced security.
- Implement Windows Server hardening techniques, such as attack surface reduction rules, to block web shell creation.
Additionally, Microsoft has outlined specific steps to remove or replace insecure ASP.NET keys in the web.config file using PowerShell or the IIS manager console. To discourage unsafe practices, the company has also removed machine key samples from its public documentation.
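The key rotation and section encryption steps above, carried out as one PowerShell script. This is an added example written for this page, not Microsoft's published script or tooling. It assumes an elevated PowerShell session on the IIS host with .NET Framework 4.x installed; the script name and its -WebConfigPath and -Encrypt parameters are names chosen here.

```powershell
<#
  Rotate-MachineKey.ps1 (added example, not Microsoft's own script).
  Audits one web.config for a hard-coded <machineKey>, replaces it with freshly
  generated random keys, and optionally encrypts the machineKey and
  connectionStrings sections with aspnet_regiis.exe.
  Assumptions: elevated session on the IIS host, .NET Framework 4.x present,
  -WebConfigPath pointing at the application's web.config.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$WebConfigPath,
    [switch]$Encrypt
)

function New-HexKey {
    # Return $ByteCount bytes from the OS CSPRNG as an uppercase hex string,
    # which is the format the machineKey attributes expect.
    param([int]$ByteCount)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$fullPath = (Resolve-Path -LiteralPath $WebConfigPath).Path
$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true
$config.Load($fullPath)

$systemWeb = $config.SelectSingleNode('/configuration/system.web')
if (-not $systemWeb) {
    $systemWeb = $config.DocumentElement.AppendChild($config.CreateElement('system.web'))
}

# Any explicit validationKey/decryptionKey is suspect: the safe values are
# AutoGenerate,IsolateApps or a key you generated yourself and never published.
$machineKey = $systemWeb.SelectSingleNode('machineKey')
if ($machineKey) {
    foreach ($attr in 'validationKey', 'decryptionKey') {
        $value = $machineKey.GetAttribute($attr)
        if ($value -and $value -notlike 'AutoGenerate*') {
            Write-Warning "$fullPath carries a hard-coded $attr; rotating it."
        }
    }
} else {
    $machineKey = $systemWeb.AppendChild($config.CreateElement('machineKey'))
}

# Keep a backup, then write fresh keys: 64 bytes for HMACSHA256 validation and
# 32 bytes for AES decryption, the same sizes IIS Manager generates.
Copy-Item -LiteralPath $fullPath -Destination "$fullPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
$machineKey.SetAttribute('validationKey', (New-HexKey 64))
$machineKey.SetAttribute('decryptionKey', (New-HexKey 32))
$machineKey.SetAttribute('validation', 'HMACSHA256')
$machineKey.SetAttribute('decryption', 'AES')
$config.Save($fullPath)

if ($Encrypt) {
    # aspnet_regiis -pef encrypts a named section of the web.config found in the
    # given physical directory using the RSA protected-configuration provider.
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    $appDir = Split-Path -Parent $fullPath
    $sections = @('system.web/machineKey')
    if ($config.SelectSingleNode('/configuration/connectionStrings')) {
        $sections += 'connectionStrings'
    }
    foreach ($section in $sections) {
        & $regiis -pef $section $appDir
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed on section $section" }
    }
}
```

Run it as `.\Rotate-MachineKey.ps1 -WebConfigPath 'C:\inetpub\wwwroot\app\web.config' -Encrypt`. Two practical points: in a web farm every node must share the same key, so generate once and copy the encrypted web.config to the other nodes rather than running the script on each; and any ViewState already sitting in users' open pages will fail MAC validation after the rotation, so schedule it in a maintenance window. Rotating the key closes the door for new forged ViewState but does nothing about code an attacker already planted, which is the point of the investigation guidance that follows.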
Microsoft further cautions that if an attacker has already exploited a publicly exposed machine key, rotating the key alone will not remove backdoors or persistence mechanisms planted through it, and a deeper investigation is warranted. Internet-facing servers in particular should be examined thoroughly, and where compromise is confirmed Microsoft recommends taking the server offline and rebuilding it from a clean reinstall.