Microsoft has issued a warning about a new wave of malware attacks exploiting ViewState code injection by leveraging publicly available ASP.NET machine keys.
Cybercriminals are using static validationKey and decryptionKey values found online to inject malicious code into vulnerable IIS web servers, potentially leading to remote code execution.
According to Microsoft Threat Intelligence, some developers unknowingly use machine keys from documentation and code repositories in their applications. However, threat actors also leverage these publicly disclosed keys to craft malicious ViewStates, which ASP.NET Web Forms use to manage page states. When the compromised ViewState is sent via POST requests, the targeted ASP.NET Runtime validates it using the correct key, loads it into memory, and executes the malicious payload.
Microsoft has identified over 3,000 publicly available machine keys that could be used in such attacks. Unlike previous ViewState injection exploits that relied on stolen or sold keys, these publicly accessible keys pose a greater risk as they may have been unintentionally incorporated into legitimate software.
To prevent these attacks, Microsoft advises developers to:
- Generate machine keys securely instead of using defaults or those found online.
- Encrypt sensitive elements like machineKey and connectionStrings in web.config.
- Upgrade to ASP.NET 4.8 to enable Antimalware Scan Interface (AMSI) protection.
- Harden Windows Servers using attack surface reduction rules like blocking web shell creation.
Microsoft has also removed exposed key samples from its documentation and published guidance on replacing insecure ASP.NET keys using PowerShell or the IIS Manager console. Additionally, the company warns that if an attacker has already exploited a publicly available key, simply rotating the key may not be enough, as backdoors and persistence mechanisms could still be present.
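The developer-side advice above (do not ship static keys copied from documentation, rotate any that were) can be checked mechanically. The following is an added Python example, not Microsoft's tooling; it assumes a plain web.config layout, a caller-supplied set of publicly disclosed key values (placeholder here), and key sizes matching what the IIS Manager generator produces.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config with a static key block of the kind copied from
# docs or repos; the values are deliberate non-random placeholders, not a real key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""".format(v="0123456789ABCDEF" * 8, d="FEDCBA9876543210" * 4)


def find_static_machine_keys(config_xml, known_public_keys=frozenset()):
    """One finding per hardcoded <machineKey> attribute. AutoGenerate values are
    runtime-generated and skipped; an explicit hex value is a rotation candidate,
    and one found in known_public_keys (caller-supplied disclosed-key list) is
    critical because anyone holding it can forge a valid ViewState."""
    findings = []
    for elem in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            if value is None or value.startswith("AutoGenerate"):
                continue
            severity = "critical" if value.upper() in known_public_keys else "warning"
            findings.append({"attribute": attr, "severity": severity})
    return findings


def generate_machine_key():
    """Fresh random keys sized like the IIS Manager generator: 64-byte HMACSHA256
    validation key and 32-byte AES decryption key, upper-case hex."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def rotate_machine_keys(config_xml):
    """Return config_xml with every <machineKey> rewritten to fresh random keys.
    Rotation alone does not evict an attacker who already used the old key."""
    root = ET.fromstring(config_xml)
    for elem in root.iter("machineKey"):
        validation, decryption = generate_machine_key()
        elem.set("validationKey", validation)
        elem.set("decryptionKey", decryption)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    leaked = {"0123456789ABCDEF" * 8}  # placeholder for a real disclosed-key list
    print(find_static_machine_keys(SAMPLE_WEB_CONFIG, leaked))
    print(rotate_machine_keys(SAMPLE_WEB_CONFIG))
```

Run it over every web.config in a repository or CI pipeline; a "critical" finding on a server that has been exposed should trigger the forensic investigation the advisory calls for, not just a key swap.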
For web-facing servers, Microsoft strongly recommends a full forensic investigation and, in severe cases, reformatting and reinstalling the system to eliminate potential compromises.
Bijay Pokharel