Security Affairs
Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Attackers used a public ASP.NET machine to conduct ViewState code injection attacks

Microsoft researchers warn that threat actors are delivering the Godzilla framework using a static ASP.NET machine. In December 2024, Microsoft Threat Intelligence researchers spotted a threat actor using a public ASP.NET machine key to deploy Godzilla malware, exploiting insecure key usage in code. Microsoft has since found over 3,000 public keys that could be used […]

ASP.NET machine key ViewState code injection attacks

Microsoft researchers warn that threat actors are delivering the Godzilla framework using a static ASP.NET machine.

In December 2024, Microsoft Threat Intelligence researchers spotted a threat actor using a public ASP.NET machine key to deploy Godzilla malware, exploiting insecure key usage in code.

Microsoft has since found over 3,000 public keys that could be used to carry out ViewState code injection attacks. Unlike previously known ViewState code injection attacks that used compromised or stolen keys that are often sold on dark web forums, the recent findings show that publicly disclosed keys pose a higher risk because are used in development code.

ViewState allows ASP.NET Web Forms to preserve page and control state between postbacks. ViewState data is stored in a hidden field on the page and is Base64 encoded. The ASP.NET page framework uses machine keys to protect ViewState against tampering and information disclosure.

Stolen machine keys allow attackers to craft malicious ViewState data, enabling remote code execution on IIS servers when processed by ASP.NET Runtime.

“If these keys are stolen or made accessible to threat actors, these threat actors can craft a malicious ViewState using the stolen keys and send it to the website via a POST request. When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used.” reads the report published by Microsoft. “The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server.”

ASP.NET machine key ViewState code injection attacks

Microsoft recommends securely generating machine keys, avoiding default or public keys, encrypting secrets, upgrading to ASP.NET 4.8, and hardening servers.

The company provided steps to remove or replace ASP.NET keys and removed key samples from documentation to prevent insecure practices.

“If successful exploitation of publicly disclosed keys has occurred, rotating machine keys will not sufficiently address possible backdoors or persistence methods established by a threat actor or other post-exploitation activity, and additional investigation may be warranted.” concludes the report. “In particular, web-facing servers should be fully investigated and strongly considered for re-formatting and re-installation in an offline medium in cases where publicly disclosed keys have been identified, as these servers are most at risk of possible exploitation.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ASP.NET machine)