
Microsoft’s threat intelligence team has identified a significant security vulnerability involving developers using publicly available ASP.NET machine keys in their applications. In December 2024, the team detected unauthorized activity where threat actors exploited these public keys to inject malicious code and deploy the Godzilla post-exploitation framework.
The company has discovered over 3,000 exposed keys that could be used in ViewState code injection attacks. Unlike previous attacks using stolen keys from dark web sources, these publicly accessible keys present a greater risk due to their widespread availability in code repositories and potential integration into development code.
ViewState, an ASP.NET framework feature that preserves page and control values between postbacks, typically stores encoded data in a hidden field, protected by a message authentication code (MAC) computed with the machine key. However, when these keys become publicly accessible, attackers can craft malicious ViewState requests that pass validation and execute arbitrary code on targeted servers.
Key Security Implications:
– Successful exploitation enables remote code execution on IIS web servers
– Simply rotating compromised keys may not prevent attacks if persistence is established
– Over 3,000 vulnerable keys identified in public repositories
Microsoft’s Recommendations:
1. Avoid copying keys from public sources
2. Implement regular key rotation practices
3. Verify existing machine keys against Microsoft’s provided hash value list
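One way to carry out the check in recommendation 3, as an added example that is not Microsoft's own script: it extracts every hard-coded `machineKey` value from a `web.config`, including `<location>` overrides, and compares its hash against a list of known-exposed hashes. The function names, the sample file and the hashing scheme (SHA-256 over the upper-cased hex text of the key) are assumptions; match the scheme to the format of the published list before relying on it.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key values are made-up placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  </system.web>
  <location path="admin">
    <system.web>
      <machineKey validationKey="ffeeddccbbaa99887766554433221100,IsolateApps"
                  decryptionKey="0123456789ABCDEF0123456789ABCDEF" />
    </system.web>
  </location>
</configuration>"""

def key_hash(key_hex):
    # Assumed scheme: SHA-256 of the upper-cased hex string, so case differences do not hide a match.
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()

def static_keys(config_xml):
    """Yield (attribute, key) for each hard-coded key, in document order."""
    root = ET.fromstring(config_xml)
    for elem in root.iter("machineKey"):  # also finds keys nested under <location>
        for attr in ("validationKey", "decryptionKey"):
            # Drop modifiers such as ",IsolateApps"; "AutoGenerate" means no key is stored in the file.
            key = elem.get(attr, "").split(",")[0].strip()
            if key and key.lower() != "autogenerate":
                yield attr, key

def find_exposed(config_xml, known_hashes):
    """Return (attribute, hash) for keys whose hash is on the list; the key itself is never returned."""
    known = {h.strip().lower() for h in known_hashes}
    hits = []
    for attr, key in static_keys(config_xml):
        digest = key_hash(key)
        if digest in known:
            hits.append((attr, digest))
    return hits

if __name__ == "__main__":
    # Constructed stand-in for the published hash list.
    published = [key_hash("FFEEDDCCBBAA99887766554433221100")]
    for attr, digest in find_exposed(SAMPLE_WEB_CONFIG, published):
        print(f"EXPOSED {attr}: sha256={digest}")
```

A match means the key must be replaced, and, as noted above, rotation alone may not be enough if persistence was already established on the server.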
The company has already removed key artifacts from its documentation to enhance security. This disclosure coincides with Aqua’s revelation of an OPA Gatekeeper bypass vulnerability affecting Kubernetes environments, highlighting the broader importance of secure key management in modern infrastructure.