Summary: Microsoft has issued a warning about unsafe practices among developers using publicly available ASP.NET machine keys, which could allow attackers to execute malicious code via ViewState injection. Over 3,000 publicly disclosed keys have been identified, posing significant security risks. The company advises against using these keys and suggests measures to mitigate potential exploitation.
Affected: Software developers using ASP.NET
Keypoints:
- Publicly disclosed ASP.NET machine keys have been found to enable ViewState code injection attacks.
- The use of static keys can lead to unauthorized code execution on IIS web servers.
- Microsoft recommends checking existing machine keys against a list of compromised keys and stresses the importance of regular key rotation.
Source: https://thehackernews.com/2025/02/microsoft-identifies-3000-publicly.html
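
An added example, not code from Microsoft or the article, of the check recommended in the keypoints: it parses a web.config, flags statically configured `machineKey` values, and compares their fingerprints against a set of disclosed-key fingerprints. The fingerprint format (SHA-256 over the upper-cased hex string), the function names and the sample config are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key value is made up for this example.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def key_fingerprint(key_hex):
    """Assumed list format: SHA-256 over the upper-cased hex key string."""
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()


def audit_machine_keys(config_xml, disclosed_fingerprints):
    """Return (attribute, status) findings for every <machineKey> element.

    status is "static" for a key stored in the file, or "disclosed" when its
    fingerprint is in disclosed_fingerprints. Key material is never returned,
    so the findings are safe to log. Intended for your own config files only.
    """
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter("machineKey"):  # also covers <location> overrides
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            # Absent or AutoGenerate: no static key is stored in this file.
            if value is None or value.split(",")[0].strip().lower() == "autogenerate":
                continue
            status = "static"
            if key_fingerprint(value) in disclosed_fingerprints:
                status = "disclosed"
            findings.append((attr, status))
    return findings


if __name__ == "__main__":
    # Constructed "disclosed" list containing the sample key's fingerprint.
    sample_key = "0123456789ABCDEF" * 4
    disclosed = {key_fingerprint(sample_key)}
    for attr, status in audit_machine_keys(SAMPLE_WEB_CONFIG, disclosed):
        print(f"machineKey {attr}: {status}")
```

A "disclosed" finding means the key should be replaced rather than only removed from the file; a "static" finding is a candidate for regular rotation.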