3,000 Leaked ASP.NET Keys Found by Microsoft
Microsoft has issued a warning to developers about a critical security risk: using ASP.NET machine keys that are publicly accessible. This vulnerability could allow attackers to compromise applications and execute malicious code.
How Attackers Are Exploiting Public Machine Keys
Microsoft’s security team detected suspicious activity in December 2024. A hacker used a publicly available, static ASP.NET machine key to inject harmful code and spread the Godzilla post-exploitation framework. Upon further investigation, Microsoft discovered over 3,000 publicly exposed keys that could be used in ViewState injection attacks.
What Is ViewState and Why Is It a Security Risk?
ViewState is a feature in ASP.NET that helps keep webpage data consistent between user interactions. It encodes information in base64 and adds a hash computed with a message authentication code (MAC) key to ensure the data hasn’t been tampered with.
However, if hackers get access to these machine keys, they can craft malicious ViewState requests that the system will recognize as legitimate. When the server processes these requests, the harmful code is decrypted and executed, allowing attackers to take full control of the IIS web server.
The Risk of Publicly Disclosed Keys
Microsoft warns that these public keys pose an even greater risk than stolen ones sold on the dark web. Many of these keys can be found in open-source code repositories and may have been unknowingly included in development projects.
Unlike stolen keys, which might require a hacker to pay or search for them, these public keys are readily available, making attacks easier to execute.
Steps to Secure Your Applications
To protect against these attacks, Microsoft advises developers to:
- Never use machine keys from public sources.
- Regularly update and rotate keys.
- Compare your machine keys against Microsoft’s list of exposed keys.
- Check for signs of persistence if you suspect a key has already been compromised.
Microsoft has already taken steps to remove sensitive information from its own documentation to prevent further exposure.
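As an added illustration of the comparison step above (this is not Microsoft's script), the following Python sketch audits a web.config for hard-coded machine keys and checks them against a set of exposed-key digests. The sample configuration, the key values, and the assumption that the exposed list is held as SHA-256 digests of the upper-cased key are all constructed for this example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with a hard-coded (static) machine key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def key_digest(key: str) -> str:
    """SHA-256 of the normalized key, so the lookup set never holds raw keys."""
    return hashlib.sha256(key.strip().upper().encode("utf-8")).hexdigest()


# Assumption: exposed keys are tracked as SHA-256 digests of the upper-cased
# hex key. This single entry is constructed to match the sample above.
EXPOSED_DIGESTS = {key_digest("0123456789abcdef" * 4)}


def audit_machine_keys(config_xml: str, exposed: set) -> list:
    """Return (attribute, finding) tuples for every <machineKey> element."""
    findings = []
    for elem in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            # A missing attribute or AutoGenerate[,IsolateApps] means the
            # runtime generates the key, so there is no static key to leak.
            if value is None or value.split(",")[0].strip().lower() == "autogenerate":
                continue
            if key_digest(value) in exposed:
                findings.append((attr, "publicly-exposed"))
            else:
                # Not on the list, but still hard-coded: a rotation candidate.
                findings.append((attr, "static"))
    return findings


if __name__ == "__main__":
    for attr, finding in audit_machine_keys(SAMPLE_WEB_CONFIG, EXPOSED_DIGESTS):
        print(f"{attr}: {finding}")
```

A "publicly-exposed" finding means the key should be replaced and the server checked for persistence, as the last step in the list says; rotation alone does not remove anything an attacker has already installed.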
Another Security Concern: Kubernetes Policy Bypass
Alongside this ASP.NET risk, a new security issue has been found in Kubernetes. Cloud security firm Aqua revealed a flaw in OPA Gatekeeper, which could allow unauthorized users to bypass security policies and deploy unapproved container images.
Researchers Yakir Kadkoda and Assaf Morag found that this issue arises from the way Rego logic is written in the ConstraintTemplate file. If users enter values in the Constraint YAML file that don’t align with how the logic processes them, security policies can be bypassed entirely.
Staying Ahead of Cyber Threats
To minimize risk, developers and IT teams must stay proactive by regularly reviewing security configurations, avoiding publicly available credentials, and applying Microsoft’s latest security recommendations. Keeping systems secure requires constant vigilance—and awareness is the first step to preventing these types of attacks.