Description

The ASP.NET application is using a weak or publicly known validation key to generate the Message Authentication Code (MAC) for ViewState. This exposes the application to ViewState tampering attacks. Due to the nature of ViewState, an attacker can exploit this weakness to perform a deserialization attack and potentially gain control over the application.
It is very important that the validation key remains secret. In this case, your application is using a weak or known validation key, and the scanner was able to successfully guess it.

Remediation

Use auto-generated validation keys by setting "AutoGenerate" in the web.config file. Alternatively, configure a long, cryptographically secure random validation key.
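The check below is an added example, not part of the original advisory or of any scanner's code. It audits the `validationKey` attribute of `<machineKey>` in a web.config and generates a replacement key. The sample configurations are constructed, and the 64-character floor is an assumed policy value.

```python
import re
import secrets
import xml.etree.ElementTree as ET

MIN_HEX_CHARS = 64  # assumed policy floor (32 bytes), not an ASP.NET limit


def new_validation_key(n_bytes=64):
    """Return n_bytes from the OS CSPRNG as upper-case hex (128 chars by default)."""
    return secrets.token_hex(n_bytes).upper()


def audit_validation_key(web_config_xml):
    """Return a list of findings for <system.web><machineKey validationKey=...>."""
    mk = ET.fromstring(web_config_xml).find("system.web/machineKey")
    # A missing element or attribute means ASP.NET generates the key itself.
    key = "AutoGenerate" if mk is None else mk.get("validationKey", "AutoGenerate")
    if key.split(",")[0].strip().lower() == "autogenerate":
        return []
    findings = []
    if not re.fullmatch(r"[0-9A-Fa-f]+", key):
        findings.append("validationKey is not a hex string")
    if len(key) < MIN_HEX_CHARS:
        findings.append(f"validationKey is only {len(key)} characters long")
    # A string built from one repeated block occurs inside its own doubling.
    if key in (key + key)[1:-1]:
        findings.append("validationKey is a repeated pattern")
    # This cannot tell whether a well-formed key was copied from a public
    # sample; that needs a comparison against a list of known keys.
    return findings


# Constructed sample: a static, short, patterned key (the weak setting).
WEAK_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              validation="HMACSHA256" />
</system.web></configuration>"""

# Constructed sample: the auto-generated setting recommended above.
AUTO_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
</system.web></configuration>"""

# Constructed sample: the alternative, a long random static key.
STRONG_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{new_validation_key()}" validation="HMACSHA256" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name in ("WEAK_CONFIG", "AUTO_CONFIG", "STRONG_CONFIG"):
        print(name, audit_validation_key(globals()[name]))
```

A static key that passes these checks still has to be unique to the application and kept out of source control and shared samples.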
