HigherLogic Community RCE Vulnerability ($1250 USD)

We discussed this vulnerability during Episode 117 on 07 February 2022

Once again, deserialization and RCE through an unprotected viewstate; it's kinda silly that this sort of issue continues to persist. The normal __VIEWSTATE field is used by some .NET applications to contain a ton of information about the current view state. It's rather large, and attackers tampering with it was a very common attack that has since been mitigated through the use of integrity verification. Unfortunately, the issue continues to persist because some applications, to make the viewstate smaller, did their own wrapping around it to enable it to be gzipped to save data.

Those customized implementations did not get the “update” that introduced such fixes and so continue to serve up insecure viewstates ready for attackers to abuse.
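
To make the missing check concrete, here is an added example (not HigherLogic's code and not ASP.NET code) that models a gzipped state field in Python, with the unprotected wrapper beside one that verifies an HMAC before anything is decompressed or parsed. JSON stands in for the .NET object formatter, and the function names, key and sample state are assumptions made for the illustration.

```python
import base64
import gzip
import hashlib
import hmac
import json

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def unpack_unprotected(field: str) -> dict:
    """The weak pattern: decode, gunzip and parse whatever the client sent."""
    return json.loads(gzip.decompress(base64.b64decode(field)))


def pack_state(state: dict, key: bytes) -> str:
    """Serialise, gzip, then append an HMAC-SHA256 tag over the compressed bytes."""
    body = gzip.compress(json.dumps(state).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def unpack_state(field: str, key: bytes) -> dict:
    """Check the tag first; only authenticated bytes reach gunzip and the parser."""
    raw = base64.b64decode(field, validate=True)  # raises ValueError on bad input
    if len(raw) <= MAC_LEN:
        raise ValueError("state field too short")
    body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("state field failed integrity check")
    return json.loads(gzip.decompress(body))


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    sample = {"control": "grid1", "page": 3}  # constructed sample state
    field = pack_state(sample, key)
    print(unpack_state(field, key))
    unsigned = base64.b64encode(gzip.compress(json.dumps(sample).encode())).decode()
    print(unpack_unprotected(unsigned))       # accepted without any check
    try:
        unpack_state(unsigned, key)
    except ValueError as err:
        print("rejected:", err)
```

In the real case the parser behind the wrapper is a .NET object deserialiser rather than JSON, which is why accepting an unauthenticated field leads to RCE and not just altered page state.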