What is Acclaim USAHERDS?
USAHERDS (United States Animal Health Emergency Response and Diagnostic System) is a web-based livestock tracking and disease response system used by US state departments of agriculture to monitor livestock movement, investigate animal disease outbreaks, and coordinate emergency responses to agricultural health threats. USAHERDS is deployed in multiple US state government networks as part of their animal health infrastructure. Because it is deployed by state government agencies and integrates with state agricultural databases, USAHERDS represents a point of access to state government networks — making it an attractive target for threat actors seeking to establish persistence in government infrastructure.
Overview
CVE-2021-44207 is a hard-coded credentials vulnerability (CWE-798) in Acclaim Systems USAHERDS involving a fixed ASP.NET MachineKey embedded in the application. In ASP.NET web applications, the MachineKey is used to sign and validate ViewState (the serialized state of web form data) and encrypted cookies. When an attacker knows the MachineKey, they can craft malicious serialized .NET ViewState payloads that, when submitted to the application, trigger arbitrary code execution on the server via deserialization. Mandiant discovered that APT41 (a Chinese state-sponsored threat group) exploited this vulnerability to compromise multiple US state government networks. The same hardcoded MachineKey was present in all USAHERDS installations, meaning knowledge of the key from any single installation enabled attacks against all others.
Affected Versions
| Product | Vulnerable | Notes |
|---|---|---|
| Acclaim USAHERDS (all versions with hard-coded MachineKey) | Yes | Contact Acclaim Systems for mitigation |
Technical Details
ASP.NET MachineKey is a cryptographic key used to protect serialized application state:
- Root cause: Hard-coded credentials (CWE-798) — the ASP.NET MachineKey in USAHERDS is the same across all deployments (embedded in the application binary or configuration rather than being uniquely generated per installation)
- Exploitation mechanism: ASP.NET ViewState is a Base64-encoded serialized object submitted with web form requests. When the MachineKey is known, attackers use tools like ysoserial.net to generate malicious serialized payloads signed with the known key. Submitting this crafted ViewState triggers .NET deserialization of attacker-controlled objects, executing OS commands
- Attack Complexity: High — the attacker must know the MachineKey (obtainable from a single compromised USAHERDS installation or via source code analysis); this is the complexity factor reflected in the CVSS AC:H
- No authentication required — standard web form submissions carry ViewState; no login needed if ViewState validation is the attack vector
- Execution context: Code executes in the context of the IIS application pool identity running USAHERDS
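A simplified model of the MAC check that stands between a submitted ViewState and the deserializer, and of the per-installation key that the remediation calls for. This is an added example written for this page, not USAHERDS or ASP.NET code; it assumes HMAC-SHA256 over the raw state and omits ASP.NET's ViewStateUserKey and page-modifier inputs, which do not change the key-sharing problem.

```python
import base64
import hashlib
import hmac
import secrets

# Simplified model of ASP.NET ViewState MAC protection (added example, not
# USAHERDS code). The server appends HMAC(validationKey, state) when it
# renders the page and recomputes it on postback.
MAC_LEN = hashlib.sha256().digest_size


def generate_validation_key() -> bytes:
    """Per-installation key, as the remediation requires: 64 random bytes,
    the length ASP.NET uses for HMACSHA256 validation keys."""
    return secrets.token_bytes(64)


def server_sign(validation_key: bytes, state: bytes) -> str:
    """What the server does when rendering a page: Base64(state || MAC)."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def server_validate(validation_key: bytes, viewstate: str):
    """What the server does on postback. Returns the state bytes if the MAC
    verifies, else None. Anything that passes here is handed to the .NET
    deserializer, so key secrecy is the only control in front of it."""
    try:
        blob = base64.b64decode(viewstate, validate=True)
    except ValueError:
        return None
    if len(blob) <= MAC_LEN:
        return None
    state, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


def cross_site_acceptance(shared_key: bool) -> bool:
    """Does installation B accept a ViewState that installation A produced?
    With one hard-coded key (the USAHERDS situation) it does; with a key
    generated per installation it does not."""
    key_a = generate_validation_key()
    key_b = key_a if shared_key else generate_validation_key()
    blob = server_sign(key_a, b"constructed serialized page state")
    return server_validate(key_b, blob) is not None
```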
Discovery
Discovered by Mandiant during incident response investigations of state government network intrusions attributed to APT41. Mandiant's March 2022 report on APT41 U.S. State Government attacks identified USAHERDS as one of the initial access vectors used in 2021 attacks against at least six US state governments.
Exploitation Context
APT41 (BARIUM/Winnti Group, assessed as a Chinese state-sponsored group) exploited CVE-2021-44207 as part of a broader campaign targeting US state governments in 2021, coinciding with COVID-19-related government data collection. The group used USAHERDS as an initial access vector to establish persistent presence in state government networks, then moved laterally to other systems. The shared hard-coded MachineKey across all USAHERDS deployments meant that APT41 could leverage a single knowledge of the key to attack any deployed instance.
Remediation
- Contact Acclaim Systems directly for mitigation guidance and updated versions of USAHERDS with a uniquely generated MachineKey per installation
- If immediate vendor mitigation is unavailable and the application cannot be updated, consider disabling or restricting internet access to USAHERDS
- Generate a unique MachineKey per installation by modifying web.config to use a randomly generated key — this invalidates all existing sessions but removes the hard-coded key risk
- Review IIS and Windows Event Logs for unusual process spawning from the IIS worker process that may indicate prior ViewState deserialization exploitation
- Consult Mandiant's APT41 US State Government report for specific indicators of compromise associated with this campaign
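The log review in the list above, as an added detection example that is not part of the original page or any vendor guidance: it flags shell-like children of the IIS worker process w3wp.exe in constructed Sysmon-style process-creation records. Field names follow Sysmon Event ID 1; the allow-list of expected children is an assumption to tune per host from a known-good baseline.

```python
import json
from typing import Dict, Iterator, List

IIS_WORKER = "w3wp.exe"
# Interpreters and LOLBins an ASP.NET app pool has no business launching;
# a deserialization gadget chain typically ends in one of these.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
# Children w3wp.exe does spawn legitimately (dynamic page compilation).
# Assumed allow-list: tune it per host from a known-good baseline.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}

# Constructed Sysmon Event ID 1 records as JSON lines; not from a real host.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "User": "IIS APPPOOL\\USAHERDS", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "User": "IIS APPPOOL\\USAHERDS", "CommandLine": "powershell.exe -Command Get-Process"}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "User": "IIS APPPOOL\\USAHERDS", "CommandLine": "csc.exe /noconfig /fullpaths @App_Web.cmdline"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe", "CommandLine": "cmd.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> Iterator[Dict]:
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def classify(event: Dict) -> str:
    """'alert' for shell-like children of w3wp.exe, 'review' for any other
    unexpected child of it, 'ignore' for everything else."""
    if basename(event.get("ParentImage", "")) != IIS_WORKER:
        return "ignore"
    child = basename(event.get("Image", ""))
    if child in SHELLS:
        return "alert"
    return "ignore" if child in EXPECTED_CHILDREN else "review"


def scan(text: str) -> List[Dict]:
    """Return alert/review events with a 'verdict' field added, for triage."""
    findings = []
    for event in parse_events(text):
        verdict = classify(event)
        if verdict != "ignore":
            findings.append({**event, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["verdict"].upper(), f["User"], f["CommandLine"])
```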
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-44207 |
| Vendor / Product | Acclaim Systems — USAHERDS |
| NVD Published | 2021-12-21 |
| NVD Last Modified | 2025-11-10 |
| CVSS 3.1 Score | 8.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-798 |
| CISA KEV Added | 2024-12-23 |
| CISA KEV Deadline | 2025-01-13 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-12-21 | CVE published following Mandiant disclosure of APT41 exploitation |
| 2022-03 | Mandiant publishes detailed report: APT41 exploited USAHERDS across multiple US state government networks |
| 2024-12-23 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-01-13 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Mandiant — APT41 Targets US State Governments via USAHERDS | Security Research |
| NVD — CVE-2021-44207 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |