Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data.
