What is the role of ViewState deserialization in exploiting Exchange file read/write permissions?
In Exchange attacks where file read/write permissions are obtained (as covered in Penetration Techniques - From Exchange File Read/Write Permissions to Command Execution), modifying web.config to set a known machineKey allows attackers to craft a malicious ViewState. When the server deserializes this ViewState using ObjectStateFormatter, it executes attacker-controlled code, bypassing the need for user credentials.
ViewState deserialization, Exchange, machineKey, file read/write, command execution