CVE-2026-5426 — KnowledgeDeliver Exploited as a Zero-Day via ViewState Deserialization

Summary
CVE-2026-5426 lets an unauthenticated attacker achieve OS-level remote code execution (RCE) on any internet-facing KnowledgeDeliver instance with a single HTTP request. The root cause is not a code bug but a dangerous misconfiguration: installations deployed before 2026-02-24 shipped with a single, identical, hardcoded ASP.NET machineKey in the vendor-provided web.config. Anyone holding that key (extracted from any one deployment) can forge a malicious ViewState that attacks every other deployment.
The flaw was exploited as a zero-day starting in late 2025. In Mandiant's investigation, the attacker did not stop at RCE: they deployed the in-memory BLUEBEAM (Godzilla) web shell inside the IIS worker process, tampered with an application JavaScript file to trick users into installing a fake "security authentication plugin", and then delivered Cobalt Strike BEACON to visitors' workstations.
Who is affected: organisations (especially in Japan) running KnowledgeDeliver as their e-learning/LMS platform, particularly older, internet-facing installs. One priority action: immediately rotate the machineKey to a unique, cryptographically strong value per instance — the only way to invalidate the leaked shared secret.
Technical Background
| Field | Value |
|---|---|
| CVE | CVE-2026-5426 |
| Product | KnowledgeDeliver — LMS by Digital Knowledge (common in Japan) |
| CWE | CWE-502 (Deserialization of Untrusted Data), CWE-798 (Use of Hard-coded Credentials) |
| CVSS 3.1 (Mandiant) | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (corresponds to base score 9.0 — Critical) |
| Conditions | Pre-2026-02-24 install with the default machineKey unchanged; application reachable from the internet |
| Exploitation | Unauthenticated RCE; exploited as a zero-day since late 2025 |
| Discovered by | Takahiro Sugiyama, Peter Revelant (Mandiant) |
KnowledgeDeliver is a Learning Management System (LMS). Installations deployed before 2026-02-24 relied on a standardized vendor-provided web.config containing a hardcoded machineKey pair:
```xml
<machineKey decryptionKey="<REDACTED>" validationKey="<REDACTED>" />
```
In ASP.NET, the machineKey is used to encrypt and sign data, including ViewState. Because the key pair was identical across independent customer environments, an attacker who obtained the keys from one deployment could compromise any other internet-facing KnowledgeDeliver instance. This is the classic combination of CWE-798 (hardcoded/shared secret) and CWE-502 (deserialization of untrusted data).
Exploitation Mechanism
ViewState is the ASP.NET mechanism that persists page state across postbacks. With the machineKey known, an attacker can craft a validly signed malicious ViewState payload, send it via the __VIEWSTATE HTTP parameter, and make the server deserialize it — yielding OS-level code execution.
```mermaid
flowchart TD
A["Attacker obtains machineKey<br/>(from shared web.config)"] --> B["Forge malicious ViewState<br/>signed with valid machineKey"]
B --> C["Send via __VIEWSTATE parameter<br/>in HTTP request"]
C --> D["ASP.NET server deserializes<br/>(CWE-502) → OS-level RCE"]
D --> E["Executes inside IIS worker<br/>w3wp.exe"]
E --> F["Deploy post-exploitation"]
```
This technique follows the same pattern Mandiant previously documented in the Sitecore ViewState deserialization zero-day, and in Microsoft's February 2025 report on attackers abusing publicly disclosed or leaked ASP.NET machine keys for ViewState code injection and Godzilla post-exploitation. The shared lesson: the machine key must stay unique and secret — one leaked key can compromise an entire ecosystem of installations.
Post-Exploitation Activity
```mermaid
flowchart LR
A["RCE via ViewState"] --> B["BLUEBEAM / Godzilla<br/>in-memory web shell in w3wp.exe"]
B --> C["icacls grants 'Everyone' full access<br/>to the web app directory"]
C --> D["Modify application .js file"]
D --> E["Show fake security alert<br/>'install authentication plugin'"]
D --> F["Silently load malicious script<br/>from attacker domain"]
F --> G["User downloads fake installer"]
G --> H["Workstation infected with<br/>Cobalt Strike BEACON"]
```
BLUEBEAM (Godzilla) web shell. The attacker deployed a .NET web shell that runs entirely in memory inside the IIS worker process (w3wp.exe), making it hard to detect via traditional file-based scanning. It receives commands and payloads via encrypted data in HTTP POST bodies. The use of BLUEBEAM is consistent with Microsoft's reporting on machine-key abuse campaigns.
File tampering.
- Permission modification: used icacls to grant "Everyone" full access to the web application directory.
- JavaScript tampering: injected code into an application JS file to (1) display a fake security alert prompting users to install a "security authentication plugin", and (2) silently load a malicious script from an attacker-controlled domain.
Cobalt Strike infection. The remote script convinced users to download a fake installer, infecting workstations with Cobalt Strike BEACON. Notably, the payload was encrypted with a key named after the victim organisation — indicating the attacker prepared a payload specifically tailored to the target.
In-the-Wild & Timeline
The flaw was exploited as a zero-day before the vendor had changed its deployment procedure. Mandiant uncovered it during a late-2025 incident response on a compromised KnowledgeDeliver web server.
| Date | Event |
|---|---|
| Late 2025 | Mandiant IR on a compromised KnowledgeDeliver server (zero-day exploitation) |
| 2026-01-19 | Mandiant reports the issue to Digital Knowledge |
| 2026-02-24 | Digital Knowledge implements an updated deployment procedure (keys no longer pre-shared) |
| 2026-03-18 | Disclosure discussion |
| 2026-04-16 | Mandiant publishes advisory MNDT-2026-0009 |
| 2026-05-25 | GTIG/Mandiant publish the detailed write-up |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Use |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | ViewState deserialization on an internet-facing LMS |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | cmd.exe /c ... from w3wp.exe |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | powershell.exe from w3wp.exe |
| Persistence | Server Software Component: Web Shell | T1505.003 | BLUEBEAM/Godzilla in IIS |
| Defense Evasion | Reflective Code Loading | T1620 | In-memory web shell in w3wp.exe |
| Defense Evasion | File and Directory Permissions Modification | T1222.001 | icacls granting "Everyone" full access |
| Discovery | System Owner/User Discovery | T1033 | whoami |
| Initial Access (end users) | Drive-by Compromise | T1189 | JS tamper → fake alert/installer |
| Execution (end users) | User Execution: Malicious File | T1204.002 | Users download & run the fake installer |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Godzilla over HTTP POST; BEACON |
| Command and Control | Ingress Tool Transfer | T1105 | Pulling malicious script/installer |
Detection
1) Application Event Log — Event ID 1316 (ViewState)
Monitor the Windows Application log for Event ID 1316 from source ASP.NET 4.0.30319.0 (or similar):
```text
# Failed attempt (wrong key) — may indicate an attack attempt with an incorrect key:
Event code: 4009 -++- Viewstate verification failed.
Reason: The viewstate supplied failed integrity check.
# "Success" (integrity passed) — deserialization attempted, may have executed:
Event code: 4009 -++- Viewstate verification failed.
Reason: Viewstate was invalid.
```
Mandiant decrypted payload strings recorded in the event log using the server's machine keys and recovered a payload related to the BLUEBEAM web shell.
2) Suspicious w3wp.exe child processes
```text
w3wp.exe → cmd.exe /c ...
w3wp.exe → whoami
w3wp.exe → powershell.exe
w3wp.exe → icacls ...
```
3) File Integrity Monitoring
Monitor for unauthorized changes to .js, .aspx, .config files within the web root — especially the addition of remote script loaders or unusual logic in commonly used JS libraries.
4) Anomalous User-Agent strings
Look for User-Agent strings that consist of two distinct UA identifiers concatenated together, a pattern also seen in the prior ViewState deserialization zero-day. Examples:
```text
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101213 Opera/9.80 (Windows NT 6.1; U; zh-tw) Presto/2.7.62 Version/11.01 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
```
Google SecOps (Chronicle UDM) — source: GTIG
```text
(metadata.log_type = "WINEVTLOG" or metadata.log_type = "WINEVTLOG_XML")
metadata.product_event_type = "1316"
additional.fields["Message"] = /Event code: 4009\b/ nocase
```
```text
(metadata.event_type = "PROCESS_LAUNCH" or metadata.event_type = "PROCESS_OPEN") AND
principal.process.command_line = /w3wp.exe/ nocase AND
target.process.command_line = /cmd.+ \/c |whoami|powershell/ nocase
```
KQL — Microsoft Sentinel / Defender XDR (original)
w3wp.exe spawning recon/shell processes
```kql
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FileName in~ ("cmd.exe","powershell.exe","whoami.exe","icacls.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
```
Changes to sensitive web-root files
```kql
DeviceFileEvents
| where FolderPath has_any (@"\inetpub\", @"\KnowledgeDeliver\")
| where FileName endswith ".js" or FileName endswith ".aspx" or FileName endswith ".config"
| where ActionType in ("FileModified","FileCreated")
| where InitiatingProcessFileName in~ ("w3wp.exe","cmd.exe","powershell.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, ActionType
```
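The host-side checks in this section (Event ID 1316 triage, w3wp.exe child processes, doubled User-Agent strings) as one offline Python triage script, added here as an example and not code from GTIG or Mandiant; the event messages, process pairs and UA strings are constructed from the patterns described above.

```python
import re

# Constructed sample telemetry shaped like the patterns in this section; not incident data.
SAMPLE_EVENTS_1316 = [
    "Event code: 4009 -++- Viewstate verification failed. Reason: The viewstate supplied failed integrity check.",
    "Event code: 4009 -++- Viewstate verification failed. Reason: Viewstate was invalid.",
    "Event code: 3005 -++- An unhandled exception has occurred.",
]
SAMPLE_PROCESSES = [  # (parent image, child image)
    ("w3wp.exe", "cmd.exe"),
    ("w3wp.exe", "whoami.exe"),
    ("w3wp.exe", "csc.exe"),        # usually benign: ASP.NET compiling pages on first request
    ("explorer.exe", "cmd.exe"),
]
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2 "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
]
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "icacls.exe"}
PRODUCT_TOKEN = re.compile(r"\bMozilla/\d+\.\d+")  # a normal UA carries this token exactly once

def classify_viewstate_event(message):
    """Triage an Event ID 1316 message; only event code 4009 is of interest.
    'failed integrity check': the MAC did not verify, i.e. a wrong key (a probe).
    'Viewstate was invalid': the MAC verified, so the payload reached the deserializer
    and may already have executed; treat it as a key-in-hand attempt."""
    if "Event code: 4009" not in message:
        return None
    if "failed integrity check" in message:
        return "probe-wrong-key"
    if "Viewstate was invalid" in message:
        return "mac-valid-deserialization-attempted"
    return "other-4009"

def is_suspicious_w3wp_child(parent, child):
    """The IIS worker process should not be spawning shells or recon/ACL tools."""
    return parent.lower() == "w3wp.exe" and child.lower() in SHELL_CHILDREN

def is_doubled_user_agent(ua):
    """Two complete UA strings glued together show the product token twice."""
    return len(PRODUCT_TOKEN.findall(ua)) > 1

def triage(events, processes, user_agents):
    """Run all three checks and return only the findings that need follow-up."""
    return {
        "viewstate": [c for m in events if (c := classify_viewstate_event(m))],
        "processes": [p for p in processes if is_suspicious_w3wp_child(*p)],
        "user_agents": [ua for ua in user_agents if is_doubled_user_agent(ua)],
    }
```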
IOC
```text
# BLUEBEAM (Godzilla) web shell
file.name : LoadLibrary.dll
SHA-256 : 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2
```
Note: the sources contain no public C2 domain (the distribution domain is redacted). Detection focus is therefore on w3wp.exe behaviour, Event 1316/code 4009, and web-root file tampering.
Expert Assessment
Real-world severity exceeds what the CVSS vector suggests. The AC:H component (because the attacker needs the machine key first) softens the perceived score, but in reality the key was pre-packaged and shared in web.config — so the "complexity" barrier is almost nonexistent for any attacker who has one deployment to extract the key from. That is precisely why the flaw was successfully exploited as a zero-day: it turns every legacy KnowledgeDeliver instance into the same lock with the same key.
The core lesson is not new but keeps recurring: shared secrets in deployment templates are a ticking time bomb. The Sitecore chain (Mandiant) and Microsoft's Feb 2025 machine-key warning describe the same model — leaked ViewState + machineKey = mass RCE. KnowledgeDeliver is simply the latest victim of an old anti-pattern.
Relevance to Vietnam. KnowledgeDeliver is common in Japan, but many Vietnamese organisations — especially those with Japanese capital/partners, training centres, and any org running .NET LMS platforms — sit in the same risk zone. More importantly, the shared-machine-key anti-pattern is not product-specific: any ASP.NET application that copied a machineKey from documentation, a blog, or StackOverflow can be affected. For SOCs in Vietnam, this is a good moment to inventory all internal ASP.NET assets, not just KnowledgeDeliver. The JS-tampering-to-deliver-a-fake-"security plugin" technique also fits watering-hole attacks against end users — worth warning both web operations teams and users.
Recommendations
Immediate (0–24h)
- Rotate the machineKey: generate a unique, cryptographically strong key per KnowledgeDeliver instance — the only way to invalidate the leaked shared secret.
- Hunt the event log: Event ID 1316 / code 4009 on web servers; w3wp.exe child processes (cmd, powershell, whoami, icacls).
- Check web-root file integrity (.js/.aspx/.config); look for remote script loaders or unusual logic.
Short-term (1–7 days)
- Restrict access: limit the LMS to known/internal IP ranges; consider placing it behind VPN/WAF.
- Deploy the SecOps/KQL above into the SIEM; add detections for ViewState exploitation + web-root tampering.
- Scan for the IOC (BLUEBEAM hash) across file servers & endpoints; investigate thoroughly if any signs of exploitation appear.
Long-term
- Review all ASP.NET assets: forbid copying machineKey from public sources; prefer autogenerate or vault-managed keys.
- Monitor web-process behaviour (process lineage from w3wp.exe) rather than relying on file signatures — in-memory web shells leave no file.
- Add a "shared secret in deployment templates" check to hardening & secure-deployment processes.
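An offline audit-and-rotation helper for the machineKey recommendations above and the shared-key root cause described under Technical Background, added here as an example; it is not Digital Knowledge's or Mandiant's tooling. The web.config fragments, the key values and the "known shared" fingerprint are constructed placeholders, since the real leaked pair is redacted in the sources.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

def wrap_config(machine_key_element):
    """Minimal web.config around one <machineKey> element (constructed test fixture)."""
    return f"<configuration><system.web>{machine_key_element}</system.web></configuration>"

# Placeholders standing in for the redacted vendor pair; populate the fingerprint set from
# your own inventory (e.g. the pair every pre-2026-02-24 install shipped with).
SHARED_VK = "DEADBEEF" * 16   # 128 hex chars, the shape of a real validationKey
SHARED_DK = "CAFEBABE" * 8    # 64 hex chars, a 32-byte AES decryptionKey
KNOWN_SHARED_FINGERPRINTS = {hashlib.sha256(SHARED_VK.encode()).hexdigest()}

# Constructed fixtures: a template-style config with a static pair, and a per-app auto-generated one.
SHARED_CONFIG = wrap_config(
    f'<machineKey validationKey="{SHARED_VK}" decryptionKey="{SHARED_DK}" validation="SHA1" decryption="AES"/>')
AUTO_CONFIG = wrap_config(
    '<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/>')

def audit_machine_key(config_xml):
    """Classify one web.config:
    'missing' / 'autogenerate' -> ASP.NET derives a per-application key, nothing is shared;
    'shared-known'             -> validationKey matches an inventoried shared pair: rotate now;
    'static'                   -> explicit key; confirm it is unique to this instance."""
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    if mk is None:
        return "missing"
    vk = mk.get("validationKey", "AutoGenerate")
    if vk.startswith("AutoGenerate"):
        return "autogenerate"
    if hashlib.sha256(vk.encode()).hexdigest() in KNOWN_SHARED_FINGERPRINTS:
        return "shared-known"
    return "static"

def new_machine_key():
    """Fresh per-instance pair from the OS CSPRNG: 64 bytes (128 hex) for HMACSHA256
    validation and 32 bytes (64 hex) for AES decryption, the sizes ASP.NET 4.x expects."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()

def render_machine_key(validation_key, decryption_key):
    """The <machineKey> element to place in <system.web>, replacing the shared one."""
    return (f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')
```

Run the audit over every web.config in the inventory, not only KnowledgeDeliver's; any 'static' result whose value also appears in a second deployment belongs in the fingerprint set.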
References
- MNDT-2026-0009 — Mandiant Vulnerability Disclosure (CVE-2026-5426)
- Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability — Google Cloud / GTIG & Mandiant (2026-05-25)
- KnowledgeDeliver flaw exploited as a zero-day to install web shells — BleepingComputer
- Code injection attacks using publicly disclosed ASP.NET machine keys — Microsoft Security Blog (2025-02-06)
- CVE-2026-5426 — CVE.org
- KnowledgeDeliver — Digital Knowledge