KnowledgeDeliver Zero-Day CVE-2026-5426 Exploited via ASP.NET ViewState Deserialization
This was not just a vulnerable web server. It was a trusted learning platform turned into a delivery point for malware.
Mandiant has detailed exploitation of CVE-2026-5426, a KnowledgeDeliver remote code execution vulnerability rooted in a dangerous deployment practice: identical ASP.NET machine keys reused across multiple customer environments. Once attackers knew the key, they could craft malicious ViewState payloads that vulnerable servers would accept as valid.
The result was unauthenticated code execution against an internet-facing LMS, followed by in-memory web shell activity, file permission changes, JavaScript tampering, and an attempt to infect users visiting the compromised platform.
What Happened
In late 2025, Mandiant responded to an incident involving a compromised web server running KnowledgeDeliver, a Learning Management System developed by Digital Knowledge and commonly used in Japan. The product is marketed as an integrated e-learning platform for content creation, learning delivery, and operational management, with support for smartphones, tablets, and PCs.
Mandiant identified a critical vulnerability that allowed unauthenticated remote code execution. The flaw is now tracked as CVE-2026-5426 and was initially exploited as a zero-day before public disclosure.
The vulnerable condition affected KnowledgeDeliver installations deployed before February 24, 2026, where a standardized web.config file used hardcoded ASP.NET machineKey values. Those keys are used by ASP.NET to sign and protect data, including ViewState payloads. Because the keys were shared across independent deployments, compromise or discovery of the key in one environment could put other exposed installations at risk.
How the ViewState Attack Worked
ASP.NET ViewState is designed to preserve page state across postbacks. To prevent tampering, ASP.NET validates ViewState data using cryptographic protections tied to the application’s machine key.
That protection collapses when the machine key is reused and becomes known. An attacker can generate a malicious ViewState payload, sign it with the shared key, and send it to the application through the __VIEWSTATE parameter. If the server accepts the payload as trusted, deserialization can lead to server-side code execution.
Mandiant’s advisory describes the impact as high: an adversary with the pre-shared ASP.NET machine key can bypass ViewState validation and remotely execute unauthorized code. NVD lists the issue as involving hard-coded cryptographic keys and deserialization of untrusted data, mapped to CWE-321 and CWE-502.
Post-Exploitation: Web Shells, Tampering, and User Targeting
After gaining access, the threat actor deployed BLUEBEAM, also known as Godzilla, a .NET-based in-memory web shell that runs inside the IIS worker process w3wp.exe. That matters because memory-resident tooling is harder to catch with traditional file-scanning controls and can allow attackers to execute additional commands through encrypted HTTP POST traffic.
Mandiant observed the attacker using commands to expand control over the web server’s file system, including modifying permissions on the web application directory. The attacker also altered an application JavaScript file to display a fake security alert and silently load a remote malicious script from attacker-controlled infrastructure.
The user-facing part of the attack was especially dangerous. Visitors were prompted to install what appeared to be a “security authentication plugin.” In reality, the fake installer led to Cobalt Strike BEACON infection on user workstations. Mandiant noted that the payload was encrypted using a key tied to the compromised organization’s name, suggesting the malware was prepared specifically for that target.
Why This Stands Out
CVE-2026-5426 is a reminder that shared secrets are not configuration shortcuts. They are ecosystem-wide failure points.
The vulnerability did not require stolen administrator credentials, phishing a privileged user, or exploiting a complex race condition. The weak point was a static cryptographic secret reused across customer deployments. Once attackers had that secret, internet-facing KnowledgeDeliver instances with the unchanged key became candidates for forged ViewState payloads.
The case also shows why LMS platforms deserve the same scrutiny as VPNs, identity portals, email gateways, and file transfer systems. A compromised LMS is not just a server problem. It can become a watering hole for employees, students, contractors, and administrators who trust the platform enough to follow its download prompts and install plugins, course materials, or authentication-related tools.
Defender Impact
Organizations running KnowledgeDeliver should first determine whether their deployment was installed before February 24, 2026, and whether the default ASP.NET machine key was ever replaced. Mandiant’s resolution guidance is direct: generate a unique, cryptographically strong machineKey for each KnowledgeDeliver instance.
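One way to carry out that check across several instances, as an added example rather than Mandiant's or Digital Knowledge's own tooling: it classifies each instance's machineKey, fingerprints static keys so reuse between instances can be spotted without copying the secrets around, and emits a fresh element sized for HMACSHA256/AES. The template key value is a labelled placeholder because the page does not reproduce it, and the web.config layout is assumed to be a plain configuration/system.web tree.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Placeholder for the template key material shipped in the vulnerable
# web.config; the real value is not reproduced here. In practice this set is
# filled from the vendor advisory or from an unmodified template copy.
KNOWN_TEMPLATE_VALIDATION_KEYS = {"PLACEHOLDER_TEMPLATE_VALIDATION_KEY"}


def machinekey_status(web_config_xml):
    """Classify the <machineKey> of one web.config: 'autogenerate' (no static
    key), 'template' (matches a known shared key) or 'static' (explicit key).
    The fingerprint is SHA-256 of the validationKey, so instances can be
    compared for reuse without copying the secret around."""
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    vk = mk.get("validationKey", "AutoGenerate,IsolateApps") if mk is not None else "AutoGenerate"
    if vk.startswith("AutoGenerate"):
        return {"state": "autogenerate", "fingerprint": None}
    state = "template" if vk in KNOWN_TEMPLATE_VALIDATION_KEYS else "static"
    return {"state": state, "fingerprint": hashlib.sha256(vk.encode()).hexdigest()}


def find_reused_keys(configs):
    """Given {instance_name: web.config text}, return {fingerprint: [names]}
    for every static key present in more than one instance."""
    by_fp = {}
    for name, xml_text in configs.items():
        fp = machinekey_status(xml_text)["fingerprint"]
        if fp:
            by_fp.setdefault(fp, []).append(name)
    return {fp: names for fp, names in by_fp.items() if len(names) > 1}


def new_machinekey_element():
    """Emit a fresh <machineKey> from the OS CSPRNG, sized for HMACSHA256
    validation (64 bytes) and AES decryption (32 bytes); one per instance."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')


def _cfg(machinekey):
    # Constructed minimal web.config wrapper for the samples below.
    return f"<configuration><system.web>{machinekey}</system.web></configuration>"


# Constructed sample fleet: two instances still on the template key, one rotated,
# one with no static key at all.
TEMPLATE_MK = ('<machineKey validationKey="PLACEHOLDER_TEMPLATE_VALIDATION_KEY" '
               'decryptionKey="PLACEHOLDER_TEMPLATE_DECRYPTION_KEY" validation="HMACSHA256" decryption="AES" />')
SAMPLE_CONFIGS = {"lms-a": _cfg(TEMPLATE_MK), "lms-b": _cfg(TEMPLATE_MK),
                  "lms-c": _cfg(new_machinekey_element()),
                  "lms-d": _cfg('<machineKey validationKey="AutoGenerate,IsolateApps" decryption="Auto" />')}
```

Running `find_reused_keys(SAMPLE_CONFIGS)` groups lms-a and lms-b under one fingerprint, which is exactly the cross-deployment reuse the advisory describes.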
Defenders should also hunt for signs of ViewState exploitation and post-exploitation behavior. Mandiant recommends monitoring Windows Application logs for ASP.NET Event ID 1316, especially ViewState verification failures that may indicate payload testing or deserialization attempts. Web logs should be reviewed for suspicious __VIEWSTATE requests and unusual User-Agent strings.
On the host side, security teams should inspect for suspicious child processes spawned by w3wp.exe, including cmd.exe, whoami, and powershell.exe. File integrity monitoring should focus on unexpected changes to .js, .aspx, and .config files inside the web root, especially code that loads remote scripts or modifies login and notification flows.
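As an added example (not from the page or from Mandiant), the Event ID 1316 hunt above expressed as detection logic: it parses the ViewStateException fields out of the Application log message text and flags sources producing repeated integrity failures inside a short window, reporting non-browser User-Agents alongside. The event layout and all sample values are constructed; field names are assumed to follow the ASP.NET health-monitoring message format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field lines inside the ViewStateException block of an Event ID 1316 message.
FIELD_RE = {"client_ip": re.compile(r"^\s*Client IP:\s*(\S+)", re.M),
            "user_agent": re.compile(r"^\s*User-Agent:\s*(.*)$", re.M),
            "path": re.compile(r"^\s*Path:\s*(\S+)", re.M)}

def parse_1316(message):
    """Pull the pivot fields out of one Event 1316 message body.
    Returns None when the event is not a ViewState integrity failure."""
    if "Viewstate verification failed" not in message:
        return None
    return {k: (m.group(1).strip() if (m := rx.search(message)) else "")
            for k, rx in FIELD_RE.items()}

def flag_viewstate_probing(events, threshold=3, window=timedelta(minutes=5)):
    """Alert on source IPs with `threshold` or more integrity failures inside
    `window`: a burst from one client looks like forged payloads being tested
    against a key guess, while a single failure is usually a stale postback."""
    by_ip = defaultdict(list)
    for ts, msg in events:
        rec = parse_1316(msg)
        if rec:
            by_ip[rec["client_ip"]].append((ts, rec["user_agent"], rec["path"]))
    alerts = []
    for ip, hits in by_ip.items():
        hits.sort()
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                agents = sorted({h[1] for h in hits})  # non-browser UA is the second signal
                alerts.append({"ip": ip, "failures": len(hits), "paths": sorted({h[2] for h in hits}),
                               "scripted_ua": [a for a in agents if not a.startswith("Mozilla/")]})
                break
    return alerts

def make_event(ts, ip, ua, path="/login.aspx"):
    # Constructed Event 1316 body laid out like ASP.NET health-monitoring text.
    body = ("Event code: 4009\nEvent message: Viewstate verification failed. Reason: The "
            f"viewstate supplied failed integrity check.\nViewStateException information:\n"
            f"    Client IP: {ip}\n    Path: {path}\n    User-Agent: {ua}\n")
    return ts, body

# Constructed sample: a scripted burst from one source, then one stale browser postback.
T0 = datetime(2025, 12, 1, 3, 14, 0)
SAMPLE_EVENTS = [make_event(T0 + timedelta(seconds=s), "203.0.113.7", "python-requests/2.31")
                 for s in (0, 2, 4, 5, 9)]
SAMPLE_EVENTS.append(make_event(T0 + timedelta(hours=2), "198.51.100.20",
                                "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Firefox/120.0", "/course.aspx"))
```

In production the `events` list would come from the Application log (timestamp plus message text) rather than the constructed sample.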
The Bigger Picture
This incident fits a broader pattern Mandiant and Microsoft have both warned about: attackers abusing known or exposed ASP.NET machine keys to forge trusted payloads and reach code execution through ViewState deserialization.
The operational lesson is blunt. Cryptographic keys embedded in deployment templates can turn one disclosure into many compromises. For software vendors, every customer deployment needs unique secrets by default. For defenders, verifying key uniqueness should be part of hardening and incident response, not a footnote after patching.
NeuraCyb's Assessment
CVE-2026-5426 is dangerous because it turns a configuration decision into remote code execution at scale. The most important takeaway is not only that KnowledgeDeliver instances need unique machine keys. It is that trusted web applications can become malware delivery systems when server-side compromise is paired with client-side tampering. Treat LMS platforms as high-value infrastructure, because attackers clearly do.
References
- Google Cloud / Mandiant: Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
- Mandiant Vulnerability Disclosure MNDT-2026-0009
- NIST NVD: CVE-2026-5426
- Digital Knowledge: KnowledgeDeliver LMS Product Page
- Microsoft Security Blog: Code injection attacks using publicly disclosed ASP.NET machine keys