Mandiant Uncovers Active Exploitation of KnowledgeDeliver ViewState Deserialization Flaw (CVE-2026-5426)
Mandiant reports active exploitation of a critical ViewState deserialization vulnerability in KnowledgeDeliver, a Japanese LMS, allowing unauthenticated remote code execution via hardcoded ASP.NET machine keys.

Mandiant has disclosed active exploitation of a critical vulnerability in KnowledgeDeliver, a Learning Management System (LMS) developed by Digital Knowledge and widely used in Japan. The flaw, now tracked as CVE-2026-5426, allows unauthenticated remote code execution through ASP.NET ViewState deserialization, stemming from the use of identical pre-shared machine keys across multiple customer deployments. Mandiant responded to an incident in late 2025 involving a compromised web server running KnowledgeDeliver, where an unknown threat actor leveraged this zero-day to inject malicious code and infect site visitors.
The vulnerability originates from a standardized web.config file provided by the vendor before February 24, 2026, which contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign ViewState payloads. Because these keys were identical across independent customer environments, any threat actor who obtained the keys from one deployment could compromise any other internet-facing KnowledgeDeliver instance. By crafting a malicious ViewState payload and sending it via the __VIEWSTATE parameter in an HTTP request, the attacker could force the server to deserialize it, achieving remote code execution. This technique mirrors previous ViewState deserialization attacks against Sitecore and other ASP.NET applications.
Once access was established, the threat actor deployed a .NET-based in-memory web shell called BLUEBEAM (also known as Godzilla), which operates entirely within the IIS worker process (w3wp.exe), evading traditional file-based detection. The actor then executed commands to escalate control over the file system, modifying permissions with icacls to grant "Everyone" full access to the web application directory. They also tampered with a JavaScript file to display a fake security alert prompting users to install a "security authentication plugin," which silently loaded a remote malicious script from a threat actor-controlled domain.
The remote script convinced users to download a fake installer, leading to infection with a Cobalt Strike BEACON backdoor. The payload was encrypted using a key derived from the compromised organization's name, indicating the threat actor prepared the payload specifically for the targeted organization. Mandiant noted that the use of BLUEBEAM is consistent with previous Microsoft reporting on similar attacks.
Mandiant has provided detailed hunting guidance for organizations. Key indicators include Windows Application Event ID 1316 from ASP.NET 4.0.30319.0, where "Viewstate verification failed" with reason "Viewstate was invalid" may indicate successful deserialization. Suspicious child processes spawned by w3wp.exe, such as cmd.exe or powershell.exe, should be investigated. File integrity monitoring should focus on unauthorized changes to .js, .aspx, or .config files, particularly the addition of remote script loaders. Anomalous User-Agent strings consisting of two distinct identifiers concatenated together have also been observed.
Remediation requires immediately rotating machine keys to generate unique, cryptographically random values for each deployment. Organizations should also apply any patches released by Digital Knowledge, monitor for the indicators described above, and review their ASP.NET configurations to ensure machine keys are not shared across environments. This incident underscores the critical importance of keeping machine keys unique and secure, as their exposure can lead to widespread compromise across multiple deployments.
Mandiant's investigation revealed that attackers deployed the BLUEBEAM (Godzilla) in-memory web shell, modified file permissions with icacls, and injected malicious JavaScript into legitimate LMS files to deliver Cobalt Strike Beacon payloads encrypted with the victim organization's name. The campaign targeted enterprise and educational environments, with detection possible via ASP.NET Event ID 1316 logs and anomalous child processes from w3wp.exe. A known indicator is the BLUEBEAM payload 'LoadLibrary.dll' with SHA-256 hash 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2.
The Hacker News reports that attackers exploited CVE-2026-5426 as a zero-day to deploy the Godzilla web shell, which was then used to deliver Cobalt Strike Beacon for post-exploitation activity. The vulnerability, stemming from hard-coded ASP.NET machine keys, carries a CVSS score of 7.5 and affects Digital Knowledge's KnowledgeDeliver LMS, which is widely used in Japan. The vendor has since released a patch to address the flaw.
Mandiant's latest report reveals that the attackers leveraged the ViewState deserialization flaw to deploy Godzilla web shells in memory, then modified a JavaScript file to display a fake security alert tricking users into installing a malicious plugin. The final payload was a Cobalt Strike backdoor encrypted with a key containing the victim organization's name, indicating the backdoor was prepared specifically for the targeted organization. All KnowledgeDeliver deployments prior to February 24, 2026, are vulnerable, and Mandiant has released indicators of compromise to aid in detection.
BleepingComputer now reports that attackers exploited the same ViewState deserialization vulnerability (tracked as CVE-2026-5426) to deploy the Godzilla web shell on a targeted server. While Mandiant's initial disclosure highlighted the unauthenticated RCE risk via hardcoded ASP.NET machine keys, this new article confirms a specific in-the-wild attack that used the flaw to establish persistent access. The campaign appears to be limited and targeted, and no patch has been released yet for the KnowledgeDeliver LMS.