KnowledgeDeliver CVE-2026-5426 ViewState exploitation

Summary

CVE-2026-5426 is a KnowledgeDeliver Learning Management System remote-code-execution vulnerability caused by identical hard-coded ASP.NET machineKey values in vendor-provided web.config templates. Google Mandiant and Google Threat Intelligence Group reported that an unknown actor exploited the flaw as a zero-day against a KnowledgeDeliver web server, deployed the in-memory BLUEBEAM / Godzilla web shell, tampered with LMS JavaScript, and pushed visitors toward a fake security-authentication plugin that installed Cobalt Strike Beacon.

The durable lesson is ecosystem-scale shared-secret risk: if many customer deployments inherit the same ASP.NET machine keys, disclosure or recovery of one key can enable forged __VIEWSTATE payloads against other internet-facing instances.

Why this matters

  • The root cause sits in deployment templates, not a single customer misconfiguration. Any organization that deployed KnowledgeDeliver before the vendor change could share cryptographic material with unrelated instances.
  • ViewState deserialization turns knowledge of the machine keys into unauthenticated server-side code execution through a normal ASP.NET request parameter.
  • The observed chain crossed from server compromise into user compromise: attackers modified legitimate LMS JavaScript to display a fake security alert, load attacker-controlled script, and convince visitors to install a Cobalt Strike payload.
  • BLUEBEAM / Godzilla running inside w3wp.exe reduces file-based visibility and can execute commands or stage additional payloads via encrypted HTTP POST traffic.
  • The Cobalt Strike payload was encrypted with a key derived from the victim organization's name, suggesting targeted preparation rather than purely opportunistic scanning.

Operational characteristics

  • Affected deployments: KnowledgeDeliver installations deployed before 2026-02-24 that used the standardized web.config with identical hard-coded ASP.NET machineKey values.
  • Initial access: attacker crafts a malicious __VIEWSTATE value signed/encrypted with the known machine keys, causing ASP.NET to deserialize attacker-controlled data and execute code.
  • Web shell: Mandiant observed BLUEBEAM, also known as Godzilla, operating in memory inside the IIS worker process (w3wp.exe) and communicating through encrypted HTTP POST request bodies.
  • Host control: observed commands included cmd.exe /c, whoami, powershell.exe, and icacls permission changes that granted broad file-system access to the web application directory.
  • Content tampering: attackers modified application JavaScript to show a fake "security authentication plugin" prompt and silently load a remote malicious script.
  • User compromise: the remote script drove users to a fake installer, which delivered Cobalt Strike Beacon. Mandiant reported the Beacon payload was encrypted with victim-specific material.
  • Indicator published by Mandiant: LoadLibrary.dll / BLUEBEAM SHA-256 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2.

Defender heuristics

  • Rotate KnowledgeDeliver ASP.NET machine keys immediately to unique, cryptographically strong per-instance values; this is the primary remediation for invalidating the shared secret.
  • Restrict KnowledgeDeliver exposure to trusted organizational IP ranges where operationally possible.
  • Hunt the Windows Application log for ASP.NET Event ID 1316 / event code 4009, especially "Viewstate verification failed" messages. Mandiant notes that "viewstate was invalid" can indicate integrity checks passed and deserialization was attempted.
  • Monitor for suspicious child processes from w3wp.exe, including cmd.exe, powershell.exe, whoami, and permission-modification commands such as icacls.
  • Perform file-integrity review across LMS web roots for unauthorized changes to .js, .aspx, and .config files, especially remote script loaders or fake security/plugin prompts.
  • Inspect IIS and reverse-proxy logs for anomalous concatenated User-Agent strings like those Mandiant associated with ViewState exploitation campaigns.
  • Treat affected servers as compromised if exploitation indicators appear: preserve web logs, Windows event logs, IIS worker process telemetry, modified web-root files, and memory/EDR evidence before cleanup.
  • For potentially exposed LMS users, hunt for fake-plugin downloads and Cobalt Strike Beacon execution around the JavaScript-tampering window.
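To make the shared-secret risk and the key-rotation step concrete, here is an added fleet-audit script (not code from Mandiant, Google or the KnowledgeDeliver vendor) that parses several web.config documents, flags machineKey values that recur across instances as well as short or MAC-disabled settings, and emits a fresh unique <machineKey> element for replacement. The sample configs and key values are constructed placeholders; the real vendor template values are not on this page.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

HEX = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed placeholder keys (NOT the vendor's real hard-coded values).
_SHARED_V, _SHARED_D = "0123456789ABCDEF" * 8, "FEDCBA9876543210" * 4
_UNIQUE_V, _UNIQUE_D = "13579BDF02468ACE" * 8, "2468ACE013579BDF" * 4

def _cfg(v, d):  # minimal web.config carrying an explicit machineKey
    return ('<configuration><system.web>'
            f'<machineKey validationKey="{v}" decryptionKey="{d}" '
            'validation="HMACSHA256" decryption="AES" /></system.web></configuration>')

SAMPLE_CONFIGS = {              # constructed fleet: two instances inherit the same template keys
    "lms-a": _cfg(_SHARED_V, _SHARED_D),
    "lms-b": _cfg(_SHARED_V, _SHARED_D),
    "lms-c": _cfg(_UNIQUE_V, _UNIQUE_D),
    "lms-d": "<configuration><system.web/></configuration>",   # auto-generated keys
}

def parse_machine_key(config_xml):
    """Return the <machineKey> attributes of a web.config document ({} if absent)."""
    node = ET.fromstring(config_xml).find(".//machineKey")
    return dict(node.attrib) if node is not None else {}

def key_findings(attrs):
    """Per-instance weaknesses: non-hex or short explicit keys, ViewState MAC disabled."""
    findings = []
    for name, min_hex in (("validationKey", 128), ("decryptionKey", 32)):
        val = attrs.get(name, "AutoGenerate")
        if val.startswith("AutoGenerate"):
            continue                      # per-server keys: not a shared secret
        if not HEX.match(val):
            findings.append(f"{name} is not hex-encoded")
        elif len(val) < min_hex:
            findings.append(f"{name} is only {len(val) // 2} bytes")
    if attrs.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false")
    return findings

def audit_fleet(configs):
    """Map instance name -> findings, adding a finding for every key reused across instances."""
    per_instance = {n: parse_machine_key(x) for n, x in configs.items()}
    owners = defaultdict(list)
    for name, attrs in per_instance.items():
        for field in ("validationKey", "decryptionKey"):
            val = attrs.get(field, "")
            if val and not val.startswith("AutoGenerate"):
                owners[(field, val.lower())].append(name)
    report = {n: key_findings(a) for n, a in per_instance.items()}
    for (field, _), names in owners.items():
        for name in (names if len(names) > 1 else []):
            report[name].append(f"{field} shared with {sorted(set(names) - {name})}")
    return report

def fresh_machine_key():
    """Replacement element with unique random keys: 64-byte HMAC key, 32-byte AES key."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')
```

Run `audit_fleet` over the real web.config files collected from each instance; any "shared with" finding means the instances still trust one another's ViewState signatures.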

Sources

  • Google Cloud / Mandiant: https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/
  • Mandiant vulnerability disclosure MNDT-2026-0009: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md
  • The Hacker News: https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2026-5426