TP-EXP-2026-0313 CVE-2026-5426 critical Patched AI Draft

KnowledgeDeliver LMS ViewState Deserialization Zero-Day

CVE CVE-2026-5426
Platform Digital Knowledge KnowledgeDeliver deployments before 2026-02-24
Type Remote Code Execution
Severity CRITICAL
Status Patched
Zero-Day Confirmed
Disclosed April 16, 2026
Patched February 24, 2026
Researcher Mandiant
CISA KEV Not Listed

Severity Assessment

  • Exploitability: 8.8/10
  • Impact: 8.7/10
  • Weaponization Risk: 8.0/10
  • Patch Urgency: 8.6/10
  • Detection Coverage: 6.4/10

Summary

CVE-2026-5426 is a critical remote code execution vulnerability affecting Digital Knowledge KnowledgeDeliver Learning Management System deployments that used a shared ASP.NET machineKey before February 24, 2026. Google Threat Intelligence Group and Mandiant reported that an unknown actor exploited the flaw as a zero-day in late 2025 during an incident involving a compromised KnowledgeDeliver web server.

The vulnerability stems from standardized web.config deployments that reused hard-coded ASP.NET machine keys across independent customer environments. A threat actor with the key material could craft a signed malicious ViewState payload and send it through the __VIEWSTATE parameter, causing server-side deserialization on an internet-facing KnowledgeDeliver instance.

Reported post-exploitation activity included deployment of the BLUEBEAM (also known as Godzilla) in-memory web shell, file permission changes, tampering with JavaScript served by the LMS, and attempted delivery of a Cobalt Strike BEACON payload to site visitors. Attribution remains unknown in public reporting.

Exploit Chain

Stage 1: Shared Machine Key Exposure

KnowledgeDeliver deployments before February 24, 2026 used a standardized configuration containing the same ASP.NET machine key values. Because ViewState relies on the machine key to protect signed state data, reuse of the key created a cross-deployment trust failure.

Stage 2: Malicious ViewState Submission

The actor could craft a malicious ViewState payload signed with the known key and submit it to a vulnerable KnowledgeDeliver server through the __VIEWSTATE request parameter. Mandiant described this as an unauthenticated remote code execution path.

Stage 3: Web Shell Deployment

After exploitation, Mandiant observed BLUEBEAM/Godzilla activity running in memory inside the IIS worker process. This gave the actor a server-side control channel while reducing reliance on conventional files that defenders might scan on disk.

Stage 4: File Tampering and Visitor Targeting

The actor changed permissions on the web application directory and modified JavaScript served by the LMS. The injected code displayed a fake security prompt and loaded a remote malicious script intended to move the compromise from the server to visiting user systems.

Stage 5: Cobalt Strike Delivery Attempt

Google Threat Intelligence Group reported that the remote script attempted to convince users to install a fake plugin, leading to a Cobalt Strike BEACON backdoor. Public reporting does not identify a named threat actor behind the activity.

Detection Guidance

  • Monitor Windows Application logs for ASP.NET Event ID 1316 and ViewState integrity or invalid-ViewState messages on KnowledgeDeliver servers.
  • Hunt for unusual child processes spawned by w3wp.exe, especially command shells, reconnaissance commands, or PowerShell activity.
  • Alert on unexpected modification of .js, .aspx, or .config files under KnowledgeDeliver web roots.
  • Review web request logs for anomalous concatenated user-agent strings and requests containing suspicious ViewState payloads.
  • Investigate evidence of BLUEBEAM/Godzilla web shell behavior or Cobalt Strike BEACON payload staging associated with the affected LMS.
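The hunting points above can be correlated rather than checked one by one. The following is an added example (not from the Google/Mandiant report or any vendor tooling) that pairs each ASP.NET Event ID 1316 with w3wp.exe child-process and web-root file anomalies on the same host within a short window; the event shapes, hostnames, install path and window are assumptions, and the telemetry is constructed.

```python
from datetime import datetime, timedelta

# Children of the IIS worker process that warrant a look (hunting list above)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe"}
WEB_ROOT = r"c:\inetpub\wwwroot\knowledgedeliver"  # assumed install path
WATCHED_EXT = (".js", ".aspx", ".config")

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def is_anomaly(ev):
    """Post-exploitation signal: odd w3wp.exe child or web-root file change."""
    if ev["type"] == "process":
        return (ev["parent"].lower() == "w3wp.exe"
                and ev["image"].lower() in SUSPICIOUS_CHILDREN)
    if ev["type"] == "file_mod":
        p = ev["path"].lower()
        return p.startswith(WEB_ROOT) and p.endswith(WATCHED_EXT)
    return False

def correlate(events, window_min=30):
    """Pair each ASP.NET Event ID 1316 (ViewState verification failure) with
    anomalies on the same host inside the following window; returns alerts."""
    events = sorted(events, key=lambda e: ts(e["time"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "aspnet_event" or ev["event_id"] != 1316:
            continue
        t0 = ts(ev["time"])
        for later in events[i + 1:]:
            if ts(later["time"]) - t0 > timedelta(minutes=window_min):
                break
            if later["host"] == ev["host"] and is_anomaly(later):
                alerts.append((ev["host"], ev["time"], later["type"],
                               later.get("image") or later.get("path")))
    return alerts

# Constructed telemetry: a 1316 on LMS01 followed by a shell and a .js edit
SAMPLE = [
    {"host": "LMS01", "time": "2025-11-03 02:14:07", "type": "aspnet_event", "event_id": 1316},
    {"host": "LMS01", "time": "2025-11-03 02:14:09", "type": "process", "parent": "w3wp.exe", "image": "cmd.exe"},
    {"host": "LMS02", "time": "2025-11-03 02:15:00", "type": "process", "parent": "w3wp.exe", "image": "whoami.exe"},
    {"host": "LMS01", "time": "2025-11-03 02:16:30", "type": "file_mod", "path": WEB_ROOT + r"\scripts\kd.js"},
    {"host": "LMS01", "time": "2025-11-03 09:00:00", "type": "process", "parent": "w3wp.exe", "image": "csc.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print("ALERT", *a)
```

The isolated whoami.exe on LMS02 is not reported because no ViewState failure preceded it there; csc.exe (normal ASP.NET compilation) is excluded by the allow-listed child set.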

Indicators of Compromise

  • BLUEBEAM/Godzilla in-memory web shell activity in the IIS worker process.
  • SHA-256 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2, identified by Google Threat Intelligence Group as LoadLibrary.dll.
  • Unauthorized JavaScript modifications that display fake security prompts or load remote scripts.
  • Suspicious w3wp.exe child processes invoking command shells, whoami, or PowerShell.
  • ASP.NET ViewState validation failures followed by web-root file tampering or process-launch anomalies.

Remediation

  1. Rotate ASP.NET machine keys on every KnowledgeDeliver deployment and ensure each instance uses unique cryptographically strong values.
  2. Apply the vendor configuration update or deployment guidance for KnowledgeDeliver installations affected before February 24, 2026.
  3. Restrict access to KnowledgeDeliver servers to known organizational networks where operationally possible.
  4. Review web roots, IIS logs, Windows Application logs, and endpoint telemetry for signs of ViewState exploitation and post-exploitation file tampering.
  5. Treat confirmed server compromise as a potential client compromise path if visitors were exposed to injected JavaScript or fake installer prompts.
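To verify the Stage 1 condition and act on remediation step 1, the following added example (not vendor tooling) audits web.config fragments from several instances for hard-coded machineKey values, reports any key pair shared across instances, and generates a unique replacement element per instance. The instance names and configuration contents are constructed; the key lengths follow the HMACSHA256/AES sizes ASP.NET expects.

```python
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments for three instances; A and B share a key
CONFIGS = {
    "lms-a": """<configuration><system.web>
  <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="SHA1"/>
</system.web></configuration>""",
    "lms-b": """<configuration><system.web>
  <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="SHA1"/>
</system.web></configuration>""",
    "lms-c": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>""",
}

def hardcoded_keys(xml_text):
    """(validationKey, decryptionKey) if literal; None if absent or AutoGenerate."""
    mk = ET.fromstring(xml_text).find("./system.web/machineKey")
    if mk is None:
        return None
    vk, dk = mk.get("validationKey", ""), mk.get("decryptionKey", "")
    if "AutoGenerate" in vk or "AutoGenerate" in dk:
        return None
    return (vk, dk)

def shared_keys(configs):
    """Map each hard-coded key pair to the instances using it; a pair used by
    more than one instance is the cross-deployment trust failure above."""
    by_key = defaultdict(list)
    for name, text in configs.items():
        keys = hardcoded_keys(text)
        if keys:
            by_key[keys].append(name)
    return {k: v for k, v in by_key.items() if len(v) > 1}

def new_machine_key():
    """Fresh element: 64-byte HMACSHA256 and 32-byte AES keys as hex strings."""
    return ET.tostring(ET.Element("machineKey", {
        "validationKey": secrets.token_hex(64),
        "decryptionKey": secrets.token_hex(32),
        "validation": "HMACSHA256", "decryption": "AES"}), encoding="unicode")

if __name__ == "__main__":
    for keys, names in shared_keys(CONFIGS).items():
        print("shared machineKey across", names)
        for n in names:
            print(n, "->", new_machine_key())
```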

Disclosure Timeline

Late 2025 — Incident Response Observation

Mandiant responded to a compromised KnowledgeDeliver web server and observed exploitation of the ViewState deserialization flaw as a zero-day.

2026-02-24 — Affected Deployment Boundary

Public CVE metadata describes the affected set as KnowledgeDeliver deployments before February 24, 2026.

2026-04-16 — CVE Publication

CVE-2026-5426 was published for the hard-coded ASP.NET/IIS machineKey issue in Digital Knowledge KnowledgeDeliver deployments.

2026-05-25 — Google/Mandiant Technical Report

Google Threat Intelligence Group and Mandiant published technical analysis describing the exploitation chain, post-exploitation behavior, hunting guidance, and remediation actions.

2026-05-27 — Public Newsletter Coverage

Risky Business highlighted the KnowledgeDeliver exploitation in a broader security bulletin and pointed readers to the Google/Mandiant analysis.
