cbcvebase.
CVE-2026-5426
published 2026-04-16


Priority: P1 (84) · critical 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 1.01% (58.7th percentile)
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks

Affected

1 range
Vendor: digital_knowledge · Product: knowledgedeliver · Version range: < 20260224 · Fixed in: 20260224

Detection & IOCs (extracted from sources)

parameter: __VIEWSTATE
command: icacls
sigma:
(metadata.log_type = "WINEVTLOG" or metadata.log_type = "WINEVTLOG_XML") metadata.product_event_type = "1316" additional.fields["Message"] = /Event code: 4009\b/ nocase
sigma:
(metadata.event_type = "PROCESS_LAUNCH" or metadata.event_type = "PROCESS_OPEN") AND principal.process.command_line = /w3wp.exe/ nocase AND target.process.command_line = /cmd.+ \/c |whoami|powershell/ nocase
  • Monitor Windows Application Event Log for Event ID 1316 with message matching 'Event code: 4009' — this indicates ASP.NET ViewState integrity check failures consistent with deserialization exploitation attempts.
  • Alert on w3wp.exe spawning cmd.exe, whoami, or powershell.exe — this is a strong indicator of post-exploitation activity following ViewState deserialization RCE.
  • Monitor for unauthorized modifications to .js, .aspx, and .config files on the web server — the threat actor tampered with application JavaScript files to inject fake security alerts and load remote malicious scripts.
  • Monitor for icacls commands granting 'Everyone' full access to the web application directory, executed from w3wp.exe context — this was used by the threat actor to escalate file system control post-exploitation.
  • The BLUEBEAM (Godzilla) web shell operates as an in-memory .NET web shell spawned under w3wp.exe; look for unusual ASPX file creation or in-memory execution artifacts under the IIS worker process.
  • Because the machineKey is shared across all customer deployments, a key obtained from any single compromised instance can be used to attack all other internet-facing KnowledgeDeliver installations.
  • The Cobalt Strike payload was encrypted using a key derived from the name of the targeted organization, indicating targeted/customized payloads per victim — generic hash-based detection may not catch all variants.
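A defender-side check that applies the log indicators listed above to event records, as an added example that is not part of this record or of any vendor tooling; the field names (channel, event_id, message, parent_image, command_line) and the sample events are constructed assumptions, not real telemetry:

```python
"""Hypothetical triage of Windows event records for the CVE-2026-5426 indicators.

Each record is a simplified dict standing in for an Application log entry or a
process-creation event; field names are assumptions made for this example.
"""
import re

# Mirrors the page's second rule: shell or recon child launched under w3wp.exe.
SUSPICIOUS_CHILD = re.compile(r"cmd.+ /c |whoami|powershell", re.IGNORECASE)
# icacls granting Everyone full control (F), optionally with inheritance flags.
ICACLS_EVERYONE = re.compile(r"\bicacls\b.*\bEveryone:(?:\([A-Z,]+\))*F\b", re.IGNORECASE)


def viewstate_mac_failure(event: dict) -> bool:
    """Application log Event ID 1316 whose message carries ASP.NET event code 4009."""
    return (
        event.get("channel") == "Application"
        and str(event.get("event_id")) == "1316"
        and re.search(r"Event code: 4009\b", event.get("message", ""), re.IGNORECASE) is not None
    )


def w3wp_spawns_shell(event: dict) -> bool:
    """Process creation with the IIS worker process as parent and a shell/recon child."""
    parent = event.get("parent_image", "").lower()
    return parent.endswith("w3wp.exe") and SUSPICIOUS_CHILD.search(event.get("command_line", "")) is not None


def w3wp_runs_icacls_everyone(event: dict) -> bool:
    """icacls opening the web directory to Everyone, executed from w3wp.exe context."""
    parent = event.get("parent_image", "").lower()
    return parent.endswith("w3wp.exe") and ICACLS_EVERYONE.search(event.get("command_line", "")) is not None


def triage(events: list) -> list:
    """Return (event index, rule name) pairs for every record that matches a rule."""
    rules = [
        ("viewstate_mac_failure", viewstate_mac_failure),
        ("w3wp_spawns_shell", w3wp_spawns_shell),
        ("w3wp_icacls_everyone", w3wp_runs_icacls_everyone),
    ]
    return [(i, name) for i, ev in enumerate(events) for name, fn in rules if fn(ev)]


# Constructed sample records (not real telemetry): one MAC failure, one benign
# ASP.NET event, one shell spawn, one icacls abuse, one benign PowerShell launch.
SAMPLE_EVENTS = [
    {"channel": "Application", "event_id": 1316, "message": "Event code: 4009 Event message: Viewstate verification failed."},
    {"channel": "Application", "event_id": 1316, "message": "Event code: 4010 Event message: Request validation failed."},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "command_line": r"icacls C:\inetpub\wwwroot\kd /grant Everyone:(OI)(CI)F /T"},
    {"parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe -NoProfile"},
]
```

Running `triage(SAMPLE_EVENTS)` flags records 0, 2 and 3; the two benign records produce no hits.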

CVSS provenance

nvd: v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck: 7.5 HIGH