CVE-2026-5426
Published: 2026-04-16
CVE-2026-5426: Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState…
Priority: P1 · 84 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 1.01% (58.7th percentile)
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| digital_knowledge | knowledgedeliver | < 20260224 | 20260224 |
Detection & IOCs (extracted from sources)
sigma:
```text
(metadata.log_type = "WINEVTLOG" or metadata.log_type = "WINEVTLOG_XML") metadata.product_event_type = "1316" additional.fields["Message"] = /Event code: 4009\b/ nocase
```
sigma:
```text
(metadata.event_type = "PROCESS_LAUNCH" or metadata.event_type = "PROCESS_OPEN") AND principal.process.command_line = /w3wp.exe/ nocase AND target.process.command_line = /cmd.+ \/c |whoami|powershell/ nocase
```
- Monitor Windows Application Event Log for Event ID 1316 with message matching 'Event code: 4009' — this indicates ASP.NET ViewState integrity check failures consistent with deserialization exploitation attempts.
- Alert on w3wp.exe spawning cmd.exe, whoami, or powershell.exe — this is a strong indicator of post-exploitation activity following ViewState deserialization RCE.
- Monitor for unauthorized modifications to .js, .aspx, and .config files on the web server — the threat actor tampered with application JavaScript files to inject fake security alerts and load remote malicious scripts.
- Monitor for icacls commands granting 'Everyone' full access to the web application directory, executed from w3wp.exe context — this was used by the threat actor to escalate file system control post-exploitation.
- The BLUEBEAM (Godzilla) web shell operates as an in-memory .NET web shell spawned under w3wp.exe; look for unusual ASPX file creation or in-memory execution artifacts under the IIS worker process.
- Because the machineKey is shared across all customer deployments, a key obtained from any single compromised instance can be used to attack all other internet-facing KnowledgeDeliver installations.
- The Cobalt Strike payload was encrypted using a key derived from the name of the targeted organization, indicating targeted/customized payloads per victim — generic hash-based detection may not catch all variants.
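As an added example (not from the page's sources or from any vendor rule set), the Python below implements the two queries and the first two bullets above over constructed sample records: it flags Application log Event ID 1316 records carrying "Event code: 4009", aggregates them per host so that a burst stands out from the occasional benign failure, and flags the IIS worker process w3wp.exe parenting cmd /c, whoami or powershell. The record field names (host, log_type, event_id, message, event_type, parent_cmdline, cmdline) are assumptions standing in for whatever the SIEM's normalised schema provides, and the burst threshold is a tuning choice.

```python
import re
from collections import Counter

# The two patterns mirror the queries quoted above: ViewState MAC failures
# logged by ASP.NET as Event ID 1316 with "Event code: 4009", and the IIS
# worker process w3wp.exe parenting cmd /c, whoami or powershell.
VIEWSTATE_FAILURE_RE = re.compile(r"Event code: 4009\b", re.IGNORECASE)
W3WP_PARENT_RE = re.compile(r"w3wp\.exe", re.IGNORECASE)
SUSPICIOUS_CHILD_RE = re.compile(r"cmd.+ /c |whoami|powershell", re.IGNORECASE)

# Constructed sample telemetry (not real logs), one flat dict per record.
# Field names are assumed; map them to your SIEM's normalised schema.
SAMPLE_WINEVT = [
    {"host": "lms01", "log_type": "WINEVTLOG", "event_id": "1316",
     "message": "Event code: 4009\r\nEvent message: Viewstate verification failed. "
                "Reason: The viewstate supplied failed integrity check."},
    {"host": "lms01", "log_type": "WINEVTLOG", "event_id": "1316",
     "message": "Event code: 4009\r\nEvent message: Viewstate verification failed."},
    {"host": "lms01", "log_type": "WINEVTLOG_XML", "event_id": "1316",
     "message": "Event code: 4009\r\nEvent message: Viewstate verification failed."},
    {"host": "lms02", "log_type": "WINEVTLOG", "event_id": "1316",
     "message": "Event code: 4009\r\nEvent message: Viewstate verification failed."},
    {"host": "lms02", "log_type": "WINEVTLOG", "event_id": "1316",
     "message": "Event code: 40090\r\nEvent message: unrelated"},  # \b keeps this out
    {"host": "lms01", "log_type": "WINEVTLOG", "event_id": "1309",
     "message": "Event code: 3005\r\nEvent message: An unhandled exception has occurred."},
]

SAMPLE_PROCS = [
    {"host": "lms01", "event_type": "PROCESS_LAUNCH",
     "parent_cmdline": 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "LmsAppPool"',
     "cmdline": "cmd.exe /c whoami"},
    {"host": "lms01", "event_type": "PROCESS_LAUNCH",
     "parent_cmdline": 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "LmsAppPool"',
     "cmdline": "C:\\Windows\\System32\\conhost.exe 0xffffffff -ForceV1"},  # benign child
    {"host": "lms01", "event_type": "PROCESS_LAUNCH",
     "parent_cmdline": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe -NoProfile"},  # right child, wrong parent
    {"host": "lms02", "event_type": "PROCESS_OPEN",
     "parent_cmdline": "w3wp.exe",
     "cmdline": "powershell.exe -enc PLACEHOLDER"},
]


def is_viewstate_mac_failure(rec):
    """True for an Application log record reporting a ViewState MAC check failure."""
    if rec.get("log_type") not in ("WINEVTLOG", "WINEVTLOG_XML"):
        return False
    if rec.get("event_id") != "1316":
        return False
    return VIEWSTATE_FAILURE_RE.search(rec.get("message", "")) is not None


def is_w3wp_suspicious_child(rec):
    """True when the IIS worker process is the parent of cmd /c, whoami or powershell."""
    if rec.get("event_type") not in ("PROCESS_LAUNCH", "PROCESS_OPEN"):
        return False
    if not W3WP_PARENT_RE.search(rec.get("parent_cmdline", "")):
        return False
    return SUSPICIOUS_CHILD_RE.search(rec.get("cmdline", "")) is not None


def viewstate_failure_bursts(records, threshold=3):
    """Count 4009 failures per host. One failure can be session churn; a run of
    them from a single host is consistent with an attacker iterating payloads."""
    counts = Counter(r["host"] for r in records if is_viewstate_mac_failure(r))
    return {host: n for host, n in counts.items() if n >= threshold}


def run_detections(winevt, procs, burst_threshold=3):
    """Return (rule, host, detail) tuples for everything that fires."""
    alerts = []
    for host, n in viewstate_failure_bursts(winevt, burst_threshold).items():
        alerts.append(("viewstate_mac_failure_burst", host, n))
    for r in procs:
        if is_w3wp_suspicious_child(r):
            alerts.append(("w3wp_suspicious_child", r["host"], r["cmdline"]))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_WINEVT, SAMPLE_PROCS):
        print(*alert)
```

The per-host count is the part the raw query lacks: a production ASP.NET site logs the occasional 4009 when a user posts back a stale page, so the burst rule is what separates probing from noise, while the w3wp.exe parent/child rule needs no threshold because that lineage has no legitimate reason to occur.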
CVSS provenance
NVD (v3.1): 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
VulnCheck: 7.5 HIGH
VulDB
Digital Knowledge KnowledgeDeliver prior 20260224 ViewState machineKey hard-coded key (MNDT-2026-0009 / EUVD-2026-23271)
vuldb·2026-04-16
CVE-2026-5426 [LOW] Digital Knowledge KnowledgeDeliver prior 20260224 ViewState machineKey hard-coded key (MNDT-2026-0009 / EUVD-2026-23271)
A vulnerability was found in Digital Knowledge KnowledgeDeliver. It has been declared as problematic. This issue affects some unknown processing of the component ViewState Handler. Such manipulation of the argument machineKey leads to use of hard-coded cryptographic key.
This vulnerability is traded as CVE-2026-5426. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
GHSA-g88c-8gfj-6c98: Hard-coded ASP
ghsa_unreviewed·2026-04-16
CVE-2026-5426 CWE-321 GHSA-g88c-8gfj-6c98: Hard-coded ASP
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
VulnCheck
Use of Hard-coded Cryptographic Key
vulncheck·2026·CVSS 7.5
CVE-2026-5426 [HIGH] Use of Hard-coded Cryptographic Key
Use of Hard-coded Cryptographic Key
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
Affected: Digital Knowledge KnowledgeDeliver
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/
No detection rules found.
No public exploits indexed.
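The weakness class named here, CWE-321, is a machineKey whose validationKey and decryptionKey are literal values shipped identically to every deployment, so the ViewState MAC that is supposed to be per-site secret is known to anyone who has any one install. As an added example, not code from Digital Knowledge or from any source on this page, the Python below audits web.config fragments for an explicit machineKey, fingerprints the key so the same key can be spotted across several deployments without ever recording the key itself, and generates fresh per-deployment keys from the OS CSPRNG. The web.config fragments and key values are constructed placeholders, not the affected product's configuration; only the <machineKey> element and its attribute names are the real ASP.NET schema, and the key lengths follow the usual 64-byte HMACSHA256 / 32-byte AES sizing.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder key material (not the key shipped with any product).
SHARED_LITERAL_VKEY = "0123456789ABCDEF" * 8   # 128 hex chars = 64 bytes
SHARED_LITERAL_DKEY = "FEDCBA9876543210" * 4   # 64 hex chars = 32 bytes


def web_config_with(validation_key, decryption_key):
    """Build a minimal web.config with an explicit <machineKey> (constructed sample)."""
    return f"""<configuration>
  <system.web>
    <machineKey validationKey="{validation_key}"
                decryptionKey="{decryption_key}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


# The framework default: keys are generated per machine and per application,
# so copying this file to another host does not copy a usable key.
DEFAULT_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""


def generate_machine_key():
    """Fresh per-deployment keys: 64 random bytes for HMACSHA256 validation,
    32 random bytes for AES-256 decryption, as upper-case hex."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def audit_machine_key(xml_text):
    """Report whether a web.config carries an explicit (hence copyable) machineKey.
    Returns {"explicit": bool, "fingerprint": str|None, "findings": [str]}."""
    root = ET.fromstring(xml_text)
    mk = next(root.iter("machineKey"), None)
    result = {"explicit": False, "fingerprint": None, "findings": []}
    if mk is None:
        result["findings"].append("no <machineKey>: framework default AutoGenerate,IsolateApps applies")
        return result
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    if vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"):
        result["findings"].append("keys auto-generated per machine; nothing to share by copying the file")
        return result
    result["explicit"] = True
    # Fingerprint instead of recording the key so the audit output is safe to circulate.
    result["fingerprint"] = hashlib.sha256(f"{vkey}|{dkey}".encode()).hexdigest()[:16]
    result["findings"].append("explicit machineKey: must be unique per deployment, never shipped in a product image")
    return result


def find_shared_keys(configs):
    """configs: {deployment_name: web.config text}. Returns {fingerprint: [names]}
    for every explicit key that appears in more than one deployment."""
    by_fp = {}
    for name, xml_text in configs.items():
        fp = audit_machine_key(xml_text)["fingerprint"]
        if fp:
            by_fp.setdefault(fp, []).append(name)
    return {fp: names for fp, names in by_fp.items() if len(names) > 1}


# Constructed fleet: two deployments sharing one literal key (the CWE-321 case),
# one with its own generated key, one on the framework default.
SAMPLE_DEPLOYMENTS = {
    "customer_a": web_config_with(SHARED_LITERAL_VKEY, SHARED_LITERAL_DKEY),
    "customer_b": web_config_with(SHARED_LITERAL_VKEY, SHARED_LITERAL_DKEY),
    "customer_c": web_config_with(*generate_machine_key()),
    "customer_d": DEFAULT_WEB_CONFIG,
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_DEPLOYMENTS.items():
        print(name, audit_machine_key(cfg))
    print("shared keys:", find_shared_keys(SAMPLE_DEPLOYMENTS))
```

Run across the configs of every instance an organisation operates, the shared-key report is the check that matters for a vendor-shipped key: an explicit key is acceptable (web farms need one), but the same fingerprint on two unrelated deployments means a compromise of either one yields a valid ViewState signing key for the other.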
Bleepingcomputer
KnowledgeDeliver flaw exploited as a zero-day to install web shells
blogs_bleepingcomputer·2026-05-26·CVSS 9.1
CVE-2026-5426 [CRITICAL] KnowledgeDeliver flaw exploited as a zero-day to install web shells
By Ionut Ilascu
Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.
The flaw is a deserialization issue tracked as CVE-2026-5426 and can be exploited without authentication. It stems from the use of a shared hardcoded machine key in the web portal configuration across all KnowledgeDeliver customer deployments.
## ViewState deserialization
Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads and achieve remote code execution at the operating system level.
Mandiant in late 2025 responded to an attack on a KnowledgeDeliver server and says t
Hackernews
KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
blogs_hackernews·2026-05-26·CVSS 9.1
CVE-2026-5426 [CRITICAL] KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon.
The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, leading to unauthenticated remote code execution via a ViewState deserialization attack. The abuse of publicly disclosed ASP.NET machine keys by threat actors was first do
Mandiant
Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
blogs_mandiant·2026-05-25·CVSS 7.5
CVE-2026-5426 [HIGH] Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
Written by: Takahiro Sugiyama, Peter Revelant, Mathew Potaczek
## Introduction
In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site.
This vulnerability stems from the