[TIMESTAMP: 2026-05-25 05:38 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2026-5426: RCE via ViewState Deserialization in KnowledgeDeliver

CRITICAL Vulnerabilities | #CVE-2026-5426 #KnowledgeDeliver #BLUEBEAM
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Unauthenticated attackers can execute arbitrary code to compromise servers and infect site visitors with Cobalt Strike malware.
  • [02] Affected: Digital Knowledge KnowledgeDeliver Learning Management System installations deployed before February 24, 2026.
  • [03] Administrators must immediately rotate the ASP.NET machine keys to unique, cryptographically strong values for every instance.

According to Mandiant, security researchers recently identified a critical RCE vulnerability in KnowledgeDeliver, a Learning Management System (LMS) developed by Digital Knowledge and widely used within Japan. The flaw, tracked as CVE-2026-5426, is a zero-day deserialization vulnerability that lets unauthenticated attackers execute code on the server. The root cause is a systemic supply-chain risk: the vendor shipped a standardized web.config file containing identical pre-shared ASP.NET machine keys to multiple customer environments.

Technical Analysis of ViewState Deserialization

The CVE exists because KnowledgeDeliver installations deployed prior to February 2026 relied on a hardcoded machineKey configuration. In the ASP.NET framework, these keys are used to encrypt and sign the ViewState, the blob that carries page state across postbacks. Because the keys were not unique, a threat actor who recovered them from any one instance could generate a malicious ViewState payload that every other internet-facing installation would accept as genuine.

When a crafted __VIEWSTATE parameter arrives in an HTTP request, the server first checks its signature and then deserializes the data. Since the signature was produced with the known pre-shared key, the integrity check passes and the server processes the payload, leading to arbitrary code execution. This TTP mirrors previous high-profile attacks against other platforms and underscores the danger of static credentials in deployment templates.
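The following is an added illustration, not code from the article or from KnowledgeDeliver, of why a shared validationKey makes a signed blob portable across installations. It models the ViewState integrity check as an HMAC-SHA256 over the serialized state (the construction ASP.NET uses with validation="HMACSHA256"); the real ASP.NET scheme additionally mixes in a page-specific modifier, which identical installations of the same application share, so the conclusion is unchanged. Host names, the placeholder shared key and the state bytes are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a vendor-shipped, fleet-wide validationKey (64 bytes).
# It is NOT the real KnowledgeDeliver key, which the article does not publish.
VENDOR_SHARED_KEY = hashlib.sha256(b"constructed vendor template key").digest() * 2


class Instance:
    """One LMS-like site; only the ViewState validationKey is modelled."""

    def __init__(self, name: str, validation_key: bytes):
        self.name = name
        self.validation_key = validation_key

    def sign_state(self, state: bytes) -> bytes:
        """Append an HMAC-SHA256 tag, as the server does when it emits __VIEWSTATE."""
        tag = hmac.new(self.validation_key, state, hashlib.sha256).digest()
        return state + tag

    def accepts(self, blob: bytes) -> bool:
        """The integrity check a server performs before deserializing __VIEWSTATE.
        A valid tag means the server trusts whatever state precedes it."""
        if len(blob) < 32:
            return False
        state, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self.validation_key, state, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

    def rotate_key(self) -> None:
        """Remediation: replace the shared key with a per-instance CSPRNG key."""
        self.validation_key = secrets.token_bytes(64)


def shared_key_fleet(n: int = 3) -> list:
    """A fleet deployed from the same web.config template: every host shares the key."""
    return [Instance(f"lms-{i}", VENDOR_SHARED_KEY) for i in range(n)]


def cross_instance_acceptance(fleet, blob: bytes) -> dict:
    """Which hosts accept a blob that was signed by one of them?"""
    return {inst.name: inst.accepts(blob) for inst in fleet}


def demo():
    """Sign on lms-0, then test acceptance fleet-wide before and after rotating keys."""
    fleet = shared_key_fleet()
    blob = fleet[0].sign_state(b"constructed-serialized-page-state")
    before = cross_instance_acceptance(fleet, blob)   # every host accepts it
    for inst in fleet[1:]:
        inst.rotate_key()                             # unique keys on the other hosts
    after = cross_instance_acceptance(fleet, blob)    # only lms-0 still accepts it
    return before, after


if __name__ == "__main__":
    print(demo())
```

The second dictionary returned by `demo()` is the state defenders want to reach: a blob signed with the key recovered from one host verifies nowhere else once each instance carries its own key.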

Post-Exploitation and Malware Deployment

Once initial access is achieved, the threat actor utilizes a specific set of tools to maintain persistence. Mandiant observed the deployment of a .NET-based in-memory web shell known as BLUEBEAM (also known as Godzilla). This malware operates within the IIS worker process (w3wp.exe), effectively evading EDR solutions that rely solely on file-system scanning.

Following the web shell deployment, attackers were observed performing file tampering. This included using icacls to grant broad permissions to web directories and modifying application JavaScript files. The modified scripts were designed to display fraudulent security alerts, tricking users into downloading a “security authentication plugin.” This plugin served as a delivery mechanism for a workstation infection involving Cobalt Strike BEACON, which allowed for persistent C2 communications.

How to detect CVE-2026-5426 exploitation

Defenders must actively hunt for indicators of compromise within their environments. One primary detection method is monitoring the Windows Application event log for ASP.NET Event ID 1316. An event code of 4009 reporting “Viewstate verification failed” with the reason “Viewstate was invalid” is a strong indicator that an integrity check passed—meaning the attacker used the correct key—but the subsequent deserialization attempt failed or triggered an error.

Additionally, SOC teams should monitor for suspicious child processes spawned by w3wp.exe. Execution of cmd.exe, whoami, or powershell.exe from the IIS worker process is highly anomalous and should be investigated immediately. Searching SIEM logs for User-Agent strings made of concatenated browser identifiers—a known trait of the exploitation tools used in these campaigns—is another effective strategy.
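As an added example (not part of the article and not Mandiant's tooling), the three detections above run over a handful of constructed, SIEM-normalised events. Field names (`channel`, `event_id`, `parent_image`, `image`, `cs_user_agent`) are this example's own choice; the parent-process field assumes telemetry that records it, such as Security Event 4688 with "Creator Process Name" or Sysmon Event 1's ParentImage. The concatenated-User-Agent rule is a heuristic chosen here: more than one `Mozilla/` product token in a single header.

```python
import re

# Constructed sample events (not real telemetry). Indices: 0 = ViewState MAC
# failure, 1 = w3wp.exe spawning cmd.exe, 2 = benign cmd.exe from explorer.exe,
# 3 = glued-together User-Agent, 4 = an ordinary Chrome User-Agent.
SAMPLE_EVENTS = [
    {"channel": "Application", "event_id": 1316,
     "message": "Event code: 4009\nEvent message: Viewstate verification failed.\n"
                "Viewstate verification failed. Reason: Viewstate was invalid."},
    {"channel": "Security", "event_id": 4688,
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"channel": "Security", "event_id": 4688,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"channel": "IIS", "cs_method": "POST", "cs_uri_stem": "/login.aspx",
     "cs_user_agent": "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)"
                      "Mozilla/5.0+(X11;+Linux+x86_64)+Chrome/120.0"},
    {"channel": "IIS", "cs_method": "GET", "cs_uri_stem": "/login.aspx",
     "cs_user_agent": "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36"
                      "+(KHTML,+like+Gecko)+Chrome/120.0+Safari/537.36"},
]

# Children of the IIS worker process that the article calls out as anomalous.
SUSPICIOUS_W3WP_CHILDREN = {"cmd.exe", "whoami.exe", "powershell.exe", "pwsh.exe"}
VIEWSTATE_FAIL = re.compile(r"Viewstate verification failed", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def is_viewstate_mac_failure(ev: dict) -> bool:
    """ASP.NET health-monitoring Event ID 1316 carrying event code 4009."""
    msg = ev.get("message", "")
    return (ev.get("channel") == "Application" and ev.get("event_id") == 1316
            and "4009" in msg and VIEWSTATE_FAIL.search(msg) is not None)


def is_suspicious_w3wp_child(ev: dict) -> bool:
    """Process creation whose parent is w3wp.exe and whose child is a shell or recon tool."""
    if ev.get("event_id") != 4688:
        return False
    return (_basename(ev.get("parent_image", "")) == "w3wp.exe"
            and _basename(ev.get("image", "")) in SUSPICIOUS_W3WP_CHILDREN)


def has_concatenated_user_agent(ua: str) -> bool:
    """Heuristic: a genuine User-Agent carries a single 'Mozilla/x.y' token."""
    return len(re.findall(r"Mozilla/\d", ua)) >= 2


def triage(events) -> list:
    """Return (rule_name, evidence) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_viewstate_mac_failure(ev):
            hits.append(("viewstate_mac_failure", ev["message"].splitlines()[-1]))
        elif is_suspicious_w3wp_child(ev):
            hits.append(("w3wp_spawned_shell", ev["command_line"]))
        elif ev.get("channel") == "IIS" and has_concatenated_user_agent(ev.get("cs_user_agent", "")):
            hits.append(("concatenated_user_agent", ev["cs_user_agent"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule:26s} {evidence}")
```

Each rule is deliberately narrow so it can be lifted into a SIEM query on its own; the w3wp.exe child-process rule in particular should be tuned against the legitimate helper processes a given IIS deployment is known to spawn.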

KnowledgeDeliver ViewState deserialization mitigation steps

The primary remediation for this vulnerability is the immediate rotation of ASP.NET machine keys. Organizations must generate a unique, cryptographically strong key pair for every individual KnowledgeDeliver instance so that the shared vendor default is no longer valid anywhere. Following this, administrators should conduct a thorough compromise assessment to ensure no web shells or modified JavaScript files remain in the web root.

Restricting access to the LMS via IP address whitelisting can further reduce the attack surface. However, given the nature of the infection chain—where visitors are targeted—cleaning the web server environment remains the highest priority for defenders.
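The audit-and-rotate step above, written as an added example rather than vendor or Mandiant tooling: it parses a fleet of web.config files, reports any validationKey that appears on more than one host, and replaces each instance's `<machineKey>` with fresh CSPRNG-derived values (a 64-byte validationKey for HMACSHA256 and a 32-byte decryptionKey for AES). The host names and key values are placeholders constructed for the example, not the real vendor keys; in production the rewritten configs would be written back to each server.

```python
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Optional

# Constructed placeholder keys standing in for a vendor template's hardcoded values.
SHARED_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars, identical on every host
SHARED_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars


def vendor_template(validation_key: str, decryption_key: str) -> str:
    """Mimics a vendor-supplied web.config whose <machineKey> is baked in."""
    return f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{validation_key}"
                decryptionKey="{decryption_key}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


# Constructed fleet: three instances deployed from the same template.
FLEET = {
    "lms-tokyo": vendor_template(SHARED_VALIDATION_KEY, SHARED_DECRYPTION_KEY),
    "lms-osaka": vendor_template(SHARED_VALIDATION_KEY, SHARED_DECRYPTION_KEY),
    "lms-nagoya": vendor_template(SHARED_VALIDATION_KEY, SHARED_DECRYPTION_KEY),
}

MACHINE_KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")


def extract_machine_key(web_config: str) -> Optional[dict]:
    """Return the <system.web><machineKey> attributes, or None if the element is absent."""
    node = ET.fromstring(web_config).find("system.web/machineKey")
    if node is None:
        return None
    return {attr: node.get(attr) for attr in MACHINE_KEY_ATTRS}


def find_shared_keys(fleet: dict) -> dict:
    """Map every validationKey seen on more than one host to the hosts that share it."""
    hosts_by_key = defaultdict(list)
    for host, cfg in fleet.items():
        mk = extract_machine_key(cfg)
        if mk and mk["validationKey"]:
            hosts_by_key[mk["validationKey"].upper()].append(host)
    return {key: hosts for key, hosts in hosts_by_key.items() if len(hosts) > 1}


def generate_machine_key() -> dict:
    """Fresh per-instance keys from the OS CSPRNG, sized for HMACSHA256 and AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_fleet(fleet: dict) -> dict:
    """Rewrite each host's <machineKey> with unique values; returns new config text per host."""
    rotated = {}
    for host, cfg in fleet.items():
        root = ET.fromstring(cfg)
        node = root.find("system.web/machineKey")
        if node is None:  # no element: create one rather than inherit machine-level defaults
            node = ET.SubElement(root.find("system.web"), "machineKey")
        node.attrib.update(generate_machine_key())
        rotated[host] = ET.tostring(root, encoding="unicode")
    return rotated


if __name__ == "__main__":
    for key, hosts in find_shared_keys(FLEET).items():
        print(f"shared validationKey {key[:16]}... on {', '.join(hosts)}")
    print("after rotation, shared keys:", find_shared_keys(rotate_fleet(FLEET)))
```

Running the audit a second time over the rotated configs is the check worth keeping: an empty result means no two instances can validate each other's ViewState any longer. Note that rotation invalidates any ViewState and forms-authentication tickets issued under the old keys, so it is best scheduled together with the compromise assessment the article recommends.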
