ctipilot.ch

CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: ViewState deserialization RCE exploited as a zero-day

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

Google's Threat Intelligence Group documented active zero-day exploitation of a pre-shared ASP.NET machineKey in the KnowledgeDeliver LMS; with the key known, an attacker can forge ViewState whose deserialization leads to unauthenticated RCE (first covered 2026-05-26; Mandiant disclosure MNDT-2026-0009). The vulnerable-component lesson generalises well beyond this APAC-deployed product: any .NET web application that ships with a static machineKey, or reuses one across deployments, inherits the same ViewState-forgery-to-RCE path. Hunt for unexpected __VIEWSTATE POST bodies that fail MAC validation and for w3wp.exe spawning command interpreters; rotate machineKey values that were ever shared or committed to source.
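
One way to find the machineKey values that need rotating, as an added example (not code from the brief, Google, Mandiant or the vendor). It flags any web.config whose validationKey or decryptionKey is not AutoGenerate and groups deployments that share the same key by a truncated SHA-256 fingerprint, so the key itself is never printed. The deployment names and key values are constructed, and the helper names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

def _cfg(attrs):
    return f"<configuration><system.web><machineKey {attrs}/></system.web></configuration>"

# Constructed sample web.config bodies keyed by deployment name; all key values are fake.
SAMPLE_CONFIGS = {
    "customer-a": _cfg('validationKey="0123456789ABCDEF0123456789ABCDEF01234567" '
                       'decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="SHA1"'),
    "customer-b": _cfg('validationKey="0123456789abcdef0123456789abcdef01234567,IsolateApps" '
                       'decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="SHA1"'),
    "customer-c": _cfg('validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate"'),
    "customer-d": _cfg('validationKey="AAAA5555AAAA5555AAAA5555AAAA5555AAAA5555" '
                       'decryptionKey="AutoGenerate"'),
    "customer-e": "<configuration><system.web /></configuration>",  # no machineKey element
}

def machine_key_fingerprint(config_xml):
    """Return a short SHA-256 fingerprint of static key material, or None when
    no machineKey is set or both keys are AutoGenerate. Never returns the key."""
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate a default xmlns
            continue
        # Drop modifiers such as ",IsolateApps" and normalise hex case before hashing.
        keys = [el.get(a, "AutoGenerate").split(",")[0].strip().upper()
                for a in ("validationKey", "decryptionKey")]
        if any(k != "AUTOGENERATE" for k in keys):
            return hashlib.sha256("|".join(keys).encode()).hexdigest()[:16]
    return None

def audit(configs):
    """Group deployments by fingerprint; one key in several deployments is the worst case."""
    groups = defaultdict(list)
    for name, xml_text in configs.items():
        fp = machine_key_fingerprint(xml_text)
        if fp:
            groups[fp].append(name)
    return sorted(("shared-static" if len(n) > 1 else "static", fp, sorted(n))
                  for fp, n in groups.items())

if __name__ == "__main__":
    for severity, fp, names in audit(SAMPLE_CONFIGS):
        print(f"{severity:13} fp={fp} rotate in: {', '.join(names)}")
```

Run the same fingerprinting over web.config files in source history as well as on deployed hosts: a fingerprint that appears in both places marks a key that was committed to source.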