ctipilot.ch

Digital Knowledge KnowledgeDeliver LMS — pre-shared ASP.NET machineKey ViewState deserialization RCE; exploited as zero-day pre-2026-02-24

cve · CVE-2026-5426

Coverage timeline
2
first 2026-05-25 → last 2026-06-03
Peak priority
notable
2 notable
Sources cited
7
4 hosts
Sections touched
2
trending-vulnerabilities, weekly-vuln-rollup
Co-occurring entities
1
see Related entities below
ATT&CK techniques
6
pinned v19.1 · see below

ATT&CK techniques

6 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1189Drive-by Compromise×1

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

Evidence: 2026-05-26/cve-2026-5426-digital-knowledge-knowledgedeliver-lms-pre-sha · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-05-26/cve-2026-5426-digital-knowledge-knowledgedeliver-lms-pre-sha · ATT&CK page ↗

Persistence TA0003

T1505Server Software Component×1

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.

Evidence: 2026-05-26/cve-2026-5426-digital-knowledge-knowledgedeliver-lms-pre-sha · ATT&CK page ↗

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-05-26/cve-2026-5426-digital-knowledge-knowledgedeliver-lms-pre-sha · ATT&CK page ↗

Command and Control TA0011

T1071Application Layer Protocol×1

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-05-26/cve-2026-5426-digital-knowledge-knowledgedeliver-lms-pre-sha · ATT&CK page ↗

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-05-26/cve-2026-5426-digital-knowledge-knowledgedeliver-lms-pre-sha · ATT&CK page ↗

Story timeline

  1. 2026-05-26CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET machineKey enables ViewState deserialization RCE, exploited as a zero-day
    trending-vulnerabilities
  2. 2026-05-25CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: ViewState deserialization RCE exploited as a zero-day
    weekly-vuln-rollup

Where this entity is cited

  • weekly-vuln-rollup1
  • trending-vulnerabilities1

Source distribution

  • attack.mitre.org4 (57%)
  • cert.pl1 (14%)
  • cloud.google.com1 (14%)
  • github.com1 (14%)

Related entities

Entries about Digital Knowledge KnowledgeDeliver LMS — pre-shared ASP.NET machineKey ViewState deserialization RCE; exploited as zero-day pre-2026-02-24 (2)

2026-05-26 · view entry permalink →

NOTABLECVE-2026-5426exploited

CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET machineKey enables ViewState deserialization RCE, exploited as a zero-day

Mandiant / Google Threat Intelligence Group published an incident-response investigation into a late-2025 compromise of a web server running KnowledgeDeliver, an ASP.NET learning-management system from Japan-based Digital Knowledge that is widely deployed in Japanese enterprise and education environments (Google Threat Intelligence Group, 2026-05-25; Mandiant Vulnerability Disclosures MNDT-2026-0009). The root cause (CVE-2026-5426) is identical pre-shared ASP.NET machineKey values shipped across all customer installations by default: any party who recovers the hardcoded key from one instance can forge a valid signed/encrypted ViewState payload and replay it against any other deployment. Because ASP.NET ViewState is deserialized through ObjectStateFormatterBinaryFormatter, a forged payload yields arbitrary .NET object-graph deserialization and remote code execution (T1190). Mandiant states the flaw was exploited as a zero-day prior to the 2026-02-24 patch.

Post-exploitation, the actor deployed BLUEBEAM (a variant of the Godzilla web shell) that runs entirely inside the IIS worker process w3wp.exe — no shell file on disk — receiving commands over encrypted HTTP POST (T1505.003, T1071.001), then injected content into the LMS to mount a watering-hole attack against its users (T1189). Targeting is Japan-primary, but the transferable lesson is broad and urgent for CH/EU public-sector .NET estates: audit every ASP.NET application for shared or default machineKey values and rotate to unique, cryptographically strong per-deployment keys — there is no default-config toggle that removes the shared-key risk. Hunt for Windows Application-log Event ID 1316 (ViewState validation failure — Mandiant notes even successful exploitation generated these) on LMS-adjacent web servers, and for w3wp.exe spawning cmd.exe/powershell.exe/cscript.exe or making unexpected outbound connections (Sysmon EID 1 with a parent-image filter on w3wp.exe). Because BLUEBEAM is memory-resident with no on-disk shell file, live-memory collection on the IIS worker is the primary post-exploitation detection path.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-9058 Szafir SDK (KIR) qualified e-signature library 9.3 (CVSS 4.0) n/a No Not reported v463 CERT Polska
CVE-2026-5426 Digital Knowledge KnowledgeDeliver LMS (ASP.NET) n/a n/a No Yes (zero-day, pre-2026-02-24) 2026-02-24 release Mandiant GTIG

Mandiant / Google Threat Intelligence Group published an incident-response investigation into a late-2025 compromise of a web server running KnowledgeDeliver, an ASP.NET learning-management system from Japan-based Digital Knowledge that is widely deployed in Japanese enterprise and education …

ctipilot v2 brief (migrated)
vulnerability26 May 05:00Zmulti-sourceOpen finding ↗

2026-05-25 · view entry permalink →

NOTABLECVE-2026-5426exploited

CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: ViewState deserialization RCE exploited as a zero-day

Google's Threat Intelligence Group documented active zero-day exploitation of a pre-shared ASP.NET machineKey in the KnowledgeDeliver LMS that enables ViewState deserialization to unauthenticated RCE (first covered 2026-05-26; Mandiant disclosure MNDT-2026-0009). The vulnerable-component lesson generalises well beyond this APAC-deployed product: any .NET web application shipping or reusing a static machineKey across deployments inherits the same ViewState-forgery-to-RCE path. Hunt for unexpected __VIEWSTATE POST bodies that fail MAC validation and for w3wp.exe spawning command interpreters; rotate machineKey values that were ever shared or committed to source.

Google's Threat Intelligence Group documented active zero-day exploitation of a pre-shared ASP.NET machineKey in the KnowledgeDeliver LMS that enables ViewState deserialization to unauthenticated RCE (first covered 2026-05-26; Mandiant disclosure MNDT-2026-0009).

ctipilot v2 brief (migrated)
vulnerability25 May 05:00Zmulti-sourceOpen finding ↗