ctipilot.ch

Digital Knowledge KnowledgeDeliver LMS pre-shared ASP.NET machineKey ViewState deserialization RCE

cve · CVE-2026-5426

  • Coverage timeline: 1 (first 2026-05-26 → last 2026-05-26)
  • Briefs: 1 (1 distinct)
  • Sources cited: 62 (41 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-26 · CTI Daily Brief — 2026-05-26
     trending_vulns · First coverage: zero-day pre-2026-02-24; BLUEBEAM in-memory web shell; watering-hole; Mandiant GTIG

Where this entity is cited

  • trending_vulns (1)

Source distribution

  • attack.mitre.org: 10 (16%)
  • therecord.media: 4 (6%)
  • thehackernews.com: 3 (5%)
  • digital-strategy.ec.europa.eu: 2 (3%)
  • helpnetsecurity.com: 2 (3%)
  • krebsonsecurity.com: 2 (3%)
  • microsoft.com: 2 (3%)
  • nvd.nist.gov: 2 (3%)
  • other: 35 (56%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (62)

Items in briefs about Digital Knowledge KnowledgeDeliver LMS pre-shared ASP.NET machineKey ViewState deserialization RCE (1)

CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET `machineKey` enables ViewState deserialization RCE, exploited as a zero-day

From CTI Daily Brief — 2026-05-26 · published 2026-05-26

Mandiant / Google Threat Intelligence Group published an incident-response investigation into a late-2025 compromise of a web server running KnowledgeDeliver, an ASP.NET learning-management system from Japan-based Digital Knowledge that is widely deployed in Japanese enterprise and education environments (Google Threat Intelligence Group, 2026-05-25; Mandiant Vulnerability Disclosures MNDT-2026-0009). The root cause (CVE-2026-5426) is that identical pre-shared ASP.NET machineKey values were shipped by default across all customer installations: any party who recovers the hardcoded key from one instance can forge a validly signed/encrypted ViewState payload and replay it against any other deployment. Because ASP.NET ViewState is deserialized through ObjectStateFormatter / BinaryFormatter, a forged payload yields arbitrary .NET object-graph deserialization and remote code execution (T1190). Mandiant states the flaw was exploited as a zero-day prior to the 2026-02-24 patch.

Post-exploitation, the actor deployed BLUEBEAM (a variant of the Godzilla web shell) that runs entirely inside the IIS worker process w3wp.exe — no shell file on disk — receiving commands over encrypted HTTP POST (T1505.003, T1071.001), then injected content into the LMS to mount a watering-hole attack against its users (T1189). Targeting is primarily Japanese, but the transferable lesson is broad and urgent for CH/EU public-sector .NET estates: audit every ASP.NET application for shared or default machineKey values and rotate to unique, cryptographically strong per-deployment keys — there is no default-config toggle that removes the shared-key risk. Hunt for Windows Application-log Event ID 1316 (ViewState validation failure — Mandiant notes that even successful exploitation generated these) on LMS-adjacent web servers, and for w3wp.exe spawning cmd.exe/powershell.exe/cscript.exe or making unexpected outbound connections (Sysmon EID 1 with a parent-image filter on w3wp.exe). Because BLUEBEAM is memory-resident with no on-disk shell file, live-memory collection on the IIS worker is the primary post-exploitation detection path.
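The two defensive actions the item above calls for (auditing ASP.NET applications for shared or weak machineKey values, and hunting for w3wp.exe spawning a command interpreter) are shown below as a worked example. This is added illustration code, not code from Mandiant, Google TIG, Digital Knowledge or the ctipilot.ch brief. Assumptions: the web.config strings and the Sysmon records are constructed inline (the Sysmon records use a simplified `key=value` line format rather than real EVTX/XML), the placeholder key values are not real vendor keys, and the "weak algorithm" and "recommended length" thresholds follow general ASP.NET hardening practice rather than anything stated in the brief.

```python
"""Defender-side checks for the issues raised in the brief:
(1) ASP.NET machineKey values shared across deployments or using weak
    algorithms, plus generation of fresh per-deployment keys;
(2) Sysmon EID 1 records where the IIS worker (w3wp.exe) spawns a shell.
Added example; not code from Mandiant, GTIG, Digital Knowledge or ctipilot.ch."""
import re
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Conservative weak-algorithm lists (assumption: general ASP.NET guidance).
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "cscript.exe"}


def parse_machine_key(web_config_xml):
    """Return the <machineKey> attributes of a web.config string, or None when
    the element is absent (ASP.NET then uses AutoGenerate per machine)."""
    root = ET.fromstring(web_config_xml)
    node = root.find("system.web/machineKey")
    return None if node is None else dict(node.attrib)


def audit_machine_keys(configs):
    """configs: mapping deployment name -> web.config text.
    Returns (severity, deployments, message) findings. The high-severity
    finding is the one behind CVE-2026-5426: one key reused across installs."""
    findings = []
    by_key = defaultdict(list)
    for name, xml in configs.items():
        mk = parse_machine_key(xml)
        if mk is None:
            continue
        if mk.get("validation", "").upper() in WEAK_VALIDATION:
            findings.append(("medium", (name,), f"weak validation algorithm {mk['validation']}"))
        if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
            findings.append(("medium", (name,), f"weak decryption algorithm {mk['decryption']}"))
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # per-machine key: not the shared-key problem
            by_key[(attr, value.upper())].append(name)
            if attr == "validationKey" and len(value) < 128:
                findings.append(("low", (name,),
                                 f"{attr} is {len(value)} hex chars; 128 recommended for HMACSHA256"))
    for (attr, _), names in by_key.items():
        if len(names) > 1:
            findings.append(("high", tuple(names),
                             f"{attr} is identical across {len(names)} deployments"))
    return findings


def generate_machine_key():
    """Fresh per-deployment keys: 64-byte HMACSHA256 validation key and
    32-byte AES decryption key, rendered as a <machineKey> element."""
    vk = secrets.token_hex(64).upper()
    dk = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{vk}" decryptionKey="{dk}" '
            'validation="HMACSHA256" decryption="AES" />')


LINE_RE = re.compile(r"EventID=(\d+)\s+Image=(\S+)\s+ParentImage=(\S+)")


def find_suspicious_w3wp_children(lines):
    """Return Sysmon EID 1 records whose parent is w3wp.exe and whose child
    is a command interpreter (the hunt described in the brief)."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(1) != "1":
            continue
        image, parent = m.group(2).lower(), m.group(3).lower()
        if parent.endswith("\\w3wp.exe") and image.rsplit("\\", 1)[-1] in INTERPRETERS:
            hits.append(line)
    return hits


# ---- constructed sample data (placeholders, not real keys or real events) ----
SHARED_VK = "A1" * 64  # 128 hex chars, same value in two deployments
SHARED_DK = "B2" * 32  # 64 hex chars


def _config(vk, dk, validation="HMACSHA256", decryption="AES"):
    return (f'<configuration><system.web><machineKey validationKey="{vk}" '
            f'decryptionKey="{dk}" validation="{validation}" '
            f'decryption="{decryption}" /></system.web></configuration>')


SAMPLE_CONFIGS = {
    "lms-site-a": _config(SHARED_VK, SHARED_DK),
    "lms-site-b": _config(SHARED_VK, SHARED_DK),                    # vendor-shipped duplicate
    "lms-site-c": _config("C3" * 20, "D4" * 32, validation="SHA1"),  # short key, SHA1
    "intranet": _config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}

SAMPLE_SYSMON = [  # constructed, simplified Sysmon records
    r"EventID=1 Image=C:\Windows\System32\inetsrv\w3wp.exe ParentImage=C:\Windows\System32\svchost.exe",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=3 Image=C:\Windows\System32\inetsrv\w3wp.exe ParentImage=C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for sev, where, msg in audit_machine_keys(SAMPLE_CONFIGS):
        print(f"[{sev}] {', '.join(where)}: {msg}")
    print("replacement element:", generate_machine_key())
    for hit in find_suspicious_w3wp_children(SAMPLE_SYSMON):
        print("suspicious:", hit)
```

Run against a directory of collected web.config files, the audit reports the shared-key case as the only high-severity finding; AutoGenerate deployments are skipped because they already have per-machine keys. The Sysmon matcher is deliberately narrow (parent w3wp.exe, child in the interpreter list); a production rule would add the outbound-connection check (Sysmon EID 3) and Application-log Event ID 1316 the item mentions.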

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-9058 | Szafir SDK (KIR) qualified e-signature library | 9.3 (CVSS 4.0) | n/a | No | Not reported | v463 | CERT Polska |
| CVE-2026-5426 | Digital Knowledge KnowledgeDeliver LMS (ASP.NET) | n/a | n/a | No | Yes (zero-day, pre-2026-02-24) | 2026-02-24 release | Mandiant GTIG |