CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: ViewState deserialization RCE exploited as a zero-day
Part of run 2026-W22-da77963d (weekly · Claude Opus 4.8)
Google's Threat Intelligence Group documented active zero-day exploitation of a pre-shared ASP.NET machineKey in the KnowledgeDeliver LMS that enables ViewState deserialization to unauthenticated RCE (first covered 2026-05-26; Mandiant disclosure MNDT-2026-0009). The vulnerable-component lesson generalises well beyond this APAC-deployed product: any .NET web application shipping or reusing a static machineKey across deployments inherits the same ViewState-forgery-to-RCE path. Hunt for unexpected __VIEWSTATE POST bodies that fail MAC validation and for w3wp.exe spawning command interpreters; rotate machineKey values that were ever shared or committed to source.
“Google's Threat Intelligence Group documented active zero-day exploitation of a pre-shared ASP.NET machineKey in the KnowledgeDeliver LMS that enables ViewState deserialization to unauthenticated RCE (first covered 2026-05-26; Mandiant disclosure MNDT-2026-0009).” — ctipilot v2 brief (migrated)
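As an added example (not code from the brief, the vendor or Mandiant), a Python audit supporting the rotation advice above: it flags web.config files that set an explicit machineKey and groups them by key fingerprint to reveal reuse across deployments. The file paths and key values are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

def _cfg(inner):
    return f"<configuration><system.web>{inner}</system.web></configuration>"

# Constructed sample configs; every key value is a made-up placeholder.
SHARED = '<machineKey validationKey="0123ABCD0123ABCD" decryptionKey="89EF89EF89EF89EF" />'
AUTO = '<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />'
SAMPLES = {
    "siteA/web.config": _cfg(SHARED),
    "siteB/web.config": _cfg(SHARED),
    "siteC/web.config": _cfg(AUTO),
    "siteD/web.config": _cfg('<compilation debug="false" />'),
    "siteE/web.config": _cfg('<machineKey validationKey="FEDCBA9876543210" decryptionKey="AutoGenerate" />'),
}

def static_keys(xml_text):
    """Return {attribute: fingerprint} for keys set explicitly (not AutoGenerate)."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        # Strip an optional XML namespace so older namespaced configs still match.
        if el.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "")
            if value and "autogenerate" not in value.lower():
                # Report a truncated hash, never the key, so the audit output is not a secret.
                digest = hashlib.sha256(value.upper().encode()).hexdigest()
                found[attr] = digest[:16]
    return found

def audit(configs):
    """Return (files with static keys, fingerprints present in more than one file)."""
    static, by_fp = {}, defaultdict(set)
    for path, text in configs.items():
        keys = static_keys(text)
        if keys:
            static[path] = keys
            for fp in keys.values():
                by_fp[fp].add(path)
    shared = {fp: sorted(paths) for fp, paths in by_fp.items() if len(paths) > 1}
    return static, shared

if __name__ == "__main__":
    static, shared = audit(SAMPLES)
    for path, keys in static.items():
        print("static machineKey:", path, keys)
    for fp, paths in shared.items():
        print("reused across deployments:", fp, paths)
```

To use it on real deployments, replace `SAMPLES` with a mapping of path to file contents gathered from servers, build artifacts and source repositories; any fingerprint appearing in more than one place is a rotation candidate.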