Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge, commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE), which an unknown threat actor leveraged to inject malicious code into the LMS platform, with the goal of infecting users visiting the site. This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability was initially exploited as a zero-day, now tracked as CVE-2026-5426.
KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. That file contained hardcoded machineKey values, the validationKey and decryptionKey that the ASP.NET framework uses to sign and encrypt data, including ViewState. Because the keys were identical across independent customer environments, a threat actor who obtained them from any one deployment could compromise every other internet-facing KnowledgeDeliver instance. ViewState is protected only by a MAC computed with the validationKey (and, optionally, encryption with the decryptionKey), so a threat actor holding those keys can serialize an arbitrary object graph, typically a deserialization gadget chain, sign it so that it passes validation, and submit it in the __VIEWSTATE parameter of an HTTP request. The server deserializes it inside the IIS worker process, and the gadget chain runs the threat actor's code there. No authentication is needed, because any page that accepts a postback will validate and deserialize the ViewState it receives. This technique follows the pattern of the ViewState deserialization zero-day vulnerability affecting Sitecore.
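The following is an added illustration of the property described above, not code from the original page, from Mandiant, or from the vendor. It is a deliberately simplified model of ASP.NET ViewState MAC protection (real ASP.NET 4.5+ derives purpose-specific subkeys from the validationKey and mixes a per-page modifier into the MAC), but the security consequence is identical: whoever holds the validationKey can mint ViewState that every instance using that key will accept. The shared key and the payload bytes are constructed placeholders.

```python
"""Simplified model of ASP.NET ViewState MAC protection (added example, not the
page's, Mandiant's or Digital Knowledge's code). __VIEWSTATE is modelled as
base64(data || HMAC-SHA256(validationKey, data)); real ASP.NET adds subkey
derivation and a per-page modifier, which does not change the property shown:
a validationKey shared across deployments lets an attacker forge ViewState that
every deployment accepts, and a per-instance key makes the forgery fail."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMACSHA256

# Stand-in for a vendor-wide hardcoded validationKey (constructed value).
SHARED_VALIDATION_KEY = bytes.fromhex("0123456789abcdef" * 8)

# Stand-in for a serialized gadget chain (constructed; not a real payload).
ATTACKER_PAYLOAD = b"<object graph chosen by the attacker>"


def sign_viewstate(data: bytes, validation_key: bytes) -> str:
    """What the server, or an attacker holding the key, does to produce __VIEWSTATE."""
    mac = hmac.new(validation_key, data, hashlib.sha256).digest()
    return base64.b64encode(data + mac).decode("ascii")


def verify_viewstate(viewstate_b64: str, validation_key: bytes) -> Optional[bytes]:
    """Server-side check. Returns the bytes the server would go on to
    deserialize, or None when the MAC does not verify (ASP.NET would log
    event code 4009 with an integrity-check failure)."""
    try:
        blob = base64.b64decode(viewstate_b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    if len(blob) <= MAC_LEN:    # nothing left to deserialize after the MAC
        return None
    data, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(validation_key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return data


def instance_accepts(viewstate_b64: str, instance_key: bytes) -> bool:
    """True when this instance would pass the MAC check and deserialize the payload."""
    return verify_viewstate(viewstate_b64, instance_key) is not None


def demo() -> dict:
    """Attacker learns the key from one deployment's web.config and replays a
    forged request against a different customer's instance."""
    forged = sign_viewstate(ATTACKER_PAYLOAD, SHARED_VALIDATION_KEY)
    return {
        # Victim still running the vendor-supplied key: forgery is accepted.
        "victim_with_vendor_key": instance_accepts(forged, SHARED_VALIDATION_KEY),
        # Victim that generated its own 64-byte key: forgery is rejected.
        "victim_after_key_rotation": instance_accepts(forged, secrets.token_bytes(64)),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` result is the whole point of the advisory: the MAC is only as secret as the key, and a key that ships in a template is public.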
Once access was established, the threat actor focused on maintaining presence and expanding the impact of the compromise. They deployed BLUEBEAM (also known as Godzilla), a .NET-based in-memory web shell that runs entirely within the IIS worker process (w3wp.exe), which makes it difficult to detect with traditional file-based scanning. It executes further commands and payloads delivered as encrypted data in HTTP POST request bodies. The threat actor was observed running commands to extend their control over the web server's file system. They then modified an application JavaScript file, adding code that displayed a fake security alert prompting users to install a "security authentication plugin" and silently loaded a remote script hosted on a threat-actor-controlled domain. That script persuaded users to download a fake installer, which infected their workstations with a Cobalt Strike BEACON backdoor. The BEACON payload was encrypted with a key derived from the name of the compromised organization, indicating that the threat actor prepared it specifically for this target.
Organizations should monitor for the following indicators to identify potential ViewState exploitation and post-exploitation activity:
- Monitor the Windows Application log for Event ID 1316 from the source ASP.NET 4.0.30319.0 (or the equivalent for the installed runtime version). The event message includes the client IP, request path, User-Agent and the rejected __VIEWSTATE value.
- Within those events, event code 4009 with the message "Viewstate verification failed. Reason: Viewstate was invalid." indicates that the MAC check was passed (a request signed with the wrong key produces an integrity-check failure instead) and that deserialization of the payload was attempted, so the gadget chain may already have executed. Treat this as evidence of successful exploitation, not of a failed attempt.
- Mandiant decrypted the payload strings recorded in these event log messages with the server's machine keys and recovered a payload related to the BLUEBEAM web shell.
- Monitor for unusual child processes spawned by w3wp.exe. Commands observed include cmd.exe /c …, whoami, and powershell.exe.
- Monitor for unauthorized changes to .js, .aspx, or .config files within the web root.
- Monitor web request logs for anomalous User-Agent strings consisting of two distinct identifiers concatenated together.
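The following triage helpers are an added example that implements the indicators above; they are not Mandiant's or Digital Knowledge's tooling. The parser relies on the fact that the ASP.NET health-monitoring event 1316 message body carries the client IP, request path, User-Agent and the offending __VIEWSTATE value. Every sample event and process record is constructed, and the payload-size threshold is an assumption to be tuned against your own application's baseline.

```python
"""Triage helpers for the ViewState indicators (added example, not the page's,
Mandiant's or the vendor's code). Sample events and process records below are
constructed to match the layout ASP.NET health monitoring writes."""
import base64
import re
from typing import Dict, List, Tuple

# Constructed event 1316 messages in the layout ASP.NET health monitoring writes.
SAMPLE_EVENTS = [
    "Event code: 4009\n"
    "Event message: Viewstate verification failed. Reason: Viewstate was invalid.\n"
    "Process information:\n    Process name: w3wp.exe\n"
    "ViewStateException information:\n"
    "    Exception message: Invalid viewstate.\n"
    "    Client IP: 203.0.113.7\n    Path: /login.aspx\n"
    "    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Mozilla/5.0 (X11; Linux x86_64)\n"
    "    ViewState: " + base64.b64encode(b"\xff\x01" + b"\x41" * 4000).decode(),
    "Event code: 4009\n"
    "Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.\n"
    "ViewStateException information:\n"
    "    Client IP: 198.51.100.9\n    Path: /default.aspx\n"
    "    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n"
    "    ViewState: " + base64.b64encode(b"\xff\x01ordinary form state").decode(),
]

FIELD_RE = {
    "code": r"Event code:\s*(\d+)",
    "reason": r"Reason:\s*([^\n]+)",
    "client_ip": r"Client IP:\s*(\S+)",
    "path": r"Path:\s*(\S+)",
    "user_agent": r"User-Agent:\s*([^\n]*)",
    "viewstate": r"ViewState:\s*(\S+)",
}

# Assumption: a deserialization gadget chain serializes to far more bytes than
# a normal form's ViewState; tune against your own application's baseline.
GADGET_SIZE_HINT = 1024


def parse_event_1316(message: str) -> Dict[str, str]:
    """Pull the fields ASP.NET writes into the 1316 message body."""
    fields = {}
    for name, pattern in FIELD_RE.items():
        m = re.search(pattern, message)
        fields[name] = m.group(1).strip() if m else ""
    return fields


def suspicious_user_agent(ua: str) -> bool:
    """Heuristic for the 'two identifiers concatenated' indicator: more than
    one Mozilla/x product token inside a single User-Agent value."""
    return len(re.findall(r"Mozilla/\d", ua)) >= 2


def triage_viewstate_event(message: str) -> Tuple[str, Dict[str, str]]:
    """Classify one event: 'mac_failed' (sender does not hold the key),
    'high'/'critical' (MAC accepted, deserialization attempted), or 'ignore'."""
    f = parse_event_1316(message)
    if f["code"] != "4009":
        return "ignore", f
    try:
        payload = base64.b64decode(f["viewstate"]) if f["viewstate"] else b""
    except ValueError:
        payload = b""
    f["payload_bytes"] = str(len(payload))
    reason = f["reason"].lower()
    if "integrity check" in reason:
        return "mac_failed", f
    if "viewstate was invalid" in reason:
        oversized = len(payload) > GADGET_SIZE_HINT
        return ("critical" if oversized or suspicious_user_agent(f["user_agent"]) else "high"), f
    return "review", f


# Constructed process-creation records: (parent image, child image, command line).
SAMPLE_PROCESS_EVENTS = [
    ("w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("w3wp.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("w3wp.exe", "csc.exe", "csc.exe /noconfig /fullpaths @tmp.cmdline"),  # normal ASP.NET compile
    ("explorer.exe", "cmd.exe", "cmd.exe"),
]
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe", "net1.exe"}


def suspicious_w3wp_children(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Children of the IIS worker process that an LMS has no reason to spawn."""
    return [e for e in events if e[0].lower() == "w3wp.exe" and e[1].lower() in SUSPECT_CHILDREN]


if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        sev, fields = triage_viewstate_event(evt)
        print(sev, fields["client_ip"], fields["path"], fields["payload_bytes"])
    print(suspicious_w3wp_children(SAMPLE_PROCESS_EVENTS))
```

Keep the raw base64 from every "Viewstate was invalid" event: as the list above notes, it can be decrypted with the server's own machine keys to recover what was deserialized.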
To remediate this vulnerability, organizations should immediately generate a unique, cryptographically strong machineKey (validationKey and decryptionKey) for each KnowledgeDeliver instance; this is the only way to invalidate the shared secret. Use validation="HMACSHA256" and decryption="AES", keep the new keys out of version control and vendor-supplied templates, and plan for the fact that rotation invalidates outstanding ViewState and forms-authentication tickets. The nodes of one load-balanced instance must share that instance's key, but no two instances should ever share one. Where possible, restrict access to the LMS to known organizational IP address ranges. Organizations should also hunt for the indicators above and conduct a thorough investigation if any sign of exploitation is found: rotating keys does not remove a web shell already resident in w3wp.exe or an already modified JavaScript file.
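The following remediation helper is an added example, not the vendor's or Mandiant's code. It audits a web.config for the conditions this advisory describes and rewrites the machineKey with freshly generated per-instance values. The sample web.config and the key values in it are constructed stand-ins for the vendor's standardized file; the "known shared" fingerprint set is a placeholder that an organization would populate with SHA-256 digests of the key values from the vendor-provided template, never with the keys themselves.

```python
"""Audit a KnowledgeDeliver-style web.config for a shared machineKey and replace
it with a per-instance key (added example, not the vendor's or Mandiant's code).
The config text and fingerprints below are constructed placeholders."""
import hashlib
import secrets
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed stand-in for the vendor's standardized web.config (not real keys).
VENDOR_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def fingerprint(hex_key: str) -> str:
    """Store digests of known-shared keys, not the keys, in your audit tooling."""
    return hashlib.sha256(hex_key.upper().encode("ascii")).hexdigest()


# Constructed: digest of the placeholder validationKey above.
KNOWN_SHARED_FINGERPRINTS = {fingerprint("0123456789ABCDEF" * 4)}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
AES_KEY_HEX_LENGTHS = {32, 48, 64}  # 16, 24 or 32 bytes


def find_machine_key(root: ET.Element) -> Optional[ET.Element]:
    return next(root.iter("machineKey"), None)


def audit_web_config(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    mk = find_machine_key(root)
    if mk is None:
        return ["no machineKey element: ASP.NET auto-generates per-server keys "
                "(fine for one server; a load-balanced farm needs one explicit key "
                "shared only among its own nodes)"]
    vk, dk = mk.get("validationKey", ""), mk.get("decryptionKey", "")
    for name, value in (("validationKey", vk), ("decryptionKey", dk)):
        if fingerprint(value) in KNOWN_SHARED_FINGERPRINTS:
            findings.append(f"{name} matches a vendor-supplied shared key: "
                            "ViewState is forgeable, rotate immediately")
    if mk.get("validation", "").upper() not in STRONG_VALIDATION:
        findings.append(f"validation={mk.get('validation')!r}: use HMACSHA256 or stronger")
    if mk.get("decryption", "").upper() != "AES":
        findings.append(f"decryption={mk.get('decryption')!r}: use AES")
    if len(vk) < 128:
        findings.append("validationKey shorter than the recommended 64 bytes (128 hex chars)")
    if len(dk) not in AES_KEY_HEX_LENGTHS or len(dk) < 64:
        findings.append("decryptionKey should be 32 bytes (64 hex chars) for AES-256")
    return findings


def new_machine_key_attributes() -> dict:
    """Fresh, unique values from the OS CSPRNG; never copy these between instances."""
    return {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes = AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(xml_text: str) -> str:
    """Return web.config text with a newly generated per-instance machineKey.
    ElementTree drops the XML declaration and comments on re-serialization, so
    review the diff before deploying; rotation also invalidates existing
    ViewState and forms-authentication tickets."""
    root = ET.fromstring(xml_text)
    mk = find_machine_key(root)
    if mk is None:
        system_web = next(root.iter("system.web"), None)
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(new_machine_key_attributes())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("\n".join(audit_web_config(VENDOR_WEB_CONFIG)) or "clean")
    print(rotate_machine_key(VENDOR_WEB_CONFIG))
```

Run the audit on every node of an instance: each node of one load-balanced deployment must end up with the same freshly generated key, and no two deployments may share one.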