Summary
Google's Mandiant says threat actors weaponized a zero-day in KnowledgeDeliver, a learning management system from Japanese vendor Digital Knowledge, to deploy in-memory web shells and a tailored Cobalt Strike backdoor. The flaw, tracked as CVE-2026-5426 (CVSS 7.5), stems from a hardcoded ASP.NET machineKey that shipped in a standardized web.config and was reused across independent installations. Knowing that shared key, an unauthenticated attacker can forge a malicious ViewState payload that the server deserializes, leading to remote code execution. Every KnowledgeDeliver deployment provisioned before February 24, 2026 is considered affected.
Background on the vulnerability
KnowledgeDeliver is widely used for enterprise and educational e-learning across Japan. According to Mandiant's advisory MNDT-2026-0009, deployments were configured with a pre-shared ASP.NET machine key. In ASP.NET, the machineKey is what the framework uses to encrypt and sign serialized state such as ViewState. When the same key is baked into many independent installations, the secret that is supposed to make ViewState tamper-proof becomes public knowledge to anyone who has seen one deployment.
The issue is classified as CWE-502: Deserialization of Untrusted Data, with a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. As of mid-April 2026 the NVD entry for CVE-2026-5426 was still awaiting enrichment, describing it simply as a hard-coded ASP.NET/IIS key issue. The CVE.org record tracks the same identifier.
Mandiant lists the conditions required for exploitation:
- The default ASP.NET machine key was never changed by the organization.
- The application is reachable by the attacker (i.e., exposed to the internet).
How the attack works
With a valid (and in this case, publicly reused) machine key, an attacker can build a ViewState blob that passes the server's integrity checks. The server then deserializes the attacker-controlled object on receipt, which is the moment arbitrary code gets executed. Mandiant notes this is the same ViewState deserialization technique that has previously been turned against products like Sitecore and CentreStack, and that is commonly paired with the Godzilla web shell framework. Malicious payloads observed in the wild were crafted using the specific machine key present in deployments up until February 24, 2026, and they yielded OS-level remote code execution.
In the intrusions Mandiant investigated, the deserialization attack dropped in-memory Godzilla web shells (also referred to as Bluebeam), giving the operators an interactive channel to run additional commands. From there the attackers:
- Altered permissions on the web application directory.
- Modified a JavaScript file so it pulled in a malicious script and rendered a fake security alert.
- Used that alert to push users into installing a bogus browser plugin.
- Delivered a Cobalt Strike backdoor as the final payload.
Because the Cobalt Strike payload was encrypted with a key that embedded the victim's name, Mandiant assessed it had been built specifically for that target rather than sprayed indiscriminately.
Proof of concept
A public proof-of-concept for CVE-2026-5426 is available at HORKimhab/CVE-2026-5426. The author states it is for authorized penetration testing and security research only. The tool reproduces the ViewState deserialization path — single-target and bulk scanning, command execution, gadget selection, an interactive shell, and even automated Bluebeam web shell deployment:
git clone <repository-url>
cd <repository-name>
# Test a single target for vulnerability
python cve-2026-5426.py -t https://example.com
# Scan multiple targets from a file
python cve-2026-5426.py -t targets.txt
# Execute a command on a vulnerable target
python cve-2026-5426.py -t https://example.com -c "whoami"
# Execute a complex command
python cve-2026-5426.py -t https://example.com -c "ipconfig /all"
# Use a specific gadget type
python cve-2026-5426.py -t https://example.com -c "whoami" -g "WindowsIdentity"
# Interactive shell mode
python cve-2026-5426.py -t https://example.com --interactive
# Deploy a BLUEBEAM web shell
python cve-2026-5426.py -t https://example.com --deploy-shell
Disclosure timeline
Mandiant's coordinated disclosure with the vendor unfolded as follows:
- 2026-01-19 — Initial call with Digital Knowledge to report the issue.
- 2026-02-24 — Digital Knowledge rolled out an updated deployment procedure to address the flaw.
- 2026-03-18 — Follow-up call with Digital Knowledge to discuss public disclosure.
Detection and mitigation
The core fix is to stop relying on a shared secret. Mandiant recommends:
- Generate a unique, cryptographically strong
machineKeyfor every KnowledgeDeliver instance rather than using the value that shipped in the standardized configuration. - Rotate machine keys on any deployment that may have used the pre-shared value.
- Restrict access to the LMS so the application is not openly reachable by attackers on the internet.
Mandiant has published indicators of compromise to help defenders hunt for Godzilla/Bluebeam web shell activity and the tailored Cobalt Strike loader. Treat any KnowledgeDeliver instance provisioned before February 24, 2026 as potentially exposed until its keys are rotated.
Full details are in the Google Cloud / Mandiant threat intelligence write-up, the Mandiant vulnerability disclosure (MNDT-2026-0009), and the vendor's KnowledgeDeliver product page.