CVE-2026-5426: Zero-Day KnowledgeDeliver RCE (CVSS 7.5)

This post details CVE-2026-5426, a severe vulnerability in Digital Knowledge KnowledgeDeliver Learning Management System (LMS). This flaw, assigned a CVSS score of 7.5, allowed for unauthenticated remote code execution (RCE) via ViewState deserialization due to hard-coded ASP.NET machine keys.

The vulnerability was actively exploited as a zero-day to compromise affected LMS instances. Threat actors used this access to deploy the Godzilla web shell and distribute Cobalt Strike Beacon to users visiting the compromised platforms.

The widespread use of KnowledgeDeliver in Japan made this vulnerability a concern for organizations using the platform. Mandiant and Google Threat Intelligence Group (GTIG) provided insights into observed in-the-wild exploitation, describing the full attack chain.

What is CVE-2026-5426?

CVE-2026-5426 is a severe security vulnerability in Digital Knowledge KnowledgeDeliver that enables unauthenticated remote code execution (RCE). The flaw stems from the platform's use of hard-coded ASP.NET machineKey values in its web.config file. This standardization across installations meant that if an attacker obtained the machineKey from one instance, they could exploit any other internet-facing KnowledgeDeliver deployment using the same keys.

The vulnerability is severe because it offers a direct, unauthenticated path to server compromise: an attacker who can reach the application can execute arbitrary code with the privileges of the web application's IIS application pool identity. Its CVSS score of 7.5, combined with confirmed zero-day exploitation, shows the immediate risk to any internet-facing instance.

Impact

  Attackers exploiting CVE-2026-5426 can achieve unauthenticated Remote Code Execution on the target Digital Knowledge KnowledgeDeliver server. This access permits attackers to deploy persistent artifacts, such as the Godzilla (also known as BLUEBEAM) web shell, and gives them control of the web server's file system. Observed actions include granting "Everyone" complete access to the web application directory, which shows an intent to broaden access and persistence.

The risk extends beyond server compromise to LMS end-users. Attackers tampered with application JavaScript files to display fake security alerts, urging users to install a "security authentication plugin." These unauthorized modifications facilitated stealthy loading of malicious scripts from attacker-controlled domains, leading to fake installer downloads. This attack chain infected user machines with Cobalt Strike Beacon, a post-exploitation agent. Cobalt Strike payloads were encrypted using keys incorporating the compromised organization's name, indicating a targeted approach. Organizations in Japan, where KnowledgeDeliver is popular, faced heightened risk, and any internet-facing instance was a potential target.

Exploitation Chain Analysis

Exploitation of CVE-2026-5426 relies on a design flaw in how KnowledgeDeliver ships its ASP.NET machineKey values. The attack vector is unauthenticated remote code execution via ViewState deserialization. The vulnerability's core precondition is a hard-coded machineKey in the vendor-provided web.config, identical across numerous KnowledgeDeliver installations. ASP.NET trusts any ViewState whose MAC was computed with the configured validationKey, so an attacker who retrieves the key from one exposed instance can sign malicious ViewState payloads that every other vulnerable, internet-facing instance accepts. For additional context on this attack technique, our prior analysis of Sitecore RCE vulnerabilities explores similar ViewState deserialization methods.

Once the validationKey (and, where ViewState is encrypted, the decryptionKey) is known, an attacker serializes a .NET gadget chain, signs it with the key, and submits it in the __VIEWSTATE parameter of a POST to any reachable page that processes ViewState, which requires no application credentials. Because the MAC verifies, ASP.NET deserializes the payload during page processing and the gadget chain executes arbitrary code under the application pool identity. Public tooling such as ysoserial.net automates generating such payloads for a given key set, which is why a leaked shared key is effectively a universal exploit.
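The trust relationship described above, as an added example that is not code from the page, the vendor, or Mandiant: a simplified model of the ASP.NET ViewState MAC check. Real ASP.NET 4.5+ derives a per-page key from validationKey with an SP800-108 KDF and mixes in a page-specific modifier before HMAC-SHA256, but the property that matters is the same: whoever holds validationKey can mint a MAC the server accepts, and only a per-deployment key breaks cross-instance reuse. The vendor key, the gadget-chain bytes and the instance names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Simplified model of the ASP.NET ViewState integrity check (added example, not vendor code).
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMACSHA256


def sign_viewstate(validation_key: bytes, serialized_state: bytes) -> str:
    """What the server, or an attacker holding the key, does: append an HMAC and base64-encode."""
    mac = hmac.new(validation_key, serialized_state, hashlib.sha256).digest()
    return base64.b64encode(serialized_state + mac).decode("ascii")


def verify_viewstate(validation_key: bytes, viewstate_b64: str) -> Optional[bytes]:
    """Server-side check. Returns the body only if the MAC verifies; ASP.NET deserializes
    (and therefore runs any gadget chain) only after this check passes."""
    try:
        raw = base64.b64decode(viewstate_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # "Viewstate verification failed": payload is never deserialized
    return body


# Hypothetical placeholder for a vendor-shipped key that every install shares.
SHARED_VENDOR_KEY = bytes.fromhex("AB" * 64)


def shared_key_forgery_demo() -> Tuple[bool, bool, bool]:
    """Returns (accepted by a second instance using the shared key,
                accepted after that instance rotated to a unique key,
                accepted when the body is tampered without re-signing)."""
    gadget_chain = b"<constructed stand-in for a serialized .NET gadget chain>"
    forged = sign_viewstate(SHARED_VENDOR_KEY, gadget_chain)  # attacker signs with the leaked key

    # Instance B still runs the vendor web.config: the forged ViewState passes the MAC check.
    accepted_on_shared_key = verify_viewstate(SHARED_VENDOR_KEY, forged) is not None

    # Instance C regenerated a per-deployment key: the same payload is rejected before deserialization.
    unique_key = secrets.token_bytes(64)
    accepted_after_rotation = verify_viewstate(unique_key, forged) is not None

    # Flipping one byte of the body without the key also fails, which is the MAC doing its job.
    raw = base64.b64decode(forged)
    tampered = base64.b64encode(bytes([raw[0] ^ 0x01]) + raw[1:]).decode("ascii")
    accepted_tampered = verify_viewstate(SHARED_VENDOR_KEY, tampered) is not None

    return accepted_on_shared_key, accepted_after_rotation, accepted_tampered


if __name__ == "__main__":
    print(shared_key_forgery_demo())  # (True, False, False)
```

The point of the third value is that the MAC is not broken: it works exactly as designed, and the attacker simply holds the signing key. That is why the fix is key uniqueness rather than input filtering.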

In observed in-the-wild exploitation documented by Mandiant and Google Threat Intelligence Group (GTIG), attackers followed a multi-stage process:

  1. Initial Access: Exploitation of CVE-2026-5426 provided unauthenticated RCE on the KnowledgeDeliver LMS server.
  2. Web Shell Deployment: Attackers deployed the Godzilla web shell (also known as BLUEBEAM), which gives remote command execution on the compromised server. Deploying such tools is a common objective for attackers seeking persistent access and control, as discussed in our research on React2shell RCE vulnerabilities.
  3. Permission Loosening for Persistence: Commands were executed to widen control over the web server's file system, specifically by granting "Everyone" complete access to the web application directory. This keeps the web shell writable and functional regardless of which account the application pool runs as.
  4. Malicious Script Injection: The threat actor tampered with an application JavaScript file on the LMS platform. The injected code served two purposes:
    • Displaying a fake security alert, prompting users to install a "security authentication plugin."
    • Stealthily loading an additional malicious script from an attacker-controlled domain.
  5. User Infection: The externally hosted script prompted users to download a fake installer, which infected end-user machines with Cobalt Strike Beacon. The Beacon payloads were crafted for the targeted organization, using the compromised organization's name in the encryption key. This customization suggests a deliberate and focused campaign.

This exploitation chain shows a progression from server compromise to client-side infection, using a single severe vulnerability to achieve multiple malicious objectives. Microsoft previously documented the abuse of publicly disclosed ASP.NET machine keys in February 2025, showing this vector was already a recognized threat.

Which KnowledgeDeliver versions are affected?

CVE-2026-5426 affects Digital Knowledge KnowledgeDeliver LMS. All KnowledgeDeliver versions released before February 24, 2026 are affected; the vendor's fix is in releases dated on or after that day.

Specifically, instances that rely on the vendor-provided web.config file containing hard-coded machineKey values are vulnerable. These standardized keys enable attackers, who obtain the key from one deployment, to compromise other internet-facing instances.

Detection Mechanisms

Detecting exploitation attempts and successful compromises related to CVE-2026-5426 requires comprehensive logging and monitoring. Focus on unusual web requests, file system changes, and outbound network connections from the KnowledgeDeliver server.

  • Network Indicators:
  • Monitor for POST requests to KnowledgeDeliver pages carrying unusually large __VIEWSTATE values (serialized gadget chains are typically tens of kilobytes, far above the application's normal ViewState), especially from unfamiliar source IP addresses. A correctly signed payload is not malformed, so size and source are the usable signals, and they must be captured at a reverse proxy or WAF because IIS does not log request bodies by default.
  • Look for outbound network connections from the LMS server to unfamiliar external IP addresses or domains. These could indicate Cobalt Strike C2 communications, download of additional attacker tools, or malicious JavaScript loading from attacker-controlled infrastructure.
  • Analyze DNS queries for newly resolved, suspicious domains.
  • Host-Based Indicators (LMS Server):
  • File Integrity Monitoring (FIM): Implement FIM on the KnowledgeDeliver web application directory. Alert on unauthorized modifications to critical files, including:
  • web.config (for changes to machineKey or other sensitive configurations).
  • .aspx, .ascx, .cshtml, or other web application source files.
  • JavaScript files (e.g., those found to be tampered with to inject malicious scripts).
  • The creation of new, unexpected files with extensions IIS will execute (.aspx, .ashx, .asmx, .ascx) or with obfuscated names, particularly in directories such as image or script folders that should never contain executable pages. The presence of Godzilla web shell artifacts should trigger immediate alerts.
  • Process Monitoring: Monitor for suspicious processes spawned by the web server process (e.g., w3wp.exe for IIS). Look for:
  • Execution of command-line interpreters (e.g., cmd.exe, powershell.exe) with unusual or encoded arguments.
  • Execution of system utilities for file manipulation (copy, move, ren, icacls, cacls) or for download and network activity (certutil.exe, bitsadmin.exe, curl.exe, PowerShell Invoke-WebRequest).
  • Attempts to modify directory permissions, such as granting "Everyone" write access to the web application directory.
  • Log Analysis: Review IIS logs and the Windows Application event log for:
  • POST requests to .aspx pages with unusually large request sizes (the optional cs-bytes IIS field must be enabled to see this) or that return HTTP 500, since a gadget chain commonly throws after it has already executed. IIS does not record the __VIEWSTATE body itself, so body-level inspection needs a proxy or WAF capture.
  • ASP.NET ViewState MAC failures (Application log, ASP.NET event ID 1316, "Viewstate verification failed"). These appear only when the attacker's key no longer matches, for example after keys are rotated; a burst of them after remediation indicates continued targeting, while a payload signed with the correct shared key produces no such event.
  • Access to newly created or modified web shell files.
  • Unexpected w3wp.exe crashes or application pool restarts.
  • EDR/Antivirus Alerts: Configure Endpoint Detection and Response (EDR) and antivirus solutions to detect known Godzilla (aka BLUEBEAM) web shell signatures, Cobalt Strike Beacon implants, and suspicious file operations or process executions on the LMS server.
  • Client-Side Indicators (End-User Machines):
  • Monitor for user downloads of unusual or unsigned executable files prompted by web browser activity, especially after visiting KnowledgeDeliver pages.
  • Look for the execution of Cobalt Strike Beacon artifacts or related malicious payloads on user workstations.
  • Detect unexpected pop-ups or security alerts from within the browser that are not typical for the organization's security software.
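The server-side log signals listed above, as an added example not taken from the page, the vendor, or Mandiant: a triage pass over IIS W3C log lines that flags oversized POSTs to ASP.NET handlers, HTTP 500 responses to POSTs, and requests to handlers outside a known baseline. The log excerpt is constructed, the handler baseline is a hypothetical one that a real deployment would build from a clean install, and the size threshold is an assumption to tune against the application's real ViewState sizes.

```python
from typing import Dict, List, Tuple

# Constructed IIS W3C log excerpt (added example; not real KnowledgeDeliver traffic).
# cs-bytes is an optional IIS logging field and must be enabled for the size check to work.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status time-taken cs-bytes
2026-02-20 01:02:03 GET /kd/login.aspx - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 15 512
2026-02-20 01:02:09 POST /kd/login.aspx - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 302 40 1843
2026-02-20 03:15:44 POST /kd/default.aspx - 198.51.100.7 python-requests/2.31 500 812 48211
2026-02-20 03:15:52 POST /kd/images/cache.aspx - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 31 903
2026-02-20 03:16:01 GET /kd/scripts/common.js - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 200 4 301
"""

# Hypothetical baseline of legitimate ASP.NET handlers; build the real one from a clean install.
KNOWN_HANDLERS = {"/kd/login.aspx", "/kd/default.aspx", "/kd/course.aspx"}
OVERSIZED_POST_BYTES = 16 * 1024  # assumption: tune to the largest legitimate ViewState observed
ASPNET_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".ascx")

Finding = Tuple[str, str, str]  # (client ip, uri stem, reason)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log format using the #Fields directive, since field sets vary per server."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()  # IIS replaces spaces inside field values with '+'
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def triage(rows: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(ASPNET_EXTENSIONS):
            continue  # only handlers that process ViewState or could be web shells
        is_post = r["cs-method"].upper() == "POST"
        raw_size = r.get("cs-bytes", "0")
        size = int(raw_size) if raw_size.isdigit() else 0
        if is_post and size > OVERSIZED_POST_BYTES:
            findings.append((r["c-ip"], stem, "oversized POST to ASP.NET handler (possible ViewState gadget chain)"))
        if is_post and r.get("sc-status") == "500":
            findings.append((r["c-ip"], stem, "HTTP 500 on POST (deserialization exception is common after a gadget fires)"))
        if stem not in KNOWN_HANDLERS:
            findings.append((r["c-ip"], stem, "handler outside baseline (possible web shell)"))
    return findings


def suspicious_sources(findings: List[Finding]) -> List[str]:
    """Client addresses worth pivoting on in proxy, EDR and firewall data."""
    return sorted({ip for ip, _, _ in findings})


if __name__ == "__main__":
    for ip, stem, reason in triage(parse_w3c(SAMPLE_IIS_LOG)):
        print(f"{ip} {stem}: {reason}")
```

None of these rules is conclusive on its own: a legitimate page can exceed the size threshold, and a 500 can be an ordinary bug. Their value is in co-occurrence from one source address within minutes, which is what the sample shows and what should drive a pivot into process creation and file-write telemetry for the same window.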

Remediation Strategies

Immediate, thorough remediation is required for CVE-2026-5426 and any potential ongoing compromise. Take the following steps:

  • Patching: Apply the security update released by Digital Knowledge on or after February 24, 2026. This patch directly addresses the underlying vulnerability by resolving the hard-coded machineKey issue. Verify that the patch has been successfully applied and that the web.config file no longer contains default or easily guessable machineKey values.
  • Machine Key Regeneration: If the patch does not automatically update the machineKey, manually regenerate unique, cryptographically strong machineKey values for each KnowledgeDeliver instance (nodes of a single load-balanced deployment share one key; separate deployments must never share keys). This prevents future exploitation through known machineKey values, a risk Microsoft documented for ASP.NET applications in February 2025. Expect rotation to invalidate outstanding ViewState and forms-authentication tickets, and remember that it does not evict an attacker who already has a web shell on the server; the threat hunting below is still required.
  • Threat Hunting and Incident Response:
  • Scan for Web Shells: Conduct a full scan of the KnowledgeDeliver server's file system for web shells, specifically Godzilla (aka BLUEBEAM), and any other unauthorized files or modifications. Remove all identified malicious artifacts.
  • Identify Compromise Extent: Determine if the attackers were able to establish persistence mechanisms beyond the web shell, such as scheduled tasks, new user accounts, or modified system services.
  • User Workstation Analysis: Investigate end-user workstations that accessed the compromised LMS during the exploitation window for Cobalt Strike Beacon infections or other malware.
  • Reset Credentials: Reset any credentials that may have been exposed or compromised on the affected LMS server.
  • Security Configuration Review:
  • Least Privilege: Review and enforce the principle of least privilege for the web application's service account and directory permissions. Remove any overly permissive access, such as "Everyone" having full control over the web application directory.
  • Network Segmentation: Implement or strengthen network segmentation to limit the exposure of the LMS instance to the internet and restrict its ability to make outbound connections to untrusted destinations.
  • Web Application Firewall (WAF): Deploy or tune a WAF to detect and block suspicious requests, such as __VIEWSTATE values far larger than the application normally produces or known gadget-chain signatures. Because a payload signed with the shared key is otherwise well-formed, this is a compensating control and not a replacement for patching and key rotation.
  • Enhanced Monitoring: Increase logging verbosity and enhance monitoring for the detection indicators listed previously. This includes detailed web server logs, process execution logs, and network traffic analysis.
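The patch-verification and key-regeneration steps above, as an added example that is not Digital Knowledge's patch or configuration: an audit of a web.config for the static-key pattern behind CVE-2026-5426, followed by a rewrite of the machineKey element with fresh per-deployment keys. The web.config fragment is constructed and its key values are placeholders, not the vendor's; `audit_machine_key` can only report that a key is static, not whether it is the vendor-shared one, which has to be checked against a second install or the vendor's original file.

```python
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed web.config in the shape of the vulnerable pattern (added example; placeholder keys).
VULNERABLE_WEB_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="{'AB' * 64}" decryptionKey="{'CD' * 32}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

LEGACY_VALIDATION = {"MD5", "SHA1"}  # HMACSHA256 or stronger is the modern default
LEGACY_DECRYPTION = {"DES", "3DES"}


def machine_key_attrs(config_xml: str) -> Dict[str, str]:
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    return dict(mk.attrib) if mk is not None else {}


def audit_machine_key(config_xml: str) -> List[str]:
    root = ET.fromstring(config_xml)
    attrs = machine_key_attrs(config_xml)
    findings: List[str] = []
    if not attrs:
        findings.append("no <machineKey>: ASP.NET auto-generates keys per server (acceptable for a single node)")
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            findings.append(f"static {name}: must be unique to this deployment; a vendor-shipped value is shared with every other install")
    if attrs.get("validation", "HMACSHA256").upper() in LEGACY_VALIDATION:
        findings.append(f"legacy validation={attrs['validation']}: use HMACSHA256")
    if attrs.get("decryption", "AES").upper() in LEGACY_DECRYPTION:
        findings.append(f"legacy decryption={attrs['decryption']}: use AES")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: disables the MAC check entirely (ignored by current .NET Framework releases, but remove it)")
    return findings


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with new random keys: a 64-byte validationKey for HMACSHA256 and a
    32-byte decryptionKey for AES-256, the sizes IIS Manager's Generate Keys action produces."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())
    mk.set("decryptionKey", secrets.token_hex(32).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(VULNERABLE_WEB_CONFIG):
        print("before:", finding)
    rotated = rotate_machine_key(VULNERABLE_WEB_CONFIG)
    for finding in audit_machine_key(rotated):
        print("after: ", finding)
```

After rotation the audit still reports the keys as static, which is correct: an explicit key is fine as long as it is unique to the deployment. Apply the rewritten element through IIS Manager or a configuration-management tool rather than by hand-editing production files, and schedule the change for a maintenance window because every outstanding ViewState and forms-authentication ticket becomes invalid the moment the new key is loaded.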

Technical Takeaways

  • CVE-2026-5426 is a severe (CVSS 7.5) unauthenticated Remote Code Execution vulnerability in Digital Knowledge KnowledgeDeliver LMS.
  • The root cause is hard-coded ASP.NET machineKey values, allowing ViewState deserialization attacks by any actor possessing these shared keys.
  • This flaw was actively exploited as a zero-day to deploy Godzilla web shells on compromised servers, followed by the injection of malicious JavaScript to distribute Cobalt Strike Beacon to end-users.
  • Successful exploitation led to full control over the web application and subsequent client-side infection, targeting organizations specifically through tailored Cobalt Strike payloads.
  • Immediate patching of KnowledgeDeliver deployments to versions released on or after February 24, 2026 is essential. Regenerating a unique machineKey per deployment, and hunting for web shells and modified JavaScript left behind before the patch, are also required to close the risk.