
Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability

Published 25/05/2026 10:08 · Modified 25/05/2026 10:51


Essential information

Published
25/05/2026 10:08
Modified
25/05/2026 10:51
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
bluebeam, bluebeam web shell, cobalt strike, viewstate deserialization, zero-day exploitation
Tags
2026-05-25, bluebeam, bluebeam web shell, cobalt strike, viewstate deserialization, zero-day exploitation
Related entities
1 vulnerability (CVE), 1 indicator, 1 observable, 20 techniques (MITRE), 3 malware, 2 others

Description

In late 2025, an unknown threat actor exploited a critical zero-day vulnerability in KnowledgeDeliver, a Learning Management System widely used in Japan. The vulnerability, tracked as CVE-2026-5426, allowed unauthenticated remote code execution through ViewState deserialization attacks. The issue stemmed from identical hardcoded ASP.NET machine keys shipped in the vendor's configuration files across multiple customer deployments. Attackers obtained these keys from one deployment and used them to compromise other internet-facing instances. Following initial access, the threat actors deployed the in-memory web shell, modified JavaScript files to display fake security alerts, and tricked users into installing malicious software that delivered BEACON backdoors. The attack demonstrates the severe risk of shared secrets in deployment templates and underlines the importance of unique cryptographic keys per installation.
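
A defender-side check for the root cause this record describes, added here as an example and not code from the report or the vendor: it reads web.config fragments gathered from several deployments and flags hardcoded machineKey pairs that repeat across hosts, while ignoring installations that let ASP.NET auto-generate keys. The config fragments, host names and key values are constructed placeholders.

```python
"""Flag ASP.NET machineKey pairs that repeat across deployments (web.config)."""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs: placeholder key material, not real secrets.
SAMPLE_CONFIGS = {
    "host-a": """<configuration><system.web>
  <machineKey validationKey="AAAA1111AAAA1111" decryptionKey="BBBB2222BBBB2222"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "host-b": """<configuration><system.web>
  <machineKey validationKey="AAAA1111AAAA1111" decryptionKey="BBBB2222BBBB2222"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "host-c": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>""",
}

def extract_machine_key(config_xml):
    """Return (validationKey, decryptionKey) or None if no machineKey element."""
    node = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if node is None:
        return None  # framework default: keys auto-generated per machine
    return node.get("validationKey", ""), node.get("decryptionKey", "")

def is_hardcoded(key_value):
    """A key is hardcoded unless ASP.NET is told to generate it itself."""
    return not key_value.upper().startswith("AUTOGENERATE")

def audit_machine_keys(configs):
    """Map fingerprint -> deployments for hardcoded key pairs shared by >1 host."""
    by_fingerprint = defaultdict(list)
    for name, xml_text in configs.items():
        keys = extract_machine_key(xml_text)
        if keys is None or not any(is_hardcoded(k) for k in keys):
            continue  # nothing static that could be reused elsewhere
        fp = hashlib.sha256("|".join(keys).encode()).hexdigest()[:16]
        by_fingerprint[fp].append(name)
    return {fp: hosts for fp, hosts in by_fingerprint.items() if len(hosts) > 1}

if __name__ == "__main__":
    for fp, hosts in audit_machine_keys(SAMPLE_CONFIGS).items():
        print(f"shared machineKey {fp} on: {', '.join(hosts)}")
```

Run it over real web.config files collected from each installation; any fingerprint listed with more than one host is a key pair that should be regenerated per deployment.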

External references