Written by: Takahiro Sugiyama, Peter Revelant, Mathew Potaczek
Introduction
In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site.
This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability was initially exploited as a zero-day, now tracked as CVE-2026-5426.
The Vulnerability
KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.
Because these keys were identical across independent customer environments, a threat actor who obtained the keys from one deployment could compromise any other internet-facing KnowledgeDeliver instance.
The following is an example of the relevant configuration line found in the web.config file:
<machineKey decryptionKey="<REDACTED>" validationKey="<REDACTED>" />The ASP.NET ViewState persists page state across postbacks. When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the threat actor can make the server deserialize it.
This technique follows the pattern of the ViewState Deserialization Zero-Day Vulnerability affecting Sitecore (previously reported by Mandiant), and Code injection attacks using publicly disclosed ASP.NET machine keys reported by Microsoft. This highlights how it is critical to keep the machine key unique and secure.
Post-Exploitation Activity
Once access was established, the threat actors focused on maintaining their presence and expanding the impact of the compromise.
BLUEBEAM Web Shell Deployment
The threat actor deployed a .NET-based in-memory web shell called BLUEBEAM (also known as Godzilla). The use of BL
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: