In late 2025, Mandiant responded to an intrusion at an organization whose public web server ran Knowledge Deliver, a Learning Management System widely used in Japan. The investigation uncovered a critical remote code execution vulnerability in the product, now tracked as CVE-2026-5426, which the then-unidentified threat actors had been exploiting as a zero-day. After taking over the server, the attackers altered the platform's own content to infect the users who visited it.
The Mechanics of the Shared Key Flaw
The flaw is not a coding bug in the application but a deployment mistake. Before February 24, 2026, standard installations shipped with a uniform configuration file supplied by the vendor. The report notes that “This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.” ASP.NET accepts a ViewState field only when its MAC validates under the validationKey from that machineKey, and it then deserializes the contents with ObjectStateFormatter. Because every customer's installation carried the same keys, the key recovered from any single installation let an attacker sign a ViewState of their own choosing for every other internet-facing instance; independently operated servers were, cryptographically, one server. The threat actors did exactly that, sending HTTP requests that carried crafted but validly signed ViewState payloads containing a deserialization gadget chain, which the server deserialized inside the IIS worker process.
Post-Exploitation Tactics and Malware
Once in, the attackers worked on keeping their foothold. They deployed a .NET in-memory web shell that Mandiant named BLUEBEAM. According to the report, “This malware operates entirely in memory within the IIS worker process (w3wp.exe), making it difficult to detect through traditional file-based scanning.” Operators tasked it through encrypted HTTP POST requests, so arbitrary command execution rode on what looked like ordinary traffic to the application, and nothing on disk exposed it to antivirus or other file-based scanning.
The threat actors also loosened file-system permissions to widen their reach, using the built-in icacls tool to grant the Everyone group full control of directories. They then edited legitimate application JavaScript files so that the site served a fake security alert, which told users to download a “plugin” that was in fact a malicious installer. That installer dropped a customised Cobalt Strike BEACON backdoor on employee workstations; the operators had even tailored the sample's encryption key to the target organization's name, a sign the payload was built for this victim specifically.
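The tampering with application JavaScript described above is exactly what a baseline-and-diff integrity check over the web root catches. The following is an added example, not tooling from the report or the vendor: it hashes every watched file under a web root into a manifest, then diffs a later manifest against it to report modified, added and removed files. The sample web root, file names and the injected snippet are constructed in a temporary directory so it runs anywhere; none of them are the real Knowledge Deliver paths or the real injected code.

```python
"""Baseline-and-diff integrity check for a web application's static files.

Added example (not from the Mandiant report). The sample web root is
constructed in a temporary directory; the 'injected' JavaScript is a stand-in
for the fake security alert the attackers served, not the real code.
"""
import hashlib
import tempfile
from pathlib import Path

# File types an attacker edits to change what the browser runs or the
# server does; web.config is included because that is where machineKey lives.
WATCHED_SUFFIXES = {".js", ".css", ".html", ".aspx", ".config"}


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for watched files under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; returns sorted lists under 'modified', 'added', 'removed'."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Simulate a clean deployment, a baseline snapshot, then an attacker's edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Scripts").mkdir()
        (root / "Scripts" / "app.js").write_text("window.app = {};\n")
        (root / "Default.aspx").write_text("<%@ Page Language=\"C#\" %>\n")
        (root / "logo.png").write_bytes(b"\x89PNG not a watched type")
        baseline = build_manifest(root)

        # Attacker appends a fake 'plugin required' prompt to a legitimate
        # file and drops a new script (constructed stand-in, not real code).
        with open(root / "Scripts" / "app.js", "a") as f:
            f.write("document.body.insertAdjacentHTML('beforeend', "
                    "'<div>Security plugin required</div>');\n")
        (root / "Scripts" / "update.js").write_text("// dropped file\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline manifest is written at deploy time and stored off the web server, and the comparison runs on a schedule; a non-empty "modified" list for a file the deployment pipeline did not touch is the alert.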
Defensive Actions and Threat Hunting
Organizations running Knowledge Deliver should hunt for exploitation as well as patch. First, review the Windows Application log for Event ID 1316, the ASP.NET event logged when ViewState verification fails (the message carries event code 4009, “Viewstate verification failed”). It is raised when a ViewState's MAC does not validate, so a burst of these from one client points to an attacker testing keys, or to continued attempts after the key was rotated; a payload signed with the correct leaked key validates cleanly and leaves no such event, which is why the second check matters. Second, alert on unexpected child processes of the IIS worker process (w3wp.exe), such as cmd.exe or powershell.exe, since a web shell that runs operating-system commands has to spawn a process to do so even when the shell itself never touches disk.
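Both hunts can be run over an export of Windows event data. The following is an added example, not detection content from the report: it counts Event ID 1316 records per client address and flags suspicious children of w3wp.exe, plus any icacls invocation that grants rights to Everyone (the ACL change described earlier, matched on command-line shape rather than on anything the report quotes). The input records are plain dicts standing in for exported Windows or Sysmon events, the sample data is constructed, and the field names (EventID, Source, Message, ParentImage, Image, CommandLine) are assumptions to map onto your own export.

```python
"""Threat-hunting checks: ASP.NET Event ID 1316 (ViewState verification
failures) in the Application log, and unexpected children of w3wp.exe.

Added example, not from the Mandiant report. Field names and sample records
are constructed assumptions; map them onto your own SIEM or Get-WinEvent export.
"""
from collections import Counter

# Binaries an ASP.NET worker process has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe",
    "nltest.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe", "icacls.exe",
}


def _message_field(message, label):
    """Pull 'label: value' out of the multi-line ASP.NET event message."""
    for line in message.splitlines():
        line = line.strip()
        if line.lower().startswith(label.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def hunt_viewstate_failures(app_events, threshold=5):
    """Return {client_ip: count} for clients with at least `threshold`
    Event ID 1316 records from an ASP.NET source.

    A forgery signed with the correct leaked key validates and logs nothing
    here; this catches key probing and attempts made after key rotation.
    """
    per_ip = Counter()
    for ev in app_events:
        if ev.get("EventID") != 1316 or not str(ev.get("Source", "")).startswith("ASP.NET"):
            continue
        ip = _message_field(ev.get("Message", ""), "User host address")
        if ip:
            per_ip[ip] += 1
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def hunt_w3wp_children(proc_events):
    """Return process-creation records worth a look, each tagged with reasons:
    a suspicious image spawned by w3wp.exe, or icacls granting rights to the
    Everyone group from any parent."""
    findings = []
    for ev in proc_events:
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "").lower()
        reasons = []
        if parent == "w3wp.exe" and image in SUSPICIOUS_CHILDREN:
            reasons.append("suspicious child of w3wp.exe")
        if image == "icacls.exe" and "/grant" in cmd and "everyone" in cmd:
            reasons.append("icacls grant to Everyone")
        if reasons:
            findings.append({"reasons": reasons, **ev})
    return findings


# Constructed sample records (not real telemetry; RFC 5737 test addresses).
VIEWSTATE_FAIL_MSG = (
    "Event code: 4009\n"
    "Event message: Viewstate verification failed. Reason: The viewstate "
    "supplied failed integrity check.\n"
    "Request path: /Default.aspx\n"
    "User host address: {ip}\n"
)
SAMPLE_APP_EVENTS = (
    [{"EventID": 1316, "Source": "ASP.NET 4.0.30319.0",
      "Message": VIEWSTATE_FAIL_MSG.format(ip="203.0.113.10")}] * 6
    + [{"EventID": 1316, "Source": "ASP.NET 4.0.30319.0",
        "Message": VIEWSTATE_FAIL_MSG.format(ip="198.51.100.7")},
       {"EventID": 1309, "Source": "ASP.NET 4.0.30319.0",
        "Message": "Event code: 3005\nUser host address: 203.0.113.10\n"}]
)
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_PROC_EVENTS = [
    {"ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # ASP.NET legitimately spawns the C# compiler for dynamically compiled pages.
    {"ParentImage": W3WP, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\inetpub\wwwroot\app" /grant Everyone:(OI)(CI)F /T'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    print("ViewState failures by client:", hunt_viewstate_failures(SAMPLE_APP_EVENTS))
    for f in hunt_w3wp_children(SAMPLE_PROC_EVENTS):
        print(f["reasons"], "->", f["CommandLine"])
```

The csc.exe record is there deliberately: ASP.NET compiles pages on demand through the worker process, so a child-process rule keyed on "anything from w3wp.exe" floods the queue, while an allow-list of known-bad images stays quiet until cmd.exe or powershell.exe appears.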
Remediation means replacing the shared keys, not merely patching the application. The report states: “Rotate Machine Keys: Immediately generate a unique, cryptographically strong machine key for each Knowledge Deliver instance.” Rotation invalidates every ViewState an attacker has already forged against the old key, but it does not evict a web shell that is already resident in w3wp.exe, so a confirmed compromise needs incident response rather than a configuration change alone. Finally, restricting access to the application to known corporate IP ranges removes it from the pool of internet-facing instances an attacker can reach with a forged payload.
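The shared-key condition described under the mechanics section and the rotation step here can both be handled from the configuration files themselves. The following is an added example, not the vendor's or Mandiant's tooling: it parses the <machineKey> element out of a set of web.config files, flags a validationKey that appears in more than one installation (the CVE-2026-5426 condition) along with weak validation algorithms, and mints a replacement element with fresh random keys at the sizes ASP.NET uses for HMACSHA256 and AES. The instance names and key values in the sample are constructed placeholders, not the leaked keys.

```python
"""Audit the <machineKey> element across many ASP.NET web.config files and
mint replacement keys.

Added example: not the vendor's or Mandiant's tooling, and the key values
below are constructed placeholders. validationKey is 64 bytes for
validation="HMACSHA256" and decryptionKey 32 bytes for decryption="AES",
hex-encoded as web.config expects.
"""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict


def extract_machine_key(web_config_xml):
    """Return the <machineKey> attributes as a dict, or None when the element
    is absent (ASP.NET then defaults to AutoGenerate,IsolateApps)."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    return dict(mk.attrib) if mk is not None else None


def audit_instances(configs):
    """configs maps an instance name to its web.config text.
    Returns (severity, instance or tuple of instances, message) findings."""
    findings = []
    instances_by_vkey = defaultdict(list)
    for name, xml_text in configs.items():
        mk = extract_machine_key(xml_text)
        if mk is None:
            findings.append(("info", name, "no <machineKey>; ASP.NET auto-generates keys per application"))
            continue
        vkey = mk.get("validationKey", "")
        if vkey.startswith("AutoGenerate"):
            findings.append(("info", name, "validationKey is AutoGenerate (per-machine, not shareable)"))
            continue
        if mk.get("validation", "").upper() in {"MD5", "SHA1", "3DES"}:
            findings.append(("medium", name, f"weak validation algorithm {mk['validation']}"))
        if len(vkey) < 128:
            findings.append(("low", name, "validationKey shorter than the 64 bytes recommended for HMACSHA256"))
        instances_by_vkey[vkey].append(name)
    # The flaw itself: one validationKey in independently operated installations.
    for vkey, names in instances_by_vkey.items():
        if len(names) > 1:
            findings.append(("critical", tuple(sorted(names)),
                             "validationKey shared across instances; a ViewState forged for one validates on all"))
    return findings


def generate_machine_key_element():
    """Return a new <machineKey> element with independent random keys.
    Run once per installation; never reuse the output."""
    validation_key = secrets.token_hex(64)   # 64 bytes for HMACSHA256
    decryption_key = secrets.token_hex(32)   # 32 bytes for AES-256
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')


# Constructed sample configs with placeholder keys (not real ones).
CONFIG_TEMPLATE = """<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""
VENDOR_VKEY = "0123456789ABCDEF" * 8   # 128 hex chars = 64 bytes
VENDOR_DKEY = "0123456789ABCDEF" * 4   # 64 hex chars = 32 bytes
SAMPLE_CONFIGS = {
    # Two installations deployed from the same vendor template.
    "customer-a": CONFIG_TEMPLATE.format(v=VENDOR_VKEY, d=VENDOR_DKEY),
    "customer-b": CONFIG_TEMPLATE.format(v=VENDOR_VKEY, d=VENDOR_DKEY),
    # One whose operator already rotated to unique keys.
    "customer-c": CONFIG_TEMPLATE.format(v="FEDCBA9876543210" * 8, d="FEDCBA9876543210" * 4),
    # One with no explicit element at all.
    "customer-d": "<configuration><system.web /></configuration>",
}

if __name__ == "__main__":
    for severity, where, message in audit_instances(SAMPLE_CONFIGS):
        print(f"[{severity}] {where}: {message}")
    print("replacement:", generate_machine_key_element())
```

A vendor can run the audit against its own install base as a regression test, and an operator with one instance can at least confirm the validationKey it runs does not match the template value shipped with the installer. After swapping in the generated element, recycle the application pool so the worker process picks up the new keys.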
Implications for Enterprise Security
The root cause here is a secret baked into a deployment template. Once a vendor ships static keys, the secret is only as private as the least-protected installation, and a single leak exposes the whole customer base; cryptographic keys must be generated per deployment, at install time, and never copied from a template. File integrity monitoring and endpoint telemetry will not stop a forged ViewState from being deserialized, since the request looks valid to the server, but they surface what follows: edited application files, loosened ACLs and command shells spawned from w3wp.exe, which is where this intrusion was actually observable.