Mandiant researchers responding to a compromised web server in late 2025 discovered and disclosed CVE-2026-5426, a critical remote code execution vulnerability in KnowledgeDeliver — a Learning Management System (LMS — a platform used by educational institutions and corporations to deliver, manage, and track training content) developed by Digital Knowledge and widely deployed in Japan. The root cause is a hard-coded ASP.NET machineKey (the cryptographic secret ASP.NET uses to sign and optionally encrypt ViewState, forms-authentication tickets and similar tokens) shared identically across all KnowledgeDeliver installations. An attacker who knows this key — which Mandiant identified and which is now publicly documented — can forge malicious ViewState payloads that the server will deserialize and execute as code, achieving unauthenticated remote code execution on any KnowledgeDeliver deployment prior to the February 24, 2026 patch. The threat actor exploited this access to inject malicious code into the LMS platform with the goal of infecting students and staff visiting the compromised site.
// 01 CVE-2026-5426: Technical Details
CVE-2026-5426 exploits the ASP.NET ViewState mechanism (ViewState — a feature of ASP.NET web applications that serializes the state of web form fields into a hidden parameter in the HTML page, so the server can reconstruct the form's state on the next request). ASP.NET uses the machineKey to sign and optionally encrypt ViewState data, preventing clients from tampering with it. If the machineKey is secret and unique per installation, this protection is effective.
Digital Knowledge shipped KnowledgeDeliver with a static, hard-coded machineKey value that was identical across every installation. This means any party who obtains the key — through reverse engineering the software, reviewing a leaked configuration, or reading published security research — can generate ViewState payloads that will pass ASP.NET's cryptographic validation.
The attack flow proceeds as follows: the attacker crafts a malicious serialized .NET object graph (a gadget chain), computes the ViewState MAC over it with the known machineKey, and submits the result as the __VIEWSTATE parameter in a POST request to any KnowledgeDeliver page that processes ViewState. The ASP.NET runtime validates the signature (which passes because the attacker used the correct key) and deserializes the object graph, and the gadget chain executes attacker-controlled code during deserialization: typically a web shell drop, a reverse shell, or a command that downloads additional payloads. No authentication is required at any step. Two details matter for defenders. First, ASP.NET has enforced the ViewState MAC regardless of the enableViewStateMac setting since 2014, so the secrecy of the key is the only control standing between an anonymous visitor and code execution. Second, on .NET 4.5 and later the MAC also binds the target page (the __VIEWSTATEGENERATOR value or the page path), so a payload must be generated for a specific page, but this adds no secrecy because those values are visible in the page's own HTML; exploitation tooling simply takes them as parameters. Enabling ViewState encryption does not help either when the decryptionKey ships in the same hard-coded element.
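To make the key-sharing failure concrete, here is an added example for this article (not code from Mandiant, Digital Knowledge or the KnowledgeDeliver product) that models the server-side MAC check in Python. It uses the simplified legacy form of the ASP.NET scheme, base64(payload || HMAC(validationKey, payload)); .NET 4.5 and later derive a per-purpose subkey and bind the page, but whoever holds the validationKey can still mint a token the server accepts, which is the property shown. VENDOR_WIDE_KEY is a zero-filled placeholder, not the real KnowledgeDeliver key, and the payload is an inert byte string standing in for a serialized gadget chain; no gadget chain is included.

```python
"""
Toy model of the shared-machineKey failure behind CVE-2026-5426.
Added example for this article; it is not code from Mandiant, Digital
Knowledge or KnowledgeDeliver. Assumptions: the MAC is the simplified
legacy ASP.NET form base64(payload || HMAC(validationKey, payload)), the
vendor-wide key is a zero-filled placeholder rather than the real value,
and the payload is an inert stand-in for a serialized object graph.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # HMACSHA256 tag appended to the ViewState

# Placeholder for a key baked into every installation's web.config (assumption).
VENDOR_WIDE_KEY = bytes(64)


def mac_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Produce a __VIEWSTATE value: serialized payload plus HMAC, base64-encoded."""
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes) -> Optional[bytes]:
    """Server side: check the MAC before anything is deserialized.

    Returns the payload on success and None on failure (ASP.NET would raise a
    ViewStateException and answer HTTP 500 instead of deserializing).
    """
    raw = base64.b64decode(token)
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload  # only a MAC-valid payload reaches ObjectStateFormatter


def server_accepts(server_key: bytes, attacker_key: bytes) -> bool:
    """Does a token minted with attacker_key pass validation on a server using server_key?"""
    forged = mac_viewstate(b"<stand-in for a serialized gadget chain>", attacker_key)
    return verify_viewstate(forged, server_key) is not None


def shared_key_scenario() -> bool:
    """Every install uses VENDOR_WIDE_KEY; the attacker read it from any one copy."""
    return server_accepts(server_key=VENDOR_WIDE_KEY, attacker_key=VENDOR_WIDE_KEY)


def unique_key_scenario() -> bool:
    """This install generated its own key at setup; the attacker still only has the shared one."""
    return server_accepts(server_key=secrets.token_bytes(64), attacker_key=VENDOR_WIDE_KEY)


def tampered_token_rejected(validation_key: bytes) -> bool:
    """Even with the right key, flipping one payload bit must fail the MAC."""
    token = mac_viewstate(b"legitimate form state", validation_key)
    raw = bytearray(base64.b64decode(token))
    raw[0] ^= 0x01
    altered = base64.b64encode(bytes(raw)).decode("ascii")
    return verify_viewstate(altered, validation_key) is None


if __name__ == "__main__":
    print("shared key, forged token accepted:", shared_key_scenario())  # True
    print("unique key, forged token accepted:", unique_key_scenario())  # False
    print("tampering detected:", tampered_token_rejected(secrets.token_bytes(64)))  # True
```

The point of the last function is that the MAC is doing its job in both scenarios; the scheme is sound against tampering, and it fails only because the signer's key was handed to everyone.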
The CVE was published on April 16, 2026. Digital Knowledge released a patched version on February 24, 2026 — before the public CVE disclosure — that generates a unique machineKey per installation during setup, eliminating the shared-secret vulnerability. All KnowledgeDeliver installations deployed or updated before February 24, 2026 remain vulnerable unless the machineKey has been changed manually.
The SentinelOne vulnerability database entry for CVE-2026-5426 confirms the remote code execution classification. A specific CVSS v3.1 score had not been published in all sources as of this writing, but the combination of network accessibility, low attack complexity, no authentication, no user interaction, and full code execution impact corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which scores 9.8, firmly in the Critical range under any standard scoring methodology.
// 02 Exploitation Status and Threat Landscape
Mandiant's incident response blog post documents a confirmed real-world compromise in late 2025 where an unknown threat actor used CVE-2026-5426 to gain persistent access to a KnowledgeDeliver-powered LMS server. The attacker's objective extended beyond the server itself: after establishing access via ViewState deserialization, the threat actor modified the LMS platform to inject malicious JavaScript into pages served to legitimate users — turning the compromised LMS into a watering hole (a watering hole attack — a strategy where attackers compromise a website frequented by their intended targets, rather than attacking those targets directly, to infect visitors passively).
This attack pattern is particularly concerning in an LMS context. Students, faculty, and employees who access a compromised KnowledgeDeliver portal may receive malicious JavaScript that attempts to exploit their browsers, steal credentials, or deliver endpoint malware — and they have no reason to distrust a site their institution operates.
The ViewState deserialization technique is well understood and has tooling support. Publicly available tools such as ysoserial.NET (a security testing utility that generates deserialization gadget chains for .NET frameworks) can generate working exploit payloads for this vulnerability class once the machineKey is known. The public disclosure of CVE-2026-5426 means that the machineKey value is likely now known to threat actors monitoring security research publications.
// 03 Who Is Affected
KnowledgeDeliver is developed by Digital Knowledge and is primarily deployed by Japanese universities and corporate training departments. However, the LMS also has international customers. All installations deployed before February 24, 2026 that have not changed the machineKey configuration are affected, regardless of the KnowledgeDeliver version number running.
Institutions that rely on KnowledgeDeliver for:
- University course delivery and student portals
- Corporate compliance and employee training
- Government agency training platforms
…should treat this as a critical finding and verify their deployment date and current machineKey configuration.
// 04 What You Should Do Right Now
- Update to the February 24, 2026 or later version of KnowledgeDeliver. Contact Digital Knowledge for the patched release. The patch generates a unique machineKey per installation, preventing exploitation.
- Manually rotate the machineKey if you cannot update immediately. Open the application's web.config file, locate the <machineKey> element, and replace it with freshly generated values (check machine.config and any site-level web.config as well, since a key defined there is inherited by the application unless overridden). Microsoft provides instructions for generating a strong machineKey. Changing the key will invalidate all existing sessions and forms-authentication tickets, requiring users to log in again; this is an acceptable temporary disruption given the risk.
- Check for signs of web shell or backdoor deployment. Scan the web root and application directories for recently created or modified files with .aspx, .ashx, or .php extensions that you did not place there. Pay particular attention to files in upload directories or locations accessible without authentication.
- Review IIS access logs for ViewState exploitation attempts. IIS W3C logs record the request line and query string but not the POST body, so the __VIEWSTATE value itself does not appear in them; look instead for POST requests to KnowledgeDeliver .aspx pages with unusually large request sizes (exploit payloads are typically far larger than legitimate ViewState data, and the optional cs-bytes field records this) and for HTTP 500 responses to such requests, which gadget-chain payloads commonly trigger after executing. Where request bodies are captured, for example by a WAF, a reverse proxy or a packet capture, inspect base64-encoded __VIEWSTATE values for known gadget-chain markers.
- Check for outbound connections from the web server. If exploited, the attacker likely established a reverse shell or downloaded secondary payloads. Outbound connections from the IIS application pool worker process (w3wp.exe) to unexpected destinations are a strong indicator of compromise.
- Audit JavaScript served to users. If you suspect your KnowledgeDeliver instance was compromised, verify that the JavaScript files and inline scripts served to end users match your authorized application code. Use a known-good backup as a comparison baseline.
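As an added example for the rotation step (not Digital Knowledge's tooling or the patch itself), the Python below rewrites the <machineKey> element of a constructed sample web.config with fresh random key material. The key values in SAMPLE_WEB_CONFIG are made-up placeholders, not the KnowledgeDeliver key, and the sizes assume the HMACSHA256/AES combination: 64 bytes of validationKey and 32 bytes of decryptionKey, the same shape IIS Manager's key generator emits.

```python
"""
Rotate the ASP.NET <machineKey> in an application web.config.
Added example for this article, not code from Digital Knowledge or
KnowledgeDeliver. The sample config below is constructed and its key
values are placeholders; key sizes follow the HMACSHA256/AES-256 pairing.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample: an application whose key was copied from a shared image.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def generate_machine_key() -> Dict[str, str]:
    """Fresh, random per-installation key material in the attribute format web.config expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),  # 128 hex chars = 64 bytes for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),  # 64 hex chars = 32 bytes for AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def current_machine_key(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the explicit <machineKey> attributes, or None if none is set at this level."""
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    return dict(mk.attrib) if mk is not None else None


def rotate_machine_key(config_xml: str, new_key: Optional[Dict[str, str]] = None) -> str:
    """Replace (or add) the application-level <machineKey> and return the rewritten XML.

    An application-level element overrides a key inherited from machine.config or a
    site-level web.config (unless the parent locks it with allowOverride="false"),
    so adding one here is enough even when the shared key lives higher up.
    """
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()  # drop stale attributes such as validation="SHA1"
    mk.attrib.update(new_key or generate_machine_key())
    return ET.tostring(root, encoding="unicode")


def rotation_changes_key(config_xml: str) -> bool:
    """Sanity check: the rotated file carries a different validationKey of the expected size."""
    before = current_machine_key(config_xml)
    after = current_machine_key(rotate_machine_key(config_xml))
    return (
        after is not None
        and len(after["validationKey"]) == 128
        and len(after["decryptionKey"]) == 64
        and (before is None or after["validationKey"] != before["validationKey"])
    )


if __name__ == "__main__":
    print("before:", current_machine_key(SAMPLE_WEB_CONFIG))
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
    print("rotation changed the key:", rotation_changes_key(SAMPLE_WEB_CONFIG))  # True
```

ET.tostring drops the XML declaration and comments, so in practice you would apply the generated element to the real file with an editor or a targeted text replacement and keep a backup; the value of the script is the check at the end, which you can run against every deployed instance to confirm no two share a validationKey.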
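For the log-review step, here is an added example (not Mandiant's detection content) that parses constructed IIS W3C log lines and flags POST requests to .aspx pages that are either unusually large or answered with HTTP 500. It assumes the optional cs-bytes field is enabled in IIS logging, which it is not by default, and the 8 KiB threshold is a tuning assumption to baseline against your own traffic.

```python
"""
Triage IIS W3C logs for ViewState-exploitation candidates.
Added example for this article, not Mandiant's detection logic. Assumptions:
the log lines are constructed, the optional cs-bytes field is enabled, and the
size threshold is a local tuning choice. IIS does not log POST bodies, so the
__VIEWSTATE value itself is never in these logs; the observable side effects
are request size and the HTTP 500 that gadget-chain payloads typically provoke.
"""
from typing import Dict, Iterable, Iterator, List

# Constructed sample log; 198.51.100.77 plays the attacker, 203.0.113.10 a normal user.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-11-03 01:00:00
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status cs-bytes time-taken
2025-11-03 01:12:07 GET /Login.aspx - 203.0.113.10 200 412 15
2025-11-03 01:12:09 POST /Login.aspx - 203.0.113.10 302 1874 48
2025-11-03 01:14:22 POST /Login.aspx - 198.51.100.77 500 28911 1207
2025-11-03 01:14:25 POST /Login.aspx - 198.51.100.77 200 27304 980
2025-11-03 01:15:01 GET /Content/site.js - 203.0.113.10 200 301 3
2025-11-03 01:16:40 POST /Upload.ashx - 203.0.113.10 200 3120 60
"""

LARGE_POST_BYTES = 8 * 1024  # tuning assumption; baseline against your own normal POST sizes


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, using the column names from the #Fields: directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file; honour the latest one
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def _as_int(value: str) -> int:
    return int(value) if value.isdigit() else 0  # W3C logs use '-' for missing values


def is_suspicious(rec: Dict[str, str], large_post_bytes: int = LARGE_POST_BYTES) -> bool:
    """POST to a WebForms page that is oversized or blew up with a 500."""
    if rec.get("cs-method") != "POST":
        return False
    if not rec.get("cs-uri-stem", "").lower().endswith(".aspx"):
        return False  # only WebForms pages process __VIEWSTATE; handlers such as .ashx do not
    large = _as_int(rec.get("cs-bytes", "-")) >= large_post_bytes
    server_error = rec.get("sc-status") == "500"
    return large or server_error


def triage(log_text: str) -> List[Dict[str, str]]:
    return [rec for rec in parse_w3c(log_text.splitlines()) if is_suspicious(rec)]


def by_client(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address to surface the noisy client."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["c-ip"]] = counts.get(rec["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rec in hits:
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"], rec["cs-bytes"])
    print(by_client(hits))  # {'198.51.100.77': 2}
```

Two follow-ups make this more than a size heuristic. Pair each hit with the Application event log on the same host, since a gadget chain that throws after executing leaves an ASP.NET unhandled-exception event at the same timestamp. And once the machineKey has been rotated, any attacker still replaying payloads minted with the old key fails the MAC, which ASP.NET records as a "Viewstate verification failed" warning (event ID 1316); after rotation those events are a clean signal of who is still trying.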
// 05 Background: Understanding the Risk
Hard-coded cryptographic keys in commercial software are a persistent and serious vulnerability class. The machineKey in ASP.NET serves as the root of trust for the entire ViewState security model: if it is known to an attacker, every application using that key is fully compromised from a deserialization perspective. Shipping identical keys across all installations is effectively the same as shipping with no key — the theoretical protection of cryptographic signing disappears entirely.
This is not the first time shared machineKeys have been exploited at scale. In 2020, security researchers documented that Microsoft's own documentation inadvertently included example machineKey values that were copied verbatim into production web.config files by developers. Those shared keys were subsequently exploited in the wild. CVE-2026-5426 follows the same pattern: a vendor ships a static key as if it were an ordinary configuration default rather than a per-deployment secret, and once the value is known the signing check it underpins is trivially bypassed.
The targeting of an LMS platform is strategically significant. LMS platforms are accessed by large numbers of end users — often thousands of students or employees per institution — on a regular basis. A successful watering hole attack against an LMS can deliver malware to a broad population without requiring individual targeting. Academic institutions frequently have less mature security postures than equivalent-sized enterprises, making KnowledgeDeliver deployments at universities a particularly attractive target.
Mandiant's original incident response report provides full technical details including the attack timeline, the initial access vector, and the post-exploitation techniques used in the confirmed incident.
// 06 Conclusion
CVE-2026-5426 gives any attacker who reads the published research unauthenticated remote code execution on every unpatched KnowledgeDeliver installation worldwide. Organizations running KnowledgeDeliver must either apply the February 24, 2026 patch (which generates a unique machineKey per installation) or manually rotate the machineKey immediately — and audit their deployments for signs of the watering-hole compromise pattern Mandiant documented.
For any query contact us at contact@cipherssecurity.com
