Skip to content
.ca
sign in
6 mincritical

Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability

A critical ViewState deserialization vulnerability (CVE-2026-5426) in the KnowledgeDeliver LMS allows unauthenticated remote code execution due to shared ASP.NET machine keys across deployments. Threat actors are actively exploiting this flaw to deploy the BLUEBEAM in-memory web shell and modify application JavaScript, ultimately distributing targeted Cobalt Strike BEACON payloads to end-users visiting the compromised sites.

Sens:ImmediateConf:highAnalyzed:2026-05-25Google

Authors: Takahiro Sugiyama, Peter Revelant, Mathew Potaczek

ActorsBLUEBEAMGodzillaCobalt Strike BEACON
CVE-2026-5426KnowledgeDeliverCobalt StrikeViewState DeserializationBLUEBEAM

Source:Mandiant

IOCs · 2

Detection / HunterGoogle

What Happened

A popular learning management system called KnowledgeDeliver has a critical security flaw that allows hackers to take control of the server. The attackers use this access to secretly alter the website's code, showing fake security alerts to people visiting the site. If users click these alerts, their computers get infected with malicious software. Organizations using this system need to immediately update their security keys and check for signs of a breach. Users should be cautious of unexpected pop-ups asking them to install security plugins.

Key Takeaways

  • KnowledgeDeliver LMS installations deployed before Feb 24, 2026, are vulnerable to RCE (CVE-2026-5426) due to hardcoded ASP.NET machine keys.
  • Threat actors exploit this vulnerability to deploy the in-memory BLUEBEAM (Godzilla) web shell within the IIS worker process.
  • Post-exploitation involves modifying application JavaScript to serve fake security alerts to end-users.
  • Users who click the fake alerts download an installer that infects their workstations with a targeted Cobalt Strike BEACON backdoor.
  • Detection relies heavily on monitoring ASP.NET Event ID 1316 for ViewState integrity failures and tracking suspicious child processes of w3wp.exe.

Affected Systems

  • KnowledgeDeliver LMS installations deployed before Feb. 24, 2026
  • ASP.NET web applications utilizing the default vendor-provided web.config

Vulnerabilities (CVEs)

  • CVE-2026-5426

Attack Chain

The attacker exploits CVE-2026-5426 by sending a malicious ViewState payload to a vulnerable KnowledgeDeliver instance, achieving remote code execution. They then deploy the BLUEBEAM in-memory web shell within the IIS worker process (w3wp.exe) to maintain access. Using this access, the attacker modifies file permissions and injects malicious JavaScript into the web application to serve fake security alerts to visitors. When users click these alerts, they download a fake installer that infects their workstations with a Cobalt Strike BEACON backdoor.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Google Security Operations (SecOps)

The article provides Google SecOps (YARA-L) search queries to identify Event ID 1316 (ViewState verification failures) and suspicious child processes spawned by w3wp.exe.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can effectively monitor child processes of w3wp.exe (like cmd.exe, whoami, powershell.exe) and track file modifications in the web root. Network Visibility: Medium — Network monitoring can detect anomalous concatenated User-Agent strings and potentially the download of Cobalt Strike payloads, though the initial ViewState payload and BLUEBEAM C2 traffic are likely encrypted. Detection Difficulty: Moderate — While the in-memory BLUEBEAM web shell evades traditional file scanning, the resulting process executions (w3wp.exe spawning cmd.exe) and specific ASP.NET Event ID 1316 errors provide reliable detection opportunities.

Required Log Sources

  • Windows Application Event Logs (Event ID 1316)
  • Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
  • Web Server Access Logs (IIS)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Consider hunting for ASP.NET Event ID 1316 in the Windows Application log with Event code 4009, which may indicate attempted or successful ViewState deserialization attacks.Windows Application Event LogsInitial AccessLow to Medium (Some legitimate application errors might cause ViewState integrity failures, but spikes or specific payload patterns are highly suspicious)
If you have visibility into process ancestry, consider hunting for the IIS worker process (w3wp.exe) spawning suspicious child processes such as cmd.exe, powershell.exe, or whoami.Process Creation Logs (EDR/Sysmon)ExecutionLow (w3wp.exe should rarely spawn interactive command shells in a production environment)
Consider hunting for anomalous, concatenated User-Agent strings in web access logs, which may indicate automated exploitation tools targeting ViewState vulnerabilities.Web Server Access LogsInitial AccessLow (Legitimate browsers do not typically concatenate multiple distinct User-Agent strings)

Control Gaps

  • Lack of unique cryptographic keys across deployments
  • Insufficient File Integrity Monitoring on web roots

Key Behavioral Indicators

  • Anomalous concatenated User-Agent strings in web access logs (e.g., two distinct browser UAs combined).
  • w3wp.exe spawning cmd.exe, powershell.exe, or whoami.
  • Unexpected modifications to .js, .aspx, or .config files in the web root.
  • Use of icacls to grant 'Everyone' full access to web directories.

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Immediately generate and apply a unique, cryptographically strong machine key for each KnowledgeDeliver instance to invalidate the shared secret.
  • Review Windows Application logs for Event ID 1316 (Event code 4009) to identify potential exploitation attempts.
  • Inspect the web root for unauthorized modifications to .js, .aspx, and .config files.

Infrastructure Hardening

  • Consider restricting access to the KnowledgeDeliver LMS to known organizational IP address ranges where feasible.
  • Implement File Integrity Monitoring (FIM) on critical web application directories to detect unauthorized tampering.
  • Ensure web application directories operate with the principle of least privilege, preventing the IIS worker process from modifying its own executable files or scripts.

User Protection

  • If your EDR supports it, ensure behavioral rules are enabled to detect suspicious child processes spawned by web server processes.
  • Deploy endpoint protection capable of detecting and blocking Cobalt Strike BEACON executions.

Security Awareness

  • Educate users to be wary of unexpected prompts to install 'security authentication plugins' or similar software while browsing internal or external applications.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1505.003 - Server Software Component: Web Shell
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  • T1189 - Drive-by Compromise

Additional IOCs

  • Command Lines:
    • Purpose: Modify web application directory permissions to grant full access to Everyone | Tools: icacls | Stage: Persistence / Defense Evasion | icacls
    • Purpose: Execute reconnaissance and follow-on commands via the deployed web shell | Tools: cmd.exe, whoami, powershell.exe | Stage: Execution | cmd.exe /c

Related