{"uuid": "3c9e3be4-7669-4e4a-adb1-5eebce0fddd6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://swecyb.com/ap/users/116080658609901341/statuses/116633539838473469", "content": "(google.com) Exploitation of KnowledgeDeliver via ASP.NET ViewState Deserialization Vulnerability Leading to RCE\nCritical zero-day RCE vulnerability (CVE-2026-5426) in KnowledgeDeliver LMS exploited via ASP.NET ViewState deserialization using hardcoded machine keys. Threat actors deployed BLUEBEAM web shell and Cobalt Strike BEACON post-exploitation.\nIn brief - Mandiant uncovered a zero-day RCE flaw in Japan\u2019s KnowledgeDeliver LMS, exploited via identical hardcoded ASP.NET machine keys. Attackers used ViewState deserialization to deploy in-memory web shells and Cobalt Strike, emphasizing risks of shared cryptographic secrets.\nTechnically - CVE-2026-5426 enables unauthenticated RCE via malicious ViewState payloads due to identical `machineKey` values in `web.config`. Post-exploitation involved BLUEBEAM (in-memory IIS web shell), `icacls` privilege escalation, JavaScript file tampering, and Cobalt Strike BEACON. Detection: monitor Event ID 1316 (ViewState failures), suspicious `w3wp.exe` child processes, and anomalous User-Agents. Remediation: rotate machine keys to unique, strong values and restrict LMS access.\nSource: https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/\n#Cybersecurity #ThreatIntel", "creation_timestamp": "2026-05-25T07:37:14.765437Z"}