Ethical Hacking News
In a recent security incident, an unknown threat actor exploited a critical vulnerability in KnowledgeDeliver, a popular Learning Management System (LMS) used by organizations in Japan. The attack highlighted the severe risks of using identical pre-shared ASP.NET machine keys across independent customer deployments. Organizations are advised to rotate their machine keys immediately and restrict access to the LMS to known organizational IP address ranges.
The exploitation of KnowledgeDeliver's LMS exposed a critical vulnerability in using shared machine keys across multiple customer deployments. A zero-day vulnerability was identified, allowing threat actors to access and compromise other instances with identical pre-shared ASP.NET machine keys. Threat actors deployed a .NET-based in-memory web shell called BLUEBEAM to maintain presence and expand impact on the compromised server. File tampering was used to load and execute malicious code, allowing persistence on the compromised server. Organizations are advised to rotate machine keys immediately and restrict access to the LMS to known IP address ranges.
The recent exploitation of the KnowledgeDeliver Learning Management System (LMS) by an unknown threat actor has shed light on a critical vulnerability in the use of shared machine keys across multiple customer deployments. The attack, which was initially reported as a zero-day, has highlighted the severe risks of using identical pre-shared ASP.NET machine keys across independent customer environments.
KnowledgeDeliver is a popular LMS developed by Digital Knowledge and commonly used in Japan, and its widespread adoption has made it an attractive target for threat actors seeking to exploit vulnerabilities in web applications. The vulnerability exploited in this attack stems from the standardized web.config files provided by the vendor, which contain hardcoded machineKey values that the ASP.NET framework uses to encrypt and sign data, including ViewState payloads.
The compromised web server running KnowledgeDeliver was found to use the same pre-shared ASP.NET machine keys as multiple other customer deployments. This allowed a threat actor who obtained the keys from one deployment to compromise any other internet-facing KnowledgeDeliver instance. The vulnerability was initially reported as CVE-2026-5426 and has been identified as a zero-day vulnerability.
Once access was established, the threat actors focused on maintaining their presence and expanding the impact of the compromise. They deployed a .NET-based in-memory web shell called BLUEBEAM, which operates entirely within the IIS worker process (w3wp.exe), making it difficult to detect through traditional file-based scanning. The use of BLUEBEAM is consistent with Microsoft reporting.
The threat actor was also observed executing commands to extend their control over the web server's file system. File tampering was a notable aspect of this attack: the threat actor used the LoadLibrary function to load and execute malicious code in the context of the w3wp.exe process, which allowed them to maintain persistence on the compromised server.
The exploitation of KnowledgeDeliver via a ViewState deserialization vulnerability is a critical example of the severe risks associated with using shared secrets in deployment templates. A single leaked key can compromise an entire ecosystem of installations, which underlines the importance of generating unique, secure machine keys for every deployment.
In response to this vulnerability, organizations are advised to rotate their machine keys immediately and restrict access to the LMS to known organizational IP address ranges. Organizations are also advised to hunt for signs of exploitation and to conduct a thorough investigation if any indicators of compromise (IOCs) are identified.
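To support the key-rotation advice above, here is an added example that is not code from the article or from Digital Knowledge: a small Python audit that parses web.config files, flags deployments whose hardcoded machineKey values are identical, and emits a fresh, unique machineKey element to paste in their place. The file paths and key values in the sample are constructed for illustration.

```python
# Added example (not from the original article or the vendor): audit ASP.NET web.config
# files for hardcoded <machineKey> values shared across deployments and mint a unique one.
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: two "tenants" shipped with the same template, one uses AutoGenerate.
SAMPLE_CONFIGS = {
    "tenant-a/web.config": '<configuration><system.web><machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="SHA1" decryption="AES"/></system.web></configuration>',
    "tenant-b/web.config": '<configuration><system.web><machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="SHA1" decryption="AES"/></system.web></configuration>',
    "tenant-c/web.config": '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>',
}

def extract_machine_key(xml_text):
    """Return the machineKey attributes, or None if absent or auto-generated (not a risk)."""
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return None
    attrs = dict(mk.attrib)
    if (attrs.get("validationKey", "").startswith("AutoGenerate")
            and attrs.get("decryptionKey", "").startswith("AutoGenerate")):
        return None
    return attrs

def key_fingerprint(attrs):
    """Hash the key material so a report can be shared without exposing the secret."""
    material = attrs.get("validationKey", "") + "|" + attrs.get("decryptionKey", "")
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def find_shared_keys(configs):
    """Group config paths by key fingerprint; return only groups shared by >1 deployment."""
    groups = {}
    for path, text in configs.items():
        attrs = extract_machine_key(text)
        if attrs is not None:
            groups.setdefault(key_fingerprint(attrs), []).append(path)
    return {fp: paths for fp, paths in groups.items() if len(paths) > 1}

def new_machine_key_element():
    """Build a unique <machineKey>: 64-byte HMACSHA256 validation key, 32-byte AES key."""
    validation_key = secrets.token_hex(64).upper()
    decryption_key = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            f'validation="HMACSHA256" decryption="AES" />')

if __name__ == "__main__":
    for fp, paths in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"shared machineKey {fp} found in: {', '.join(paths)}")
    print("replacement element:", new_machine_key_element())
```

Run it against the real web.config of every deployment you operate; any fingerprint that appears more than once is a key that must be rotated, and each deployment should receive its own freshly generated element.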
The knowledge gained from this attack will help organizations defend against deserialization attacks in the future. By implementing unique secrets and robust endpoint monitoring, organizations can mitigate the risks associated with shared machine keys.
Related Information:
https://www.ethicalhackingnews.com/articles/The-KnowledgeDeliver-Web-Shell-Attack-A-Comprehensive-Analysis-of-the-Exploitation-of-ASPNET-ViewState-Vulnerability-ehn.shtml
https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2026-5426
https://www.cvedetails.com/cve/CVE-2026-5426/
Published: Mon May 25 00:37:03 2026 by llama3.2 3B Q4_K_M