Threat actors exploited a KnowledgeDeliver zero-day vulnerability to deploy web shells and backdoors, Google-owned Mandiant reports.

A learning management system (LMS) built by Digital Knowledge, KnowledgeDeliver is widely used for enterprise and educational e-learning, mainly in Japan.

The exploited zero-day, tracked as CVE-2026-5426 (CVSS score of 7.5), existed because Digital Knowledge deployments used a standardized ‘web.config’ file that contained hardcoded ‘machineKey’ values. These keys are used by the ASP.NET framework for data encryption and signing.

The presence of the hardcoded values across independent installations allowed threat actors with knowledge of the keys to compromise other deployments by mounting ViewState deserialization attacks.
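
A defender can check for this condition by auditing collected `web.config` files for explicitly set `machineKey` values and for the same key appearing on more than one installation. The sketch below is an added example, not code from Mandiant or Digital Knowledge; the file paths, key values and function names are constructed for illustration, and keys are reported only as truncated SHA-256 fingerprints.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs; key values are made-up placeholders, not real keys.
_VENDOR_TEMPLATE = """<configuration><system.web>
  <machineKey validationKey="AAAA1111BBBB2222" decryptionKey="CCCC3333DDDD4444"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
SAMPLES = {
    "site-a/web.config": _VENDOR_TEMPLATE,  # two installs sharing one template
    "site-b/web.config": _VENDOR_TEMPLATE,
    "site-c/web.config": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
</system.web></configuration>""",
    "site-d/web.config": "<configuration><system.web /></configuration>",
}

def static_key_fingerprints(xml_text):
    """Return {attribute: fingerprint} for explicitly set (non-AutoGenerate) keys."""
    found = {}
    # iter() also reaches machineKey elements nested under <location> blocks.
    for mk in ET.fromstring(xml_text).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate").strip()
            if not value.lower().startswith("autogenerate"):
                # Hash the value so the report never echoes key material.
                found[attr] = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
    return found

def audit(configs):
    """Return (static, shared): paths with static keys, fingerprints seen on >1 path."""
    static, by_fp = {}, defaultdict(set)
    for path, text in configs.items():
        fps = static_key_fingerprints(text)
        if fps:
            static[path] = fps
        for fp in fps.values():
            by_fp[fp].add(path)
    shared = {fp: sorted(paths) for fp, paths in by_fp.items() if len(paths) > 1}
    return static, shared

if __name__ == "__main__":
    static, shared = audit(SAMPLES)
    for path in sorted(static):
        print(f"[static machineKey] {path}: {sorted(static[path])}")
    for fp, paths in shared.items():
        print(f"[key {fp} reused] {', '.join(paths)}")
```

Any path in the "reused" output shares signing or encryption keys with another installation and should have its keys regenerated per deployment.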

“The ASP.NET ViewState persists page state across postbacks. When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request, the threat actor can make the server deserialize it,” Mandiant explains.