Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Vulnerability in KnowledgeDeliver LMS Exploited for Web Shell Deployment

Vulnerability in KnowledgeDeliver LMS Exploited for Web Shell Deployment

Posted on May 25, 2026 By CWS

A newly uncovered vulnerability in the KnowledgeDeliver Learning Management System (LMS) has been leveraged by attackers to deploy the BLUEBEAM web shell. This discovery came from Mandiant’s incident response team, which highlighted the active exploitation of this flaw.

Details of the CVE-2026-5426 Vulnerability

The vulnerability, identified as CVE-2026-5426, permits unauthenticated remote code execution (RCE) on systems with default ASP.NET settings, existing prior to February 24, 2026. KnowledgeDeliver, a platform developed by Digital Knowledge in Japan, is widely used in corporate and educational settings. An investigation into a 2025 security breach revealed that the vulnerability originated from weak cryptographic practices, specifically the reuse of ASP.NET machine keys across different installations.

Exploitation Method and Impact

Due to the hardcoded and shared nature of machineKey values, attackers could extract these keys from one instance and use them to create malicious ViewState payloads on others. This method allows for the delivery of a serialized payload via the __VIEWSTATE parameter in HTTP requests, forcing the server to deserialize untrusted data and enabling remote code execution.

This attack strategy is similar to previously recorded ViewState deserialization exploits, including those targeting Sitecore and others documented by Microsoft. The attackers used this access to deploy BLUEBEAM, a .NET-based web shell operating entirely in memory, which significantly reduces the likelihood of detection.

Further Exploitation Tactics and Defenses

Post-compromise, the attackers used icacls to modify file permissions, weakening security on the affected servers. Additionally, legitimate JavaScript files were altered to include malicious code that prompted users to install a fake security plugin, leading to further infections with the Cobalt Strike Beacon.

Detection is possible through careful monitoring of application logs for ASP.NET Event ID 1316 entries and process monitoring for unusual child processes from w3wp.exe. Network defenders should look out for abnormal User-Agent strings and file integrity issues, particularly in .js, .aspx, or .config files.

Preventive Measures and Recommended Actions

The most effective way to address this vulnerability is to immediately rotate ASP.NET machine keys to unique, secure values. Organizations should also restrict LMS access to trusted IP addresses and conduct thorough threat hunting to identify any signs of compromise.

The BLUEBEAM payload, known as “LoadLibrary.dll,” has been associated with a specific SHA-256 hash, serving as an indicator for potential compromise. This incident highlights the critical importance of secure configurations and the risks posed by shared secrets in software deployments.

Stay updated with more insights by following us on Google News, LinkedIn, and X.

Cyber Security News Tags:ASP.NET, BLUEBEAM, Cobalt Strike, CVE-2026-5426, Cybersecurity, deserialization attack, KnowledgeDeliver LMS, Malware, Mandiant, remote code execution, Security, Vulnerability, web shell

Post navigation

Previous Post: Weekly Cybersecurity Update: Major Breaches and Vulnerabilities
Next Post: Iranian Group Utilizes SEO Tactics for Malware Distribution

Related Posts

Turla’s Advanced Espionage Operations in Ukraine Uncovered Turla’s Advanced Espionage Operations in Ukraine Uncovered Cyber Security News
Critical WordPress Plugin Vulnerability Exposes 70,000+ Sites to RCE Attacks Critical WordPress Plugin Vulnerability Exposes 70,000+ Sites to RCE Attacks Cyber Security News
PLA Rapidly Deploys AI Technology Across Military Intelligence Operations PLA Rapidly Deploys AI Technology Across Military Intelligence Operations Cyber Security News
Fake RVTools Installer Exploits Certificate to Evade Security Fake RVTools Installer Exploits Certificate to Evade Security Cyber Security News
Lumma Infostealer Steal All Data Stored in Browsers and Selling Them in Underground Markets as Logs Lumma Infostealer Steal All Data Stored in Browsers and Selling Them in Underground Markets as Logs Cyber Security News
China’s Zhipu AI Matches U.S. Models in Cybersecurity China’s Zhipu AI Matches U.S. Models in Cybersecurity Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • GodDamn Ransomware Uses PoisonX to Evade Security
  • Critical Roundcube XSS Flaws Require Immediate Update
  • GigaWiper Malware: A New Threat to Windows Systems
  • AI Aids Hacker in Swift 72-Hour AWS Cloud Breach
  • Dormant GitHub Accounts Aid Corporate Reconnaissance

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • GodDamn Ransomware Uses PoisonX to Evade Security
  • Critical Roundcube XSS Flaws Require Immediate Update
  • GigaWiper Malware: A New Threat to Windows Systems
  • AI Aids Hacker in Swift 72-Hour AWS Cloud Breach
  • Dormant GitHub Accounts Aid Corporate Reconnaissance

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark