A newly uncovered vulnerability in the KnowledgeDeliver Learning Management System (LMS) has been exploited in the wild to deploy the BLUEBEAM web shell. The finding comes from Mandiant's incident response team, which identified the flaw during an investigation and reported that it was being actively exploited.
Details of the CVE-2026-5426 Vulnerability
The vulnerability, tracked as CVE-2026-5426, permits unauthenticated remote code execution (RCE) on installations running with default ASP.NET settings and affects KnowledgeDeliver releases predating February 24, 2026. KnowledgeDeliver, developed by Digital Knowledge in Japan, is widely used in corporate and educational settings. An investigation into a 2025 breach traced the flaw to a weak cryptographic practice: the same ASP.NET machineKey values were reused across different installations.
Exploitation Method and Impact
Because the machineKey values were hardcoded and identical across installations, an attacker who extracted them from any one instance could forge ViewState for every other instance. ASP.NET protects the __VIEWSTATE parameter with a MAC derived from the validationKey; a ViewState that carries an attacker-supplied serialized object and is signed with the leaked key passes that integrity check, so the server deserializes the untrusted data and attacker-controlled code runs inside the IIS worker process.
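The precondition for this attack is a static machineKey that several installations have in common. The script below, an added example written for this article and not code from Mandiant or from Digital Knowledge, audits a set of web.config files for exactly that: it flags any static (non-AutoGenerate) machineKey, groups hosts whose key pairs are byte-identical, and notes legacy algorithms. The host names and configs are constructed samples, and the key material in them is placeholder text, not any real key; keys are compared by SHA-256 fingerprint so the report never carries the raw secret.

```python
"""Audit ASP.NET web.config files for static and shared <machineKey> values.

Added example for this article (not vendor or Mandiant code). Configs below
are constructed samples; key values are placeholders, not real keys.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Placeholder key material with realistic sizes: 64-byte validationKey
# (128 hex chars) and 32-byte decryptionKey (64 hex chars).
SHARED_VALIDATION = "AB" * 64
SHARED_DECRYPTION = "CD" * 32


def _config(validation_key=None, decryption_key=None,
            validation="HMACSHA256", decryption="AES"):
    """Build a minimal web.config; with no keys, <machineKey> is omitted so
    ASP.NET falls back to its per-machine AutoGenerate default."""
    if validation_key is None:
        return ('<configuration><system.web><compilation debug="false"/>'
                '</system.web></configuration>')
    return ('<configuration><system.web>'
            f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" validation="{validation}" '
            f'decryption="{decryption}"/></system.web></configuration>')


# Constructed inventory: lms-a and lms-b ship the identical static key pair
# (the condition that lets a key taken from one host sign ViewState for the
# other); lms-c uses the auto-generated default; lms-d is static but unique.
SAMPLE_CONFIGS = {
    "lms-a.example.internal": _config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "lms-b.example.internal": _config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "lms-c.example.internal": _config(),
    "lms-d.example.internal": _config("EF" * 64, "01" * 32, validation="SHA1"),
}

WEAK_ALGORITHMS = {"MD5", "3DES", "DES"}


def parse_machine_key(xml_text):
    """Return the system.web/machineKey attributes, or None if absent.
    Keys set under <location> or in machine.config are out of scope here."""
    root = ET.fromstring(xml_text)
    elem = root.find("./system.web/machineKey")
    return None if elem is None else dict(elem.attrib)


def is_auto_generated(mk):
    """True when both keys are (or default to) 'AutoGenerate,IsolateApps'."""
    return all(mk.get(k, "AutoGenerate").startswith("AutoGenerate")
               for k in ("validationKey", "decryptionKey"))


def key_fingerprint(mk):
    """Short SHA-256 fingerprint of the key pair, safe to paste into a ticket."""
    material = f"{mk.get('validationKey', '')}|{mk.get('decryptionKey', '')}"
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def shared_key_groups(configs):
    """Map fingerprint -> sorted hosts, keeping only pairs seen on 2+ hosts."""
    groups = defaultdict(list)
    for host, xml_text in configs.items():
        mk = parse_machine_key(xml_text)
        if mk is None or is_auto_generated(mk):
            continue
        groups[key_fingerprint(mk)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def audit(configs):
    """Map each host to its findings; an empty list means nothing flagged."""
    shared = {h for hosts in shared_key_groups(configs).values() for h in hosts}
    findings = {}
    for host, xml_text in configs.items():
        issues = []
        mk = parse_machine_key(xml_text)
        if mk is not None and not is_auto_generated(mk):
            issues.append("static machineKey (must be unique per deployment)")
            if host in shared:
                issues.append("machineKey shared with another host")
            for attr in ("validation", "decryption"):
                if mk.get(attr, "").upper() in WEAK_ALGORITHMS:
                    issues.append(f"weak {attr} algorithm {mk[attr]}")
        findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit(SAMPLE_CONFIGS).items():
        print(f"{host}: {', '.join(issues) or 'ok'}")
```

A static key is not wrong in itself: nodes of one web farm must share a pair so that ViewState survives a load-balancer hop. What the audit is looking for is the same pair appearing on hosts that are not in the same farm, which is what a vendor-shipped default produces.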
The technique mirrors previously documented ViewState deserialization attacks, including those against Sitecore and others described by Microsoft. The attackers used the resulting access to deploy BLUEBEAM, a .NET-based web shell that runs entirely in memory, which sharply reduces the chance of detection by file-based scanning.
Further Exploitation Tactics and Defenses
After gaining access, the attackers ran icacls to loosen file permissions on the affected servers. They also modified legitimate JavaScript files served by the LMS, injecting code that prompted visitors to install a fake security plugin; users who complied were infected with Cobalt Strike Beacon.
Detection rests on two telemetry sources: Application-log entries with ASP.NET Event ID 1316, which is recorded when ViewState MAC verification fails, and process monitoring for unusual child processes of w3wp.exe, the IIS worker process. Note that 1316 fires only when the MAC does not verify, so a payload signed with the correct leaked key produces no such event; it mainly catches attackers probing with candidate keys, which is why the process telemetry matters. Defenders should also watch for abnormal User-Agent strings in web server logs and for integrity changes to .js, .aspx, and .config files.
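The two signals above can be turned into detection logic. The script below is an added example for this article, not Mandiant's tooling: it parses constructed Application-log records in the shape of an ASP.NET 1316 entry (event code 4009, with the "User host address" line that the request-information block carries) and flags source IPs whose verification failures cluster inside a short window, then scans constructed Sysmon-like process-creation records for w3wp.exe spawning anything other than the compilers ASP.NET legitimately launches. The record field names, host names, IP addresses (from the 203.0.113.0/24 documentation range) and command lines are all assumptions made for the sample.

```python
"""Detect ViewState-forgery activity from ASP.NET Event ID 1316 records and
from w3wp.exe child-process telemetry.

Added example for this article (not Mandiant code). Records below are
constructed; field names follow a simplified Sysmon-like shape.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


def _event(ts, ip, event_id=1316):
    """Constructed Application-log record mimicking the ASP.NET 1316 layout."""
    return {"EventID": event_id, "TimeCreated": ts, "Message": (
        "Event code: 4009\n"
        "Event message: Viewstate verification failed. Reason: The viewstate "
        "supplied failed integrity check.\n"
        "Request URL: https://lms.example.internal/Default.aspx\n"
        f"User host address: {ip}\n")}


SAMPLE_EVENTS = [
    # Three failures from one source in eight seconds: someone is testing keys.
    _event("2026-02-20T09:00:01", "203.0.113.10"),
    _event("2026-02-20T09:00:04", "203.0.113.10"),
    _event("2026-02-20T09:00:09", "203.0.113.10"),
    # One stale-page failure from a normal user: not a burst.
    _event("2026-02-20T09:30:00", "203.0.113.55"),
    # Three failures spread over four hours: below the burst threshold.
    _event("2026-02-20T08:00:00", "203.0.113.77"),
    _event("2026-02-20T10:00:00", "203.0.113.77"),
    _event("2026-02-20T12:00:00", "203.0.113.77"),
    # Unrelated ASP.NET event, ignored.
    _event("2026-02-20T09:00:02", "203.0.113.10", event_id=1309),
]

IP_RE = re.compile(r"User host address:\s*(\S+)")


def viewstate_failure_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {client_ip: total_failures} for sources with at least `threshold`
    1316 events inside any `window`. Single failures are normal (a page left
    open across a key rotation); rapid repeats suggest payload testing."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 1316:
            continue
        m = IP_RE.search(ev.get("Message", ""))
        if m:
            by_ip[m.group(1)].append(datetime.fromisoformat(ev["TimeCreated"]))
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[ip] = len(times)
                break
    return bursts


# Constructed process-creation records (Sysmon Event 1 style field names).
SAMPLE_PROCS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c icacls C:\inetpub\wwwroot\lms /grant Everyone:(OI)(CI)F /T"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig ..."},           # normal page compile
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                           # not from w3wp
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Temp\updater.exe",
     "CommandLine": r"C:\Windows\Temp\updater.exe"},     # unknown binary
]

# w3wp.exe legitimately spawns these for dynamic ASP.NET compilation.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe"}
KNOWN_BAD_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "icacls.exe",
                      "whoami.exe", "certutil.exe", "rundll32.exe", "net.exe"}


def suspicious_w3wp_children(procs):
    """Every non-compiler child of w3wp.exe, tagged known-bad or unexpected."""
    hits = []
    for p in procs:
        parent = PureWindowsPath(p.get("ParentImage", "")).name.lower()
        child = PureWindowsPath(p.get("Image", "")).name.lower()
        if parent != "w3wp.exe" or child in EXPECTED_CHILDREN:
            continue
        severity = "known-bad" if child in KNOWN_BAD_CHILDREN else "unexpected"
        hits.append({"child": child, "severity": severity,
                     "cmdline": p.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    print(viewstate_failure_bursts(SAMPLE_EVENTS))
    for h in suspicious_w3wp_children(SAMPLE_PROCS):
        print(h["severity"], h["child"], h["cmdline"])
```

Tune the window and threshold to the site's own baseline of 1316 noise, and treat any "unexpected" child of w3wp.exe as worth a look even when it is not in the known-bad set; an in-memory web shell only becomes visible at the moment it spawns something.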
Preventive Measures and Recommended Actions
The most effective remediation is to rotate the ASP.NET machine keys immediately, so that every installation carries its own unique validationKey and decryptionKey (or the ASP.NET defaults that auto-generate them) rather than the values shipped with the product. Organizations should also restrict LMS access to trusted IP ranges and hunt for indicators of compromise, since rotating keys blocks new forgeries but does not undo an existing intrusion.
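Rotation in practice means generating fresh key material from a CSPRNG and writing it into system.web/machineKey. The script below is an added example for this article, not vendor tooling: it produces a new key pair at the sizes the IIS Machine Key generator uses (a 64-byte validationKey for the HMAC-SHA2 family and a 32-byte decryptionKey for AES) and replaces, or adds, the element in a web.config. The sample web.config and its placeholder key are constructed. It assumes a single-node deployment; nodes of one web farm must share a pair generated once and distributed securely.

```python
"""Generate per-installation ASP.NET machineKey material and rotate it into a
web.config.

Added example for this article (not vendor code). Key sizes follow the IIS
Machine Key generator: 64-byte validationKey (128 hex chars) for HMACSHA256/
384/512, 32-byte decryptionKey (64 hex chars) for AES.
"""
import secrets
import xml.etree.ElementTree as ET

VALIDATION_KEY_BYTES = {"HMACSHA256": 64, "HMACSHA384": 64, "HMACSHA512": 64}
DECRYPTION_KEY_BYTES = {"AES": 32}

# Constructed web.config carrying a placeholder static key (not a real key).
SAMPLE_WEB_CONFIG = (
    '<configuration><system.web>'
    '<machineKey validationKey="' + "AB" * 64 + '" decryptionKey="' + "CD" * 32 +
    '" validation="SHA1" decryption="AES"/>'
    '<compilation debug="false"/></system.web></configuration>')


def generate_machine_key(validation="HMACSHA256", decryption="AES"):
    """Return the attribute set for a new <machineKey>, drawn from the OS
    CSPRNG via the secrets module. Hex is upper-cased as IIS emits it."""
    if validation not in VALIDATION_KEY_BYTES:
        raise ValueError(f"unsupported validation algorithm {validation}")
    if decryption not in DECRYPTION_KEY_BYTES:
        raise ValueError(f"unsupported decryption algorithm {decryption}")
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES[validation]).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES[decryption]).upper(),
        "validation": validation,
        "decryption": decryption,
    }


def current_machine_key(web_config_xml):
    """Read back system.web/machineKey attributes, or None if absent."""
    elem = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    return None if elem is None else dict(elem.attrib)


def rotate_machine_key(web_config_xml, mk):
    """Replace (or add) system.web/machineKey and return the new XML text.
    ElementTree drops XML comments, so run this on a copy and diff the result
    before deploying; any IIS app-pool recycle then picks up the new keys."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    elem = system_web.find("machineKey")
    if elem is None:
        elem = ET.SubElement(system_web, "machineKey")
    elem.attrib.clear()
    elem.attrib.update(mk)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    new_key = generate_machine_key()
    print(rotate_machine_key(SAMPLE_WEB_CONFIG, new_key))
```

After rotation, every ViewState issued under the old key fails verification, so expect a brief spike of Event ID 1316 from legitimate users with pages still open; that is the one case where those events are benign.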
The BLUEBEAM payload, observed under the file name “LoadLibrary.dll”, has been associated with a specific SHA-256 hash that can serve as an indicator of compromise. The incident underlines the importance of secure default configurations and the risk that a secret shared across every deployment of a product turns a single leak into a fleet-wide compromise.