Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability

Mandiant investigated a compromise of KnowledgeDeliver, a Japanese LMS from Digital Knowledge. The root cause was an ASP.NET machineKey that was identical across multiple customer deployments: anyone holding that pre-shared key can sign an arbitrary serialized __VIEWSTATE payload that the server will then deserialize, which gave unauthenticated RCE and was tracked as CVE-2026-5426. The threat actor deployed the BLUEBEAM web shell, tampered with web files, and lured users into installing a fake plugin that ultimately delivered Cobalt Strike BEACON. #KnowledgeDeliver #DigitalKnowledge #BLUEBEAM #CobaltStrike #CVE-2026-5426

Keypoints

  • Mandiant responded to a security incident involving a compromised KnowledgeDeliver web server.
  • The root cause was identical pre-shared ASP.NET machine keys across multiple customer deployments.
  • The issue enabled unauthenticated remote code execution and was tracked as CVE-2026-5426.
  • The threat actor exploited ViewState deserialization by submitting crafted serialized payloads, signed with the pre-shared key, in the __VIEWSTATE parameter.
  • BLUEBEAM, a .NET in-memory web shell also known as Godzilla, was deployed to maintain access and execute commands.
  • The attacker modified JavaScript to show a fake security alert and load a remote malicious script.
  • The campaign ended with workstation infection via a fake installer that delivered Cobalt Strike BEACON.
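The root cause above is a configuration property, so it can be audited directly. The following Python is an added example written for this page (it is not code from Mandiant, Digital Knowledge, or the blog post); the web.config fragments it builds are constructed placeholders, and it shows how to generate a per-deployment <machineKey> and how to detect the shared-key condition across a set of customer configs:

```python
import secrets
from xml.etree import ElementTree as ET

# Key sizes follow the ASP.NET machineKey rules: validationKey may be 20-64 bytes
# (64 recommended for HMACSHA256), decryptionKey 16/24/32 bytes for AES. Both are hex.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def generate_machine_key() -> dict:
    """Return a fresh, random machineKey for exactly one deployment (or one load-balanced farm)."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def machine_key_element(key: dict) -> str:
    """Render the key as the <machineKey> element that goes under <system.web>."""
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}" />').format(**key)


def web_config(validation_key: str, decryption_key: str) -> str:
    """Build a minimal, constructed web.config; the vendor's real config is not reproduced here."""
    return f"""<configuration>
  <system.web>
    <machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def extract_machine_key(web_config_xml: str):
    """Return the <machineKey> attributes from a web.config, or None when the element is absent
    (absent means the ASP.NET default of AutoGenerate,IsolateApps, i.e. a per-server key)."""
    el = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    return None if el is None else dict(el.attrib)


def find_shared_keys(configs: dict) -> dict:
    """Map each validationKey that appears in more than one deployment to the deployments using it.
    A non-empty result is the shared-key condition behind CVE-2026-5426: whoever knows the
    key can sign an arbitrary serialized __VIEWSTATE and the server will deserialize it."""
    by_key = {}
    for name, xml in configs.items():
        mk = extract_machine_key(xml)
        if mk is None or mk.get("validationKey", "").startswith("AutoGenerate"):
            continue  # auto-generated per-server keys are not shared across tenants
        by_key.setdefault(mk["validationKey"], []).append(name)
    return {k: v for k, v in by_key.items() if len(v) > 1}


# Constructed sample: four tenants, two of which received the same pre-shared key.
SHARED_KEY = "AB" * VALIDATION_KEY_BYTES          # placeholder value, not a real key
SAMPLE_CONFIGS = {
    "tenant_a": web_config(SHARED_KEY, "CD" * DECRYPTION_KEY_BYTES),
    "tenant_b": web_config(SHARED_KEY, "CD" * DECRYPTION_KEY_BYTES),
    "tenant_c": web_config("EF" * VALIDATION_KEY_BYTES, "01" * DECRYPTION_KEY_BYTES),
    "tenant_d": web_config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}

if __name__ == "__main__":
    for key, tenants in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"shared validationKey {key[:16]}... used by {tenants}")
        for tenant in tenants:
            print(f"  replacement for {tenant}: {machine_key_element(generate_machine_key())}")
```

Why the key is the whole story: ASP.NET only hands a __VIEWSTATE blob to the deserializer after its MAC validates under validationKey, so a key that ships identically to every customer is effectively public and the MAC check protects nothing. Rotating to unique keys invalidates in-flight ViewState and forms-authentication tickets, so rotate during a maintenance window, and share a key only among the servers of one load-balanced farm, never across tenants.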

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker exploited the KnowledgeDeliver web server through a public-facing vulnerability to gain unauthenticated RCE. [‘A critical vulnerability that allowed unauthenticated Remote Code Execution (RCE).’]
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The attacker ran commands such as icacls, whoami, and cmd.exe /c through the web server process. [‘Commands observed include: cmd.exe /c … whoami powershell.exe’]
  • [T1055] Process Injection – BLUEBEAM ran as a .NET assembly loaded entirely in memory within the IIS worker process (w3wp.exe), so no web shell file needed to persist on disk and its activity was harder to detect. [‘This malware operates entirely in memory within the IIS worker process (w3wp.exe).’]
  • [T1105] Ingress Tool Transfer – A remote malicious script was loaded from a threat actor-controlled domain and a fake installer was used to deliver additional payloads. [‘Silently load a remote malicious script hosted on a threat actor-controlled domain.’]
  • [T1222.001] File and Directory Permissions Modification: Windows File and Directory Permissions Modification – The attacker used icacls to grant Everyone full access to the web application directory. [‘Permission Modification: The threat actor used icacls to grant “Everyone” full access to the web application directory.’]
  • [T1505.003] Server Software Component: Web Shell – The actor deployed the BLUEBEAM web shell to execute further commands via HTTP POST requests. [‘The threat actor deployed a .NET-based in-memory web shell called BLUEBEAM (also known as Godzilla).’]
  • [T1204.002] User Execution: Malicious File – The fake security alert prompted users to install a “security authentication plugin,” tricking them into running the fake installer that delivered the payload. [‘Display a fake security alert, prompting users to install a “security authentication plugin”.’]
  • [T1027] Obfuscated Files or Information – The payload was encrypted with a key tied to the compromised organization, indicating tailored payload encryption. [‘The payload was encrypted using a key that used the name of the compromised organization.’]
  • [T1190] Exploit Public-Facing Application (detection artifact) – The ViewState integrity-check failures in the Application log are not a denial-of-service technique; they are the ASP.NET footprint of submitted __VIEWSTATE payloads whose MAC does not validate under the server's machineKey, and they were the primary log-based detection signal in this case. [‘Viewstate verification failed. Reason: The viewstate supplied failed integrity check.’]

Indicators of Compromise

  • [File Name / SHA-256] BLUEBEAM web shell payload – LoadLibrary.dll, 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2
  • [Event Log Messages] ViewState exploitation activity – “Event code: 4009”, “Viewstate verification failed”
  • [Process Names / Command Lines] Suspicious child processes from w3wp.exe – cmd.exe /c …, whoami, powershell.exe
  • [File Types] Web root tampering targets – .js files, .aspx files, .config files
  • [User-Agent Strings] Anomalous concatenated browser strings used in web requests – Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 … Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 …, and 2 more examples
  • [Parameter] ViewState exploitation vector – __VIEWSTATE
  • [Product / Source Log] Windows Application log monitoring – ASP.NET 4.0.30319.0, Event ID 1316
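The indicators above are individually noisy (a user resubmitting a stale page also trips a ViewState integrity failure), so they are best used together. The following Python is an added example, not code from the original post, that runs simple detection logic over constructed sample telemetry (Windows Application log events from the ASP.NET provider, Sysmon process-creation events and IIS W3C log lines, all invented here with RFC 5737 addresses and a hypothetical web root path) and joins the three signals the page lists:

```python
import re
from collections import Counter

# --- Constructed sample telemetry for this example; none of it is from the incident. ---
APP_LOG_EVENTS = [  # Windows Application log, provider "ASP.NET 4.0.30319.0"
    {"provider": "ASP.NET 4.0.30319.0", "event_id": 1316,
     "message": "Event code: 4009\nEvent message: Viewstate verification failed. "
                "Reason: The viewstate supplied failed integrity check.\n"
                "Request path: /Login.aspx\nUser host address: 203.0.113.7"},
    {"provider": "ASP.NET 4.0.30319.0", "event_id": 1316,
     "message": "Event code: 4009\nEvent message: Viewstate verification failed. "
                "Reason: The viewstate supplied failed integrity check.\n"
                "Request path: /Default.aspx\nUser host address: 203.0.113.7"},
    {"provider": "ASP.NET 4.0.30319.0", "event_id": 1309,   # unrelated health event
     "message": "Event code: 3005\nEvent message: An unhandled exception has occurred.\n"
                "User host address: 198.51.100.4"},
]
SYSMON_PROCESS_EVENTS = [  # Sysmon Event ID 1 (process creation), selected fields only
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls C:\inetpub\wwwroot\kd /grant Everyone:F /T"},  # hypothetical path
    {"ParentImage": r"C:\Windows\explorer.exe",                           # benign: interactive user
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]
IIS_LOG_LINES = [  # W3C fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
                   #             cs-username c-ip cs(User-Agent) cs(Referer) sc-status ...
    "2026-03-01 10:00:01 10.0.0.5 POST /Login.aspx - 443 - 203.0.113.7 "
    "Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.2+Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)"
    "+AppleWebKit/537.36 - 500 0 0 120",
    "2026-03-01 10:05:00 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.4 "
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 - 200 0 0 30",
]

HOST_RE = re.compile(r"User host address:\s*(\S+)")
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "icacls.exe", "net.exe"}


def viewstate_failures(events):
    """Count 'Viewstate verification failed' events (Event ID 1316, event code 4009) per client IP."""
    counts = Counter()
    for ev in events:
        if (ev["provider"].startswith("ASP.NET") and ev["event_id"] == 1316
                and "Viewstate verification failed" in ev["message"]):
            m = HOST_RE.search(ev["message"])
            counts[m.group(1) if m else "unknown"] += 1
    return dict(counts)


def w3wp_shell_children(events):
    """Return command lines of shell/utility processes spawned by the IIS worker process."""
    hits = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child in SHELL_CHILDREN:
            hits.append(ev["CommandLine"])
    return hits


def concatenated_user_agents(lines):
    """Flag IIS entries whose User-Agent carries more than one 'Mozilla/5.0' product token,
    the concatenated-browser-string pattern listed as an indicator."""
    flagged = []
    for line in lines:
        f = line.split(" ")
        if len(f) < 10:
            continue
        client_ip, ua = f[8], f[9].replace("+", " ")   # IIS encodes spaces in the UA as '+'
        if ua.count("Mozilla/5.0") > 1:
            flagged.append((client_ip, ua))
    return flagged


def correlate(app_events, sysmon_events, iis_lines, min_failures=1):
    """Join the three signals: a client that both fails ViewState MAC checks and sends the
    anomalous user agent, plus any shell children of w3wp.exe on the same host."""
    failures = viewstate_failures(app_events)
    ua_hits = {ip for ip, _ in concatenated_user_agents(iis_lines)}
    suspects = {ip for ip, n in failures.items() if n >= min_failures and ip in ua_hits}
    return {"suspect_ips": sorted(suspects), "w3wp_children": w3wp_shell_children(sysmon_events)}


if __name__ == "__main__":
    print(correlate(APP_LOG_EVENTS, SYSMON_PROCESS_EVENTS, IIS_LOG_LINES))
```

In production the same functions would consume exports from Get-WinEvent, the Sysmon channel and the IIS log directory; the point is the join. A client address that both produces repeated ASP.NET Event ID 1316 failures and sends the concatenated Mozilla/5.0 user agent, while w3wp.exe on the same server spawns cmd.exe or icacls.exe, is close to a confirmed exploitation rather than three weak alerts. Note that a correctly signed payload (the attacker holding the shared key) produces no 1316 event at all, so the process-creation signal must not be gated on the log failures.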


Read more: https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/