Shared ASP.NET machine keys exposed KnowledgeDeliver deployments
Mandiant links CVE-2026-5426 exploitation to in-memory BLUEBEAM, web-root tampering, and downstream Cobalt Strike delivery through compromised LMS sites.
Detection evidence
Shared ASP.NET machine keys exposed KnowledgeDeliver deployments
Mandiant investigated a compromised KnowledgeDeliver learning-management server in late 2025 and identified an unauthenticated remote-code-execution vulnerability now tracked as CVE-2026-5426. An unknown actor used identical ASP.NET machine keys distributed across customer deployments to submit a malicious ViewState payload, run BLUEBEAM inside IIS, alter the web application, and deliver Cobalt Strike to site visitors.
KnowledgeDeliver is used primarily in Japan. Installations deployed before 24 February 2026 inherited hardcoded machineKey values from a standardized vendor configuration. A key recovered from one installation could therefore be used against another internet-facing deployment that shared the same values.
A valid machine key enabled ViewState deserialization
ASP.NET ViewState carries page state between requests and uses the configured machine key to protect integrity. The actor crafted a malicious __VIEWSTATE value with the shared key and sent it to a vulnerable server. Because the payload passed integrity validation, the application attempted deserialization and executed attacker-controlled code.
Mandiant did not identify how the actor first obtained the shared key material. The vendor configuration made the same secret available across independent customer environments, removing the isolation normally provided by per-deployment keys.
BLUEBEAM remained inside the IIS worker process
After code execution, the actor deployed the .NET-based BLUEBEAM web shell, also known as Godzilla. BLUEBEAM operated in memory inside w3wp.exe and accepted encrypted commands in HTTP POST bodies. File-based scanning alone would not reliably expose that execution path.
The actor then used icacls to grant Everyone full access to the web application directory. A JavaScript file in the application was modified to display a false security alert and load a remote script from actor-controlled infrastructure. The remote content prompted visitors to install a fake security authentication plugin. That installer delivered a Cobalt Strike BEACON payload prepared for the targeted organization.
Reported infrastructure
Mandiant supplied one file indicator and examples of identifier components found concatenated in anomalous User-Agent strings. Per-value observation times were not provided. These values are historical pivots. Defenders should confirm local log timing, file provenance, current prevalence, and benign collisions before escalation.
| Type | Reported value | Context |
|---|---|---|
| File name | LoadLibrary.dll | BLUEBEAM payload |
| SHA-256 | 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2 | BLUEBEAM payload |
| Anomalous User-Agent component | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2 | Reported as part of a concatenated identifier pattern |
| Anomalous User-Agent component | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 | Reported as part of a concatenated identifier pattern |
| Anomalous User-Agent component | Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101213 Opera/9.80 (Windows NT 6.1; U; zh-tw) Presto/2.7.62 Version/11.01 | Reported as part of a concatenated identifier pattern |
| Anomalous User-Agent component | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205 | Reported as part of a concatenated identifier pattern |
User-Agent matching has low confidence on its own. The values are easy to copy, change, or encounter in unrelated scanning. Correlation with the affected application, ViewState errors, IIS process behavior, and web-root changes is required.
The accompanying experimental hunt checks endpoint records for the reported filename or SHA-256 and web telemetry for the four User-Agent components. A filename or User-Agent match alone is insufficient; the hunt requires the affected application, host role, request path, ViewState events, and nearby IIS activity for triage.
ASP.NET event telemetry identifies the deserialization stage
Mandiant identified Windows Application Event ID 1316 as a useful ViewState signal. A message containing event code 4009 and the reason The viewstate supplied failed integrity check can indicate an attempt made with the wrong key. A message containing event code 4009 and the reason Viewstate was invalid indicates that integrity validation passed and deserialization was attempted. Execution may or may not have succeeded.
The included Sigma rule detects the second condition. It does not use the reported hash, filename, or User-Agent values. The selection maps to Exploit Public-Facing Application (T1190) because the event represents a request reaching a vulnerable internet-facing ASP.NET application with valid integrity material.
Responders should correlate the alert with IIS request logs, the target URL, request size, source address, application pool identity, w3wp.exe child processes, web-root file changes, and outbound connections. Mandiant also recommends monitoring for w3wp.exe starting cmd.exe, powershell.exe, whoami, or icacls, and for unauthorized changes to .js, .aspx, and .config files.
Key rotation and server investigation
Each KnowledgeDeliver deployment needs a unique, cryptographically strong machine key. Deployments created before 24 February 2026 should be reviewed for inherited shared values and rotated according to vendor guidance. Internet access should be limited to required organizational ranges where operationally possible.
Key rotation addresses the shared secret, while an established web shell or modified application can preserve attacker access. Responders should acquire volatile and persistent evidence, inspect the IIS worker process, compare the application tree with a trusted release, review permission changes, and remove malicious code before closing the incident. Workstations that received the false plugin prompt require separate endpoint investigation for Cobalt Strike.
Scope and limitations
This analysis relies on one original Mandiant investigation. The source confirms exploitation in a compromised environment and explains how the shared keys expanded exposure, but it does not identify the actor, count affected deployments, or establish current activity after late 2025. Indicator observation times and actor-controlled domains are unavailable. The Sigma rule detects a ViewState deserialization stage recorded by ASP.NET; it cannot confirm command execution and will miss exploitation when Windows Application messages are absent, truncated, or not forwarded.
Sources
- Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability, Mandiant and Google Threat Intelligence Group, 25 May 2026.