NG Solution Team
How Are Attackers Exploiting a Zero-Day in KnowledgeDeliver LMS to Deploy BLUEBEAM?

A critical zero-day vulnerability in the KnowledgeDeliver Learning Management System is being actively exploited to deploy the BLUEBEAM in-memory web shell. This vulnerability, identified as CVE-2026-5426, allows unauthenticated remote code execution and affects all systems using default ASP.NET configurations prior to February 24, 2026. Developed by Japan-based Digital Knowledge, KnowledgeDeliver is widely utilized in Japan’s educational and enterprise sectors.

The root cause is an insecure cryptographic practice: the vendor ships a standardized web.config file with hardcoded machineKey values. Because these keys are identical across all customer deployments, an attacker who obtains them from any single instance can exploit every internet-facing KnowledgeDeliver server.

Attackers leverage the ASP.NET ViewState mechanism, which maintains UI state across HTTP postbacks. The server uses the machineKey to compute and verify the integrity check on each ViewState blob (and to encrypt it, where enabled), so an attacker who holds the key can craft serialized ViewState payloads that pass validation and lead to arbitrary code execution when the server deserializes them.

Post-exploitation, attackers focus on maintaining persistence and expanding their impact. They deploy BLUEBEAM, a .NET-based web shell that runs in memory inside the IIS worker process (w3wp.exe), which lets it evade traditional antivirus and EDR systems. BLUEBEAM communicates with the attackers through encrypted HTTP POST requests, enabling stealthy command execution.

In addition, attackers use icacls to grant broad permissions on the web application directory and modify a JavaScript file so that it displays a fake security alert. This alert prompts visitors to install a “security authentication plugin,” which actually downloads a Cobalt Strike BEACON backdoor onto their systems.

To detect such exploitation, defenders should monitor for specific indicators, including Windows Application Event ID 1316 and suspicious child processes spawned by w3wp.exe. Unauthorized changes to .js, .aspx, or .config files and anomalous entries in HTTP access logs are also signs of compromise.
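The following triage script turns the indicators just listed into concrete checks over sample telemetry. It is an added example for this article, not tooling from Digital Knowledge or from any incident responder, and it makes several assumptions: the event dicts use simplified field names (assumed to be mapped from Sysmon Event ID 1 process-creation and Event ID 11 file-create records and from the Windows Application log, where the ASP.NET runtime logs Event ID 1316 for ViewState integrity failures), the web root path is assumed, and all events are constructed, not taken from the incident.

```python
"""Triage of the indicators listed above over constructed sample telemetry.

Added example for this article; not tooling from Digital Knowledge or any
incident responder. Event dicts use simplified field names (assumed mapping
from Sysmon Event ID 1 / Event ID 11 and the Windows Application log); the
web root path is assumed.
"""
import re
from datetime import datetime, timedelta

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
WEB_ROOT = r"c:\inetpub\wwwroot"                      # assumed install location
WEB_CONTENT_EXT = (".js", ".aspx", ".ashx", ".config")
# Interpreters and utilities an IIS worker process has little reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "icacls.exe",
                       "whoami.exe", "net.exe", "net1.exe", "certutil.exe",
                       "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "iis_iusrs"}

# Constructed sample events (not from the incident).
SAMPLE_EVENTS = [
    # Six ViewState MAC failures in six seconds: forged payloads being tried.
    *[{"time": f"2026-02-25T09:00:{s:02d}", "log": "Application", "event_id": 1316,
       "message": "Viewstate verification failed."} for s in range(1, 7)],
    # w3wp.exe spawning cmd.exe that runs icacls against the web root.
    {"time": "2026-02-25T09:01:10", "log": "Sysmon", "event_id": 1,
     "parent_image": W3WP, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c icacls "C:\inetpub\wwwroot\kd" /grant Everyone:(OI)(CI)F /T'},
    # Benign: an administrator opening a shell from Explorer.
    {"time": "2026-02-25T09:01:30", "log": "Sysmon", "event_id": 1,
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    # A shell writing a JavaScript file that is served to LMS visitors.
    {"time": "2026-02-25T09:02:00", "log": "Sysmon", "event_id": 11,
     "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": r"C:\inetpub\wwwroot\kd\Scripts\common.js"},
    # Benign: the application itself storing an uploaded image.
    {"time": "2026-02-25T09:02:05", "log": "Sysmon", "event_id": 11,
     "image": W3WP, "target_filename": r"C:\inetpub\wwwroot\kd\Uploads\photo.png"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def viewstate_failure_burst(events, threshold=5, window=timedelta(minutes=5)):
    """True if at least `threshold` Event ID 1316 records fall inside one window."""
    times = sorted(datetime.fromisoformat(e["time"]) for e in events
                   if e.get("log") == "Application" and e.get("event_id") == 1316)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def broad_acl_grant(command_line):
    """Return the principal if icacls grants Full/Modify/Write to a broad group, else None."""
    if "icacls" not in command_line.lower():
        return None
    m = re.search(r'/grant(?::r)?\s+"?([^":]+)"?:(\S+)', command_line, re.I)
    if not m:
        return None
    principal, rights = m.group(1), m.group(2).strip('"')
    # Rights look like (OI)(CI)F, (F) or M,W: collect every token, inheritance flags included.
    tokens = {t.upper() for a, b in re.findall(r'\(([^)]*)\)|([A-Za-z,]+)', rights)
              for t in (a or b).split(",")}
    group = principal.split("\\")[-1].lower()
    if group in BROAD_PRINCIPALS and tokens & {"F", "M", "W"}:
        return principal
    return None


def analyze(events):
    """Return (rule, detail) pairs for the indicators the article lists."""
    findings = []
    if viewstate_failure_burst(events):
        findings.append(("viewstate_mac_failure_burst", "5+ Event ID 1316 within 5 minutes"))
    for e in events:
        if e.get("log") != "Sysmon":
            continue
        if e["event_id"] == 1:
            child = basename(e["image"])
            if basename(e["parent_image"]) == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
                findings.append(("w3wp_suspicious_child", f"w3wp.exe -> {child}: {e['command_line']}"))
            principal = broad_acl_grant(e.get("command_line", ""))
            if principal:
                findings.append(("broad_acl_grant", f"icacls granted broad rights to {principal}"))
        elif e["event_id"] == 11:
            target = e["target_filename"].lower()
            if target.startswith(WEB_ROOT) and target.endswith(WEB_CONTENT_EXT):
                findings.append(("web_content_modified", f"{basename(e['image'])} wrote {e['target_filename']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On the constructed sample this yields four findings: one burst of Event ID 1316 records, the w3wp.exe to cmd.exe spawn, the broad icacls grant, and the .js write under the web root; the Explorer-launched shell and the uploaded image are left alone. In a real deployment the thresholds and the web root are the first things to tune, and the file-write rule should be paired with a deployment-window allow list so routine releases do not page anyone.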

Organizations are urged to generate unique, cryptographically strong machineKeys for each deployment to mitigate this vulnerability. Restricting LMS access to known IP ranges and conducting thorough forensic investigations in compromised environments are recommended steps for remediation.
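The mitigation above, and the shared-secret root cause described earlier, can both be handled with a small audit-and-rotate routine. The script below is an added example for this article, not code from Digital Knowledge or from any vendor: it reads a web.config, fingerprints the machineKey so that fingerprints from many servers can be compared without copying the secrets around, flags a key that has already been seen on another deployment, and rewrites the element with fresh random keys. The key values in the sample configuration are constructed placeholders, not the real KnowledgeDeliver keys.

```python
"""Find and replace template machineKey values in an ASP.NET web.config.

Added example for this article; not Digital Knowledge's code. Key values below
are constructed placeholders, not the real KnowledgeDeliver keys.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-in for a vendor template: explicit keys shipped identically
# to every customer (placeholder hex, correct lengths for HMACSHA256 / AES-256).
TEMPLATE_VALIDATION_KEY = "A1B2" * 32   # 128 hex chars = 64 bytes
TEMPLATE_DECRYPTION_KEY = "C3D4" * 16   # 64 hex chars = 32 bytes
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{TEMPLATE_VALIDATION_KEY}"
                decryptionKey="{TEMPLATE_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

MACHINE_KEY_PATH = "./system.web/machineKey"


def machine_key_attrs(config_xml):
    """Return the <machineKey> attributes as a dict, or None if the element is
    absent (absent means ASP.NET auto-generates per-server keys)."""
    mk = ET.fromstring(config_xml).find(MACHINE_KEY_PATH)
    return None if mk is None else dict(mk.attrib)


def key_fingerprint(config_xml):
    """SHA-256 over the key material. Collect this from every server and compare:
    equal fingerprints mean a shared secret, without the keys leaving the host."""
    attrs = machine_key_attrs(config_xml)
    if attrs is None:
        return None
    material = (attrs.get("validationKey", "") + "|" + attrs.get("decryptionKey", "")).upper()
    return hashlib.sha256(material.encode()).hexdigest()


def audit_machine_key(config_xml, fingerprints_seen_elsewhere=frozenset()):
    """Return a list of findings; an empty list means nothing to flag."""
    attrs = machine_key_attrs(config_xml)
    if attrs is None:
        return []
    vk = attrs.get("validationKey", "AutoGenerate")
    dk = attrs.get("decryptionKey", "AutoGenerate")
    explicit = not (vk.upper().startswith("AUTOGENERATE") or dk.upper().startswith("AUTOGENERATE"))
    findings = []
    if explicit and key_fingerprint(config_xml) in fingerprints_seen_elsewhere:
        findings.append("machineKey matches another deployment: shared secret, rotate immediately")
    if explicit and vk.upper() == dk.upper():
        findings.append("validationKey and decryptionKey are the same value")
    if explicit and len(vk) < 80:
        findings.append("validationKey shorter than 40 bytes")
    if attrs.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
        findings.append(f"weak validation algorithm {attrs['validation']}")
    if attrs.get("decryption", "AES").upper() in ("DES", "3DES"):
        findings.append(f"weak decryption algorithm {attrs['decryption']}")
    return findings


def rotate_machine_key(config_xml):
    """Return the config with fresh random keys (HMACSHA256 validation, AES-256
    decryption). Run once per deployment; nodes of one web farm share the result."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())   # 64 bytes
    mk.set("decryptionKey", secrets.token_hex(32).upper())   # 32 bytes
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Simulate the template key having already been seen on another customer's server.
    seen = {key_fingerprint(SAMPLE_WEB_CONFIG)}
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG, seen))
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("after: ", audit_machine_key(rotated, seen))
    print(rotated)
```

Rotating the key invalidates every ViewState and forms-authentication ticket issued under the old one, so existing sessions end; that is the intended effect in a compromised environment, and it is worth scheduling for a maintenance window everywhere else. Keep the fingerprint, not the key, in the inventory used to confirm that no two deployments still share a secret.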

This incident highlights the systemic risks posed by shared secrets in vendor templates, emphasizing the importance of machine key rotation and uniqueness as essential security measures in ASP.NET-based platforms.
