
Shared ASP.NET Machine Keys Enable RCE in KnowledgeDeliver LMS

In late 2025, Mandiant responded to an incident where an unknown threat actor exploited a critical vulnerability in KnowledgeDeliver, a Japanese LMS. The root cause was a hardcoded, identical ASP.NET machineKey in the vendor’s standard web.config file across all customer deployments. This made every internet-facing instance vulnerable to unauthenticated remote code execution via ViewState deserialization, tracked as CVE-2026-5426. The tension is that a single leaked key could compromise an entire ecosystem of deployments, turning a vendor template into a mass exploitation vector.
The attacker crafted a malicious ViewState payload using the known key, sent it via HTTP POST to the __VIEWSTATE parameter, and achieved deserialization RCE. They then deployed the BLUEBEAM in-memory web shell (Godzilla variant) into the IIS worker process (w3wp.exe). Post-exploitation, they used icacls to grant full access to the web directory, tampered with JavaScript to display a fake security alert and load a remote script, which led to Cobalt Strike BEACON infections on visitors’ workstations. The Cobalt Strike payload was encrypted with a key derived from the organization’s name, indicating targeted preparation.
Serious builders must rotate machine keys to unique, cryptographically strong values immediately. For hunting, monitor Application Event Log Event ID 1316 from ASP.NET (code 4009) for ViewState verification failures, watch for suspicious w3wp.exe child processes (cmd, whoami, powershell), enable file integrity monitoring for .js and .config changes, and inspect User-Agent strings that concatenate two distinct identifiers. Mandiant‘s SecOps rules can automate detection of these patterns. The core lesson: never ship hardcoded secrets in deployment templates.


