Zero-Day Exploitation of KnowledgeDeliver LMS Leads to Cobalt Strike Deployment
A high-severity vulnerability in **Digital Knowledge**'s KnowledgeDeliver Learning Management System (LMS) was exploited as a zero-day, culminating in the deployment of **Cobalt Strike** Beacon. The flaw, now patched, stems from hard-coded ASP.NET machine keys, which attackers used to gain code execution on the server and then inject malicious code into the LMS.

### Hard-Coded Keys Enable Remote Code Execution
The vulnerability, tracked as **CVE-2026-5426** (CVSS score: 7.5), arises from hard-coded ASP.NET machine keys within KnowledgeDeliver. Because the keys that sign and encrypt ViewState are known in advance, an unauthenticated attacker can obtain remote code execution through a ViewState deserialization attack. The dangers of publicly disclosed ASP.NET machine keys were previously highlighted by **Microsoft** in February 2025.
According to **Google Mandiant** and **Google Threat Intelligence Group (GTIG)**, the attackers injected malicious code into the LMS platform to infect site visitors.
### Impact and Remediation
The flaw affects KnowledgeDeliver deployments from before February 24, 2026; the vendor has since patched it. Hard-coded machine keys have previously been exploited in other ASP.NET products, including **Sitecore Experience Manager** (XM) and **Gladinet CentreStack and TrioFox**.
### Technical Deep Dive
The root cause lies in the standardized `web.config` file provided by the vendor, which contains hard-coded `machineKey` values. ASP.NET uses these keys to sign and encrypt data, including ViewState payloads. Because every installation shipped with the same keys, anyone who obtained them from a single deployment, or from the template itself, could forge valid ViewState for every other deployment.
"The ASP.NET ViewState persists page state across postbacks," Google explained. "When the `machineKey` is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the `__VIEWSTATE` parameter), the threat actor can make the server deserialize it."
### Attack Chain: From Web Shell to Cobalt Strike
Observed exploitation of CVE-2026-5426 involved deploying the **Godzilla** (aka BLUEBEAM) web shell, which gave the attackers the ability to execute commands and drop additional payloads. They then weakened file-system permissions on the web server by granting "Everyone" full control of the web application directory, so that any account, including the one the web application ran under, could modify the site's files.
Subsequently, they tampered with a JavaScript file to display a fake security alert, prompting users to install a bogus "security authentication plugin." This allowed for the stealthy loading of a malicious script from an attacker-controlled domain, ultimately leading users to download a fake installer and infecting their machines with Cobalt Strike Beacon.
Google noted that the payload was encrypted using a key that incorporated the name of the compromised organization, indicating a targeted attack.
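The post-exploitation steps described above (a web shell executing commands from inside the IIS worker process, then the permission change on the web application directory) are both visible in process-creation telemetry. The following Python is an added example, not code from Google, Mandiant or the vendor: it runs two detection rules over constructed Sysmon-style process-creation events embedded in the script. The field names, the web root path, the process names and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed names: the IIS worker process, the interactive shells a web shell
# typically spawns, and the web application root on the host.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_ROOT = r"c:\inetpub\wwwroot"

# icacls granting Everyone (by name or by its well-known SID S-1-1-0) full
# control, e.g. "/grant Everyone:F" or "/grant:r Everyone:(OI)(CI)F".
EVERYONE_FULL = re.compile(
    r'/grant(?::r)?\s+(?:"?everyone"?|\*s-1-1-0):(?:\([a-z]+\))*f\b', re.I)


@dataclass
class Alert:
    rule: str
    record: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run both rules over process-creation events; return the alerts raised."""
    alerts = []
    for ev in events:
        parent = _basename(ev["ParentImage"])
        image = _basename(ev["Image"])
        cmd = ev["CommandLine"]
        # Rule 1: the IIS worker spawning an interactive shell is the classic
        # signature of a web shell such as Godzilla running commands.
        # (w3wp.exe spawning csc.exe is normal ASP.NET page compilation.)
        if parent in WEB_WORKERS and image in SHELLS:
            alerts.append(Alert("webshell_shell_spawn", ev["RecordId"],
                                f"{parent} -> {image}: {cmd}"))
        # Rule 2: ACL weakening. Everyone:F anywhere deserves a look; on the
        # web root it is exactly the step observed in this intrusion.
        if image == "icacls.exe" and EVERYONE_FULL.search(cmd):
            rule = ("webroot_acl_everyone_full" if WEB_ROOT in cmd.lower()
                    else "acl_everyone_full")
            alerts.append(Alert(rule, ev["RecordId"], cmd))
    return alerts


# Constructed sample events (Sysmon Event ID 1 shaped); not real telemetry.
SAMPLE_EVENTS = [
    {"RecordId": "1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "whoami"'},
    {"RecordId": "2", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls C:\inetpub\wwwroot\kd /grant Everyone:(OI)(CI)F /T"},
    {"RecordId": "3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\notes.txt"},          # benign
    {"RecordId": "4", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /noconfig /out:App_Web_x.dll"},   # benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] record {alert.record}: {alert.detail}")
```

Tune the benign list before deploying this: `w3wp.exe` legitimately launches `csc.exe` and `cvtres.exe` during page compilation, and deployment tooling may run `icacls` on the web root during releases, so the second rule should be scoped to out-of-hours activity or to accounts that are not the deployment service account.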
### Lessons Learned and Mitigation Strategies
This incident underscores the risk of shipping shared secrets in deployment templates. A `machineKey` that is identical across customers is effectively public: anyone who has seen one copy can forge signed ViewState against every installation. Organizations running ASP.NET applications should check `web.config` (and `machine.config`) for vendor-supplied `machineKey` values, generate unique keys for each deployment, and rotate any key that may have been shared, bearing in mind that rotation invalidates existing ViewState and forms-authentication tickets and must be applied to every node of a web farm at once. Write access to the web root should be limited to deployment accounts, and endpoint monitoring should alert on the IIS worker process spawning command shells and on permission changes that grant "Everyone" access to the web application directory, the activity seen in this intrusion.
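As an added example tying together the root cause (a vendor `web.config` that ships fixed `machineKey` values) and the mitigation (unique keys per deployment), the following Python script audits a `web.config` for a shared or legacy `machineKey` and emits a replacement with freshly generated keys. It is not vendor, Google or Microsoft code; the embedded template, its key values and the list of known shared keys are constructed placeholders, and the key sizes follow what IIS Manager's key generator produces (64-byte validation key, 32-byte AES key).

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed: a config shaped like a vendor template that ships the same
# machineKey to every customer. The values are placeholders, not real keys.
TEMPLATE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""".format(vk="A1B2C3D4" * 16, dk="DEADBEEF" * 8)

# Keys known to be shared: in practice, compile this from the vendor's
# template and any public config dumps. Constructed to match the template.
KNOWN_SHARED_KEYS = {"A1B2C3D4" * 16}

LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}   # pre-HMAC settings
LEGACY_DECRYPTION = {"DES", "3DES"}
HEX = re.compile(r"[0-9A-Fa-f]+")


def audit(web_config: str, known_keys: set) -> list:
    """Return findings for the <machineKey> element; an empty list means clean."""
    root = ET.fromstring(web_config)
    mk = root.find("system.web/machineKey")
    if mk is None:
        return []  # no static key: ASP.NET auto-generates one per machine
    findings = []
    vk = mk.get("validationKey", "")
    dk = mk.get("decryptionKey", "")
    if vk in known_keys:
        findings.append("validationKey matches a known shared key: ViewState is forgeable")
    for name, val, min_bytes in (("validationKey", vk, 64), ("decryptionKey", dk, 32)):
        if val.startswith("AutoGenerate"):
            continue
        if not HEX.fullmatch(val) or len(val) < 2 * min_bytes:
            findings.append(f"{name} is not a hex string of at least {min_bytes} bytes")
    v = mk.get("validation", "HMACSHA256").upper()
    if v in LEGACY_VALIDATION:
        findings.append(f"validation='{v}' is a legacy setting; use HMACSHA256 or stronger")
    d = mk.get("decryption", "AES").upper()
    if d in LEGACY_DECRYPTION:
        findings.append(f"decryption='{d}' is a legacy setting; use AES")
    return findings


def generate_machine_key() -> dict:
    """Fresh per-deployment keys: 64-byte HMACSHA256 key, 32-byte AES key."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate(web_config: str) -> str:
    """Return the config with <machineKey> replaced by freshly generated values."""
    root = ET.fromstring(web_config)
    sw = root.find("system.web")
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    mk = sw.find("machineKey")
    if mk is None:
        mk = ET.SubElement(sw, "machineKey")
    for attr, val in generate_machine_key().items():
        mk.set(attr, val)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(TEMPLATE_WEB_CONFIG, KNOWN_SHARED_KEYS):
        print("FINDING:", finding)
    print(rotate(TEMPLATE_WEB_CONFIG))
```

Rotate in a maintenance window: anything protected with the old key (in-flight ViewState, forms-authentication cookies, anti-forgery tokens) stops validating, and every server in a farm needs the same new value at the same time. Keep the generated values out of the deployable template, for instance in a per-environment config transform or a secret store, so the next release does not reintroduce a shared key.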