Published Sunday, June 21, 2026 at 01:01 AM PT

BREAKING: Active Exploitation of KnowledgeDeliver Platform via ViewState Deserialization (CVE-2026-5426)

BLUF: Threat actors are actively exploiting a ViewState deserialization vulnerability (CVE-2026-5426) in the KnowledgeDeliver platform, enabled by identical pre-shared ASP.NET machine keys used across multiple customer deployments. All KnowledgeDeliver customers should treat their deployments as potentially compromised pending investigation.


DETAILS

  • Root cause confirmed: Identical ASP.NET machine keys deployed across multiple KnowledgeDeliver customer instances enabled ViewState deserialization attacks. This is a known high-risk configuration that allows unauthenticated remote code execution when machine keys are known or shared.
  • Zero-day origin: The vulnerability was initially exploited as a zero-day before public disclosure; it is now formally tracked as CVE-2026-5426. Patch availability status is not confirmed in available intelligence at this time.
  • Multi-tenant exposure: The shared machine key architecture means exploitation of one deployment may provide keys applicable to other affected customer environments; the scope of compromise may extend beyond initially identified victims.
  • Attribution: Google Threat Intelligence is tracking active exploitation. Threat actor identity, tooling, and campaign objectives are not confirmed in available reporting.
  • Exploitation mechanism: ASP.NET ViewState deserialization via known machine keys is a well-documented attack class; exploitation typically yields remote code execution on the web server.

IMPACT

  • Who is affected: Organizations running KnowledgeDeliver deployments, particularly those using default or vendor-supplied ASP.NET machine key configurations.
  • Scope: Multi-customer; exact number of affected deployments is unconfirmed.
  • Potential impact: Full remote code execution on affected web servers; lateral movement, data exfiltration, and persistence are plausible follow-on actions but are not yet confirmed by available reporting.

RECOMMENDED ACTIONS

  1. Immediately rotate ASP.NET machine keys on all KnowledgeDeliver deployments; generate unique keys per environment.
  2. Audit web server logs for anomalous ViewState payloads or unexpected process execution originating from web worker processes.
  3. Isolate affected systems if active compromise indicators are identified pending forensic review.
  4. Contact KnowledgeDeliver vendor for official patch status, indicators of compromise (IOCs), and remediation guidance.
  5. Monitor Google Threat Intelligence and CVE-2026-5426 advisories for updated patch and IOC releases.
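
For step 1, a fleet operator can check which deployments still share a static machine key before rotating. The script below is an added example, not vendor or Google Threat Intelligence tooling: it parses the standard ASP.NET `<machineKey>` element from each web.config, groups deployments by a hash of the key pair, and builds a replacement element with fresh random keys. The deployment names, sample key values, and chosen key lengths are assumptions of this example.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config samples; deployment names and key values are made up.
_TPL = ('<configuration><system.web><machineKey validationKey="%s" '
        'decryptionKey="%s" validation="HMACSHA256" decryption="AES"/>'
        '</system.web></configuration>')
SAMPLE_CONFIGS = {
    "tenant-a": _TPL % ("AB" * 64, "CD" * 32),
    "tenant-b": _TPL % ("ab" * 64, "cd" * 32),   # same keys, different case
    "tenant-c": _TPL % ("12" * 64, "34" * 32),
    "tenant-d": _TPL % ("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
    "tenant-e": "<configuration><system.web/></configuration>",
}

def read_machine_key(config_xml):
    """Return (validationKey, decryptionKey), or None if no static key is set."""
    node = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if node is None:
        return None
    keys = (node.get("validationKey", "AutoGenerate"),
            node.get("decryptionKey", "AutoGenerate"))
    return None if all(k.startswith("AutoGenerate") for k in keys) else keys

def fingerprint(keys):
    """Hash the pair so the report never carries the key material itself."""
    return hashlib.sha256("|".join(keys).upper().encode()).hexdigest()[:16]

def find_shared_keys(configs):
    """Map fingerprint -> deployments for each static key pair used more than once."""
    groups = defaultdict(list)
    for name, xml_text in configs.items():
        keys = read_machine_key(xml_text)
        if keys:
            groups[fingerprint(keys)].append(name)
    return {fp: sorted(n) for fp, n in groups.items() if len(n) > 1}

def new_machine_key():
    """Replacement element with fresh random keys (64-byte HMAC, 32-byte AES)."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="HMACSHA256" decryption="AES" />'
            % (secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))

if __name__ == "__main__":
    for fp, names in find_shared_keys(SAMPLE_CONFIGS).items():
        print("shared machine key", fp, "used by", ", ".join(names))
    print("replacement:", new_machine_key())
```

Hex keys are compared case-insensitively, and only the truncated hash appears in output, so the report can be circulated without exposing the keys.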

SOURCES

  • Google Threat Intelligence: Active exploitation reporting, CVE-2026-5426 tracking
  • CVE Record: CVE-2026-5426

⚠️ UNCERTAINTY FLAG: Patch availability, confirmed victim count, threat actor attribution, and full exploitation chain details are not confirmed in current reporting. This alert will require an update as additional intelligence becomes available.