Remote Code Execution Vulnerability in Digital Knowledge's KnowledgeDeliver Software
CVE-2026-5426

9.1CRITICAL

Key Information:

Vendor

Digital Knowledge

Status
Knowledgedeliver
Vendor
CVE Published:
16 April 2026

Badges

📈 Score: 1,190💰 Ransomware👾 Exploit Exists🟡 Public PoC📰 News Worthy

What is CVE-2026-5426?

CVE-2026-5426 is a remote code execution vulnerability affecting the KnowledgeDeliver software developed by Digital Knowledge. This software is designed to manage and deliver digital content effectively, integrating various functionalities for organizations. The vulnerability arises from a hard-coded machineKey value used in ASP.NET/IIS deployments in versions prior to February 24, 2026. This flaw allows attackers to bypass ViewState validation, enabling them to execute arbitrary code on the server through malicious ViewState deserialization attacks. Such exploitation poses a significant risk to organizations, as it could lead to unauthorized access, data breaches, and complete system compromise if not addressed promptly.

Potential impact of CVE-2026-5426

  1. Remote Code Execution: The primary impact of this vulnerability is the ability for adversaries to execute arbitrary code remotely. This means that an attacker could gain full control over the affected systems, leading to potential data loss or manipulation.

  2. Bypassing Security Mechanisms: Organizations relying on the ViewState validation for security within their applications could find their defenses circumvented. This undermines the integrity of the application and can expose sensitive information stored in ViewState.

  3. Increased Risk of Data Breaches: With the capability to execute code remotely, attackers can exploit this vulnerability to access confidential data, leading to significant data breaches. This could result in not only financial losses but also reputational damage for organizations, especially those handling sensitive user information.

Affected Version(s)

KnowledgeDeliver 0 < 20260224

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-5426
Created by HORKimhab

News Articles

favicon imageSwapupdate

KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

Ravie LakshmananMay 26, 2026Vulnerability / Threat Intelligence

1 month ago

favicon imageThe Hacker News

KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

CVE-2026-5426 enabled KnowledgeDeliver LMS attacks before February 24, 2026, leading to Cobalt Strike infections.

1 month ago

favicon imageIt Security News

Hackers Abuse KnowledgeDeliver LMS Flaw to Install BLUEBEAM Web Shell - IT Security News

Hackers are actively exploiting a critical vulnerability in the KnowledgeDeliver Learning Management System (LMS) to deploy the BLUEBEAM web shell, according to findings from Mandiant’s Google Threat Intelligence Group. The flaw, tracked as CVE-2026-5426, enables unauthenticated remote code executio...

1 month ago

References

https://github.com/mandiant/Vulnerability-Disclosures/blo...
third-party-advisory
https://www.digital-knowledge.co.jp/product/kd/
product
https://cloud.google.com/blog/topics/threat-intelligence/...
third-party-advisory

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 💰

    Used in Ransomware

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by It Security News

  • Vulnerability published

  • Vulnerability Reserved

.