More than 2,000 organizations running Digital Knowledge's KnowledgeDeliver learning-management software shipped the same cryptographic master key in every installation, a design flaw that let attackers remotely execute code on any customer server once they extracted the key from a single deployment. The Japanese software vendor patched the vulnerability, tracked as CVE-2026-5426, on February 24 — but Mandiant had already observed exploitation in late 2025, meaning customers ran exposed for months while the vendor knew adversaries held working exploits.
The hard-coded machineKey — an ASP.NET configuration value used to encrypt and validate session data — sat in identical web.config files across independent customer environments. That allowed attackers who compromised one KnowledgeDeliver installation to reuse the same cryptographic material against every other internet-facing instance, bypassing ASP.NET ViewState validation mechanisms that normally protect web applications from deserialization attacks.
Digital Knowledge, a Tokyo-based firm with approximately 120 employees, serves enterprise and educational customers across Japan. The vulnerability affects all deployments configured before the February patch.
Google Cloud's Threat Intelligence Group documented active exploitation that began in late 2025, centered on Japanese organizations. Attackers deployed the Godzilla web shell — a Chinese-origin tool sometimes called BLUEBEAM — and used it to modify access controls on the web application directory, granting "Everyone" full permissions. From there, adversaries tampered with JavaScript files to display fake security warnings, pushing malicious browser plugins onto end users.
In at least one case, attackers pivoted to Cobalt Strike BEACON implants encrypted with keys that included the victim organization's name, a sign the campaigns were organization-specific rather than opportunistic mass exploitation.
"The standardized web.config file contained hardcoded machineKey values used to encrypt and sign data," Google researchers wrote in their disclosure. "Because these keys were identical across independent customer environments, a threat actor who obtained keys from one deployment could compromise any other internet-facing KnowledgeDeliver instance."
ViewState deserialization attacks — a class of vulnerability where adversaries manipulate encrypted session tokens to inject executable code — have plagued ASP.NET applications for years. But most deployments randomize their machineKey at installation, limiting each compromise to a single customer. KnowledgeDeliver's design eliminated that isolation, turning one exposed server into a skeleton key for the entire install base.
Digital Knowledge has not published a breach notification count or disclosed how many customers ran internet-facing deployments with the default configuration. The company's website lists "over 2,000 e-learning system installations," but it remains unclear how many faced direct internet exposure or how many detected unauthorized access before the February patch.
The multi-month gap between first exploitation and public disclosure mirrors a pattern seen in supply-chain compromises where vendors delay notification to avoid customer churn. Mandiant's late-2025 response suggests at least one customer knew they were breached months before Digital Knowledge issued the fix.
Organizations that deployed KnowledgeDeliver before February 24 should verify their web.config files now carry unique, randomly generated machineKey values. Forensic review of IIS logs for unusual POST requests to pages containing __VIEWSTATE parameters may surface prior exploitation attempts — though attackers who gained access in 2025 had ample time to erase evidence.
The National Vulnerability Database lists the CVSS score as 7.5 (High), reflecting unauthenticated remote exploitation with high impact on confidentiality, integrity, and availability. Whether Japanese regulators will pursue action against Digital Knowledge for the delayed disclosure remains an open question.
