KnowledgeDeliver LMS Vulnerability Allows Remote Code Execution

A critical security flaw in KnowledgeDeliver, a Learning Management System used in Japan, was exploited by threat actors in late 2025. The vulnerability (CVE-2026-5426) stems from identical pre-shared ASP.NET machine keys hardcoded in the vendor's standard configuration file across multiple customer installations. Attackers who obtained these keys could craft malicious ViewState payloads to achieve unauthenticated remote code execution on any internet-facing instance. The vulnerability affected all KnowledgeDeliver deployments before February 24, 2026. This incident mirrors similar vulnerabilities found in Sitecore and highlights the dangers of standardized security credentials across independent environments. Source: Mandiant.