{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5426", "assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484", "state": "PUBLISHED", "assignerShortName": "Mandiant", "dateReserved": "2026-04-02T14:20:13.588Z", "datePublished": "2026-04-16T15:18:46.224Z", "dateUpdated": "2026-04-18T02:31:32.234Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484", "shortName": "Mandiant", "dateUpdated": "2026-04-16T15:22:20.823Z"}, "title": "KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-321", "description": "CWE-321 Use of hard-coded cryptographic key", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of untrusted data", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"vendor": "Digital Knowledge", "product": "KnowledgeDeliver", "versions": [{"status": "affected", "version": "0", "lessThan": "20260224", "versionType": "date"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks"}]}], "references": [{"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md", "tags": ["third-party-advisory"]}, {"url": "https://www.digital-knowledge.co.jp/product/kd/", "tags": ["product"]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-18T02:30:29.158302Z", "id": "CVE-2026-5426", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-18T02:31:32.234Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5426", "assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484", "state": "PUBLISHED", "assignerShortName": "Mandiant", "dateReserved": "2026-04-02T14:20:13.588Z", "datePublished": "2026-04-16T15:18:46.224Z", "dateUpdated": "2026-04-18T02:31:32.234Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484", "shortName": "Mandiant", "dateUpdated": "2026-04-16T15:22:20.823Z"}, "title": "KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-321", "description": "CWE-321 Use of hard-coded cryptographic key", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of untrusted data", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"vendor": "Digital Knowledge", "product": "KnowledgeDeliver", "versions": [{"status": "affected", "version": "0", "lessThan": "20260224", "versionType": "date"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks"}]}], "references": [{"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md", "tags": ["third-party-advisory"]}, {"url": "https://www.digital-knowledge.co.jp/product/kd/", "tags": ["product"]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5426", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-18T02:30:29.158302Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-18T02:31:27.581Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks"}], "id": "CVE-2026-5426", "lastModified": "2026-04-18T04:16:25.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-16T16:16:17.693", "references": [{"source": "mandiant-cve@google.com", "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md"}, {"source": "mandiant-cve@google.com", "url": "https://www.digital-knowledge.co.jp/product/kd/"}], "sourceIdentifier": "mandiant-cve@google.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}, {"lang": "en", "value": "CWE-502"}], "source": "mandiant-cve@google.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,20260224)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KnowledgeDeliver", "source": "cna", "vendor": "Digital Knowledge"}, "product": "knowledgedeliver", "vendor": "digital_knowledge"}], "analysis": {"en": {"generated_at": "2026-04-17T02:55:35.884436+00:00", "value": {"mitigation_remediation": ["Apply any available patch from Digital Knowledge that replaces the static machineKey with a unique random value configured in web.config or IIS.", "If a patch is not yet released, manually set a strong, randomly generated validationKey and decryptionKey in the machineKey element of web.config or the IIS settings to eliminate the hard\u2011coded key.", "Disable ViewState or enforce strict ViewState encryption and validation settings whenever ViewState is not required for application functionality."], "summary": {"action": "Assess Impact", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Digital Knowledge KnowledgeDeliver deployments prior to February\u202f24\u202f2026 are impacted. All versions of the product that rely on the hard\u2011coded machineKey configuration before this date are vulnerable. The flaw is tied to the web stack that includes IIS running ASP.NET, where the machineKey supplies both validation and decryption for ViewState data.", "description_and_impact": "The vulnerability originates from a static ASP.NET/IIS machineKey value used in Digital Knowledge KnowledgeDeliver installations before February\u202f24\u202f2026. Because the key is hard\u2011coded, attackers can forge signed ViewState payloads that bypass the framework\u2019s validation, allowing the injection of malicious objects that are deserialized by the application. This flaw permits remote code execution on the server, making the affected environments highly vulnerable. It falls under CWE\u2011321 and CWE\u2011502.", "risk_and_exploitability": "The flaw offers a straightforward remote exploitation path: an attacker can craft malicious ViewState and send it to any endpoint that accepts ViewState without authentication, bypassing integrity checks and triggering arbitrary code execution. No official patch or workaround is listed, and the vulnerability is not yet referenced in the CISA KEV catalog; the EPSS score is unavailable. Consequently, the risk remains high due to the severity of the impact and the ease of exploitation, even though specific exploitation activity has not yet been tracked in public metrics."}}}}, "created": "2026-04-16T18:58:26.106264+00:00", "updated": "2026-04-17T03:00:08.456983+00:00", "vendors": ["digital_knowledge", "digital_knowledge$PRODUCT$knowledgedeliver"]}