PatchSiren cyber security CVE debrief
CVE-2026-5426 Digital Knowledge CVE debrief
A critical vulnerability in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026, involves hard-coded ASP.NET/IIS machineKey values. Because the same validationKey and decryptionKey ship with every installation, anyone who has the product also has the keys and can produce a __VIEWSTATE value that passes the server's MAC validation; ASP.NET then deserializes the forged payload, which gives an unauthenticated remote attacker code execution in the worker process. The vulnerability carries a CVSS 3.1 score of 9.1 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: network attack vector, low complexity, no privileges required, no user interaction, high impact on confidentiality and integrity, and no rated availability impact. The issue was published in the CVE database on April 16, 2026, and last modified on May 26, 2026. Mandiant disclosed this vulnerability as MNDT-2026-0009. The weakness stems from use of hard-coded cryptographic keys (CWE-321) combined with deserialization of untrusted data (CWE-502). Organizations running affected KnowledgeDeliver versions should upgrade to the February 24, 2026 release or later, replace the shipped machineKey values with freshly generated keys unique to their deployment (and confirm after the upgrade that web.config no longer carries the shipped values), and restrict network exposure of the ASP.NET application.
- Vendor: Digital Knowledge
- Product: KnowledgeDeliver
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-16
- Original CVE updated: 2026-05-26
- Advisory published: 2026-04-16
- Advisory updated: 2026-05-26
Who should care
Organizations running Digital Knowledge KnowledgeDeliver, especially where the application is reachable from the internet and still runs with the machineKey values shipped in the vendor's web.config. Security teams responsible for .NET application security, IIS administrators, and incident responders tracking ASP.NET ViewState deserialization activity should prioritize assessment.
Technical summary
The KnowledgeDeliver application platform by Digital Knowledge shipped with hard-coded ASP.NET machineKey values in deployments prior to February 24, 2026. The machineKey element in web.config holds the validationKey used for ViewState message authentication codes (MAC) and the decryptionKey used for ViewState encryption; the same keys also protect other ASP.NET artifacts such as forms authentication tickets. On every postback, ASP.NET checks the MAC on the __VIEWSTATE field and, if it validates, deserializes the contents with ObjectStateFormatter. That check is the only thing standing between an HTTP client and the deserializer, so it is only as strong as the secrecy of the key. When every installation uses the same vendor-supplied values, the key is effectively public: an attacker can sign a ViewState payload containing an attacker-chosen object graph, the server accepts it as authentic, and deserialization runs the attacker's code as the IIS worker process. No credentials are needed, since ViewState is processed on any page the attacker can reach, and the application is commonly exposed to untrusted networks.
Defensive priority
critical
Recommended defensive actions
- Upgrade Digital Knowledge KnowledgeDeliver to the release of February 24, 2026 or later
- Generate new cryptographically random machineKey values (validationKey and decryptionKey) and deploy them in web.config on every node that serves the application, so that all nodes in a web farm share the new keys; after upgrading, verify that the vendor-shipped values are no longer present
- Review IIS and ASP.NET application logs for anomalous ViewState activity. Note that a payload signed with the known key validates cleanly, so "Viewstate verification failed" events (ASP.NET event code 4009) only capture probing with wrong keys; also look for POST requests with unusually large __VIEWSTATE bodies to pages that normally receive small postbacks, and for w3wp.exe spawning cmd.exe, powershell.exe or other unexpected child processes
- Implement network segmentation to restrict access to KnowledgeDeliver, and to its administrative interfaces in particular
- Do not treat enabling ViewState MAC validation or encryption as the fix: MAC validation is on by default and cannot be turned off in current ASP.NET versions, and both controls are computed with the same machineKey, so they offer no protection once the key is known. Unique, secret keys are the control
- Conduct forensic review of systems that ran affected versions prior to patching for signs of compromise, treating them as potentially compromised until cleared
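The following script is an added example, not code from Digital Knowledge, Mandiant or this page. It demonstrates the machineKey mechanics described in the technical summary and the key-replacement step above: it parses a web.config, flags a machineKey whose values match keys taken from a vendor package, warns on legacy MAC or cipher choices, and emits a replacement machineKey with fresh keys from the OS CSPRNG, sized as IIS Manager's "Generate Keys" produces them. The web.config and the "vendor" key values are constructed placeholders for this example; a real audit would take the known-bad values from the KnowledgeDeliver install media.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample in the shape this advisory describes: a machineKey shipped with
# static keys. These key values are placeholders made up for the example, not the
# vendor's real keys.
VENDOR_VALIDATION_KEY = "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
VENDOR_DECRYPTION_KEY = "0123456789ABCDEF0123456789ABCDEF"
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="{VENDOR_VALIDATION_KEY}"
                decryptionKey="{VENDOR_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Keys an auditor would extract from the vendor's install package (placeholders here).
KNOWN_VENDOR_KEYS = frozenset({VENDOR_VALIDATION_KEY, VENDOR_DECRYPTION_KEY})


def find_machine_key(xml_text):
    """Return the attribute dict of <system.web><machineKey>, or None when absent.
    Absent means ASP.NET falls back to AutoGenerate,IsolateApps (per-app runtime keys)."""
    root = ET.fromstring(xml_text)
    elem = root.find("./system.web/machineKey")
    return dict(elem.attrib) if elem is not None else None


def audit_machine_key(attrs, known_vendor_keys=frozenset()):
    """Return (severity, message) findings.
    critical: a key equals a vendor-shipped value (CWE-321), ViewState can be forged.
    info:     a static key that is not recognised; confirm it was generated for this site.
    warning:  a legacy MAC or cipher selection."""
    findings = []
    if attrs is None:
        return findings
    vendor = {k.upper() for k in known_vendor_keys}
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate,IsolateApps")
        if value.upper().startswith("AUTOGENERATE"):
            continue  # runtime-generated, nothing hard-coded
        if value.upper() in vendor:
            findings.append(("critical", f"{name} matches a vendor-shipped key: "
                             "anyone with the install media can sign ViewState"))
        else:
            findings.append(("info", f"{name} is static: confirm it was generated "
                             "for this deployment, not copied from a package"))
    validation = attrs.get("validation", "HMACSHA256").upper()
    if not validation.startswith("HMACSHA"):
        findings.append(("warning", f"validation={validation} is a legacy MAC; use HMACSHA256"))
    decryption = attrs.get("decryption", "Auto").upper()
    if decryption in ("DES", "3DES"):
        findings.append(("warning", f"decryption={decryption} is a legacy cipher; use AES"))
    return findings


def generate_machine_key():
    """Fresh keys from the OS CSPRNG: 64-byte validation key (128 hex chars) and
    32-byte AES decryption key (64 hex chars), the sizes IIS Manager generates."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def harden_web_config(xml_text):
    """Replace any existing machineKey with freshly generated, deployment-unique keys.
    Returns (new_xml, new_attrs); deploy the same new_attrs to every web-farm node."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    for old in system_web.findall("machineKey"):
        system_web.remove(old)
    new_attrs = generate_machine_key()
    ET.SubElement(system_web, "machineKey", new_attrs)
    return ET.tostring(root, encoding="unicode"), new_attrs


if __name__ == "__main__":
    for severity, message in audit_machine_key(find_machine_key(SAMPLE_WEB_CONFIG),
                                               KNOWN_VENDOR_KEYS):
        print(f"[{severity}] {message}")
    hardened_xml, _ = harden_web_config(SAMPLE_WEB_CONFIG)
    print(hardened_xml)
```

Run against the sample, the audit reports both keys as critical and the SHA1 MAC as a warning; after hardening, only the two informational "static key" findings remain, which is the expected state for a deliberately shared web-farm key. Keep the generated values out of source control and rotate them if a web.config is ever exposed.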
Evidence notes
The CVE description and Mandiant disclosure confirm hard-coded machineKey values in deployments prior to February 24, 2026. CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-502 (Deserialization of Untrusted Data) are identified as the underlying weaknesses. The CVSS vector confirms network accessibility with no privileges or user interaction required, high confidentiality and integrity impact, and no rated availability impact (A:N).
Official resources
Mandiant disclosed this vulnerability as MNDT-2026-0009. The vendor Digital Knowledge provides KnowledgeDeliver product information through their official channels.