<div class="block-paragraph_advanced"><p>Written by: Takahiro Sugiyama, Peter Revelant, Mathew Potaczek</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span></h3> <p><span style="vertical-align: baseline;">In late 2025, Mandiant responded to a security incident involving a compromised web server running </span><a href="https://www.digital-knowledge.co.jp/product/kd/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">KnowledgeDeliver</span></a><span style="vertical-align: baseline;">. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant </span><a href="https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">identified a critical vulnerability</span></a><span style="vertical-align: baseline;"> that allowed unauthenticated Remote Code Execution (RCE). An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site.</span></p> <p><span style="vertical-align: baseline;">This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability was initially exploited as a zero-day, now tracked as </span><a href="https://www.cve.org/CVERecord?id=CVE-2026-5426" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2026-5426</span></a><span style="vertical-align: baseline;">.</span></p> <h3><span style="vertical-align: baseline;">The Vulnerability</span></h3> <p><span style="vertical-align: baseline;">KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized </span><code style="vertical-align: baseline;">web.config</code><span style="vertical-align:

Read Full Article at Mandiant Blog →