Description
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
Published: 2026-04-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Assess Impact
AI Analysis

Impact

The vulnerability originates from a static ASP.NET/IIS machineKey value used in Digital Knowledge KnowledgeDeliver installations before February 24 2026. Because the key is hard‑coded, attackers can forge signed ViewState payloads that bypass the framework’s validation, allowing the injection of malicious objects that are deserialized by the application. This flaw permits remote code execution on the server, making the affected environments highly vulnerable. It falls under CWE‑321 and CWE‑502.

Affected Systems

Digital Knowledge KnowledgeDeliver deployments prior to February 24 2026 are impacted. All versions of the product that rely on the hard‑coded machineKey configuration before this date are vulnerable. The flaw is tied to the web stack that includes IIS running ASP.NET, where the machineKey supplies both validation and decryption for ViewState data.

Risk and Exploitability

The flaw offers a straightforward remote exploitation path: an attacker can craft malicious ViewState and send it to any endpoint that accepts ViewState without authentication, bypassing integrity checks and triggering arbitrary code execution. No official patch or workaround is listed, the EPSS score is < 1%, and the vulnerability is not in CISA KEV. The CVSS score of 7.5 indicates high severity, and combined with the low exploitation barrier the risk remains high even though exploit activity has not been tracked publicly.

Generated by OpenCVE AI on April 18, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a version released after February 24 2026 that configures a unique machineKey.
  • Generate a unique machineKey per deployment and set it in the web.config file to replace the hard‑coded value.
  • Disable or restrict ViewState usage, enforce strict serialization checks, and monitor for anomalous ViewState traffic.
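As an added example (not from the page, OpenCVE, or the vendor) of the second action above: a script that emits a fresh, per-deployment machineKey element for web.config and audits a set of web.config files for a key value reused across installs, which is the hard-coded pattern behind CWE-321. The sample configs and the STATIC_KEY placeholder are constructed; the key sizes follow the ASP.NET 4.5+ recommendation for HMACSHA256 validation and AES decryption.

```python
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Key sizes in bytes: 64 for HMACSHA256 validation and 32 for AES-256 decryption
# (ASP.NET 4.5+ recommendations); both are written to web.config as upper-case hex.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32

def generate_machine_key() -> str:
    """Build a <machineKey> element with fresh random keys for ONE deployment."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(VALIDATION_KEY_BYTES).upper()}" '
        f'decryptionKey="{secrets.token_hex(DECRYPTION_KEY_BYTES).upper()}" '
        'validation="HMACSHA256" decryption="AES" />'
    )

def read_machine_key(web_config_xml: str) -> dict:
    """Return the machineKey attributes from a web.config string ({} if absent)."""
    node = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else {}

def find_shared_keys(configs: dict) -> dict:
    """Map each explicit key value used by more than one deployment to the
    deployments using it. configs = {deployment_name: web.config text}.
    AutoGenerate keys are skipped; a value shared across installs is hard-coded."""
    users = defaultdict(set)
    for name, xml_text in configs.items():
        mk = read_machine_key(xml_text)
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                users[value.upper()].add(name)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}

# Constructed sample: two installs shipping the same placeholder key, one unique.
STATIC_KEY = "AB" * 64  # placeholder standing in for a vendor-shipped static key
def _cfg(vkey, dkey):
    return (f'<configuration><system.web><machineKey validationKey="{vkey}" '
            f'decryptionKey="{dkey}" validation="HMACSHA256" decryption="AES" />'
            '</system.web></configuration>')
SAMPLE_CONFIGS = {
    "site-a": _cfg(STATIC_KEY, "CD" * 32),
    "site-b": _cfg(STATIC_KEY, "CD" * 32),
    "site-c": _cfg(secrets.token_hex(64).upper(), secrets.token_hex(32).upper()),
}

if __name__ == "__main__":
    for key, sites in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"key {key[:8]}... is shared by {sites}; replace with:", generate_machine_key())
```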



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 03:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 19:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Digital Knowledge
                                      Digital Knowledge knowledgedeliver
Vendors & Products   (none)           Digital Knowledge
                                      Digital Knowledge knowledgedeliver

Thu, 16 Apr 2026 16:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
Title         (none)           KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value
Weaknesses    (none)           CWE-321
                               CWE-502
References    (none)           (none)

MITRE

Status: PUBLISHED

Assigner: Mandiant

Published:

Updated: 2026-04-18T02:31:32.234Z

Reserved: 2026-04-02T14:20:13.588Z

Link: CVE-2026-5426

Vulnrichment

Updated: 2026-04-18T02:31:27.581Z

NVD

Status : Awaiting Analysis

Published: 2026-04-16T16:16:17.693

Modified: 2026-04-18T04:16:25.243

Link: CVE-2026-5426

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses