A zero-day vulnerability in KnowledgeDeliver, a learning management system (LMS) developed by Digital Knowledge and widely deployed across Japanese organizations, has been exploited in the wild to deploy web shells and achieve remote code execution. The root cause was a hardcoded machineKey value embedded in the application's configuration file — a classic insecure-by-default condition that enables ViewState deserialization attacks on ASP.NET applications.
SecurityWeek reported the exploitation details after researchers examined attack artifacts tied to KnowledgeDeliver deployments.
Technical Root Cause: Hardcoded machineKey
In ASP.NET web applications, the machineKey is used to cryptographically sign and encrypt ViewState data — the hidden form field that preserves page state between requests. When a machineKey value is hardcoded in the application's web.config (rather than being system-generated and unique per installation), an attacker who obtains or guesses the key can forge a valid cryptographic signature on a malicious serialized payload.
The attack flow for this class of vulnerability:
- Attacker discovers or extracts the hardcoded machineKey — through source code exposure, configuration leaks, or prior reconnaissance
- Crafts a malicious .NET serialization payload using tools like ysoserial.net, targeting known .NET deserialization gadget chains
- Signs the payload with the known machineKey to produce a ViewState value that passes ASP.NET signature verification
- Submits the crafted ViewState in a POST request to the application
- ASP.NET deserializes the payload, executing arbitrary .NET code on the server
This technique bypasses application-level input validation entirely because the payload arrives as what appears to be legitimately signed server state.
Observed Post-Exploitation Activity
Following successful exploitation of the deserialization flaw, attackers were observed deploying web shells to the compromised KnowledgeDeliver servers. Web shells provide persistent, browser-accessible backdoor access to the underlying server filesystem and command execution capability, enabling:
- Remote command execution
- File upload and download
- Lateral movement within the network
- Credential harvesting from the LMS database
- Staging of additional payloads
The combination of a deserialization-enabled initial foothold with web shell persistence is a well-documented pattern in attacks attributed to APT groups, particularly those with links to Chinese state-sponsored operations — though no definitive attribution for these KnowledgeDeliver attacks has been publicly confirmed.
Scope and Impact
KnowledgeDeliver has significant deployment across Japanese educational institutions, government-affiliated training programs, and corporate learning environments. The platform typically stores employee or student personally identifiable information, credentials, and course completion records, making it an attractive target for actors seeking persistent access within Japanese organizations.
Digital Knowledge has issued a patch for the vulnerability. Organizations running KnowledgeDeliver should apply the update immediately and conduct a post-exploitation review of potentially affected servers.
Detection and Response Guidance
For organizations running KnowledgeDeliver or any ASP.NET application with a shared or hardcoded machineKey, immediate actions include:
- Audit web.config files across all ASP.NET applications for hardcoded or shared machineKey values
- Search web-accessible directories for recently created .aspx, .ashx, or .asmx files that were not deployed as part of the application
- Review IIS logs for unusual POST requests to unexpected endpoints, particularly those with large ViewState values
- Rotate machineKey values across all affected applications and regenerate unique keys per installation
- Monitor outbound connections from the web server host for unexpected callback destinations
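The three checks above (the machineKey audit from the root-cause section, the search for undeployed script files, and the IIS log review) as an added example. This is illustrative code written for this article, not tooling from SecurityWeek, Digital Knowledge or KnowledgeDeliver; the web.config snippets, the deployment manifest and the IIS log lines are all constructed, and the 16 KiB request-size threshold is an assumed starting point rather than a documented indicator.

```python
"""Defensive checks for the ASP.NET hardcoded-machineKey pattern (added example, constructed data)."""
import xml.etree.ElementTree as ET

# Constructed sample: the weak pattern, explicit keys baked into web.config.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: the corrected form, letting ASP.NET generate keys unique to each application.
FIXED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for one web.config; an empty list means no hardcoded key was found.

    ASP.NET treats a missing attribute as AutoGenerate, so only explicit literal values are flagged.
    """
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(f"{attr} is hardcoded ({len(value)} chars)")
    return findings


SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Constructed sample: files the deployment package is known to contain, and what is now on disk.
DEPLOYED_MANIFEST = {"/Login.aspx", "/Default.aspx", "/Services/Course.asmx"}
ON_DISK = ["/Login.aspx", "/Default.aspx", "/Services/Course.asmx",
           "/Uploads/tmp_9f2.aspx", "/Uploads/logo.png"]


def find_unexpected_scripts(present: list[str], manifest: set[str]) -> list[str]:
    """Return server-side script files present on disk but absent from the deployment manifest."""
    return sorted(p for p in present
                  if p.lower().endswith(SCRIPT_EXTENSIONS) and p not in manifest)


# Constructed sample of IIS W3C log lines. cs-bytes is an optional field that must be
# enabled in IIS logging; without it the request size is not available for this check.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2024-01-15 09:12:01 10.0.0.5 GET /Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 612
2024-01-15 09:12:09 10.0.0.5 POST /Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302 2310
2024-01-15 09:13:44 10.0.0.5 POST /Default.aspx - 443 - 198.51.100.23 python-requests/2.31 500 48772
2024-01-15 09:14:02 10.0.0.5 GET /Uploads/tmp_9f2.aspx - 443 - 198.51.100.23 python-requests/2.31 200 340
"""


def large_posts(log_text: str, min_bytes: int = 16384) -> list[dict]:
    """Return POST entries whose request size (cs-bytes) reaches min_bytes.

    The '#Fields:' header is parsed so the column order of the log does not matter.
    """
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") != "POST":
            continue
        size = int(row.get("cs-bytes", "0"))
        if size >= min_bytes:
            hits.append({"time": f"{row['date']} {row['time']}", "client": row["c-ip"],
                         "uri": row["cs-uri-stem"], "status": row["sc-status"], "bytes": size})
    return hits


if __name__ == "__main__":
    print("weak config:", audit_machine_key(WEAK_WEB_CONFIG))
    print("fixed config:", audit_machine_key(FIXED_WEB_CONFIG))
    print("undeployed scripts:", find_unexpected_scripts(ON_DISK, DEPLOYED_MANIFEST))
    for hit in large_posts(SAMPLE_IIS_LOG):
        print("large POST:", hit)
```

Two caveats when running this against real servers: a web farm legitimately shares one explicit machineKey across nodes, so a finding from `audit_machine_key` means "review whether this key is unique to this deployment and has been rotated", not automatically "compromised"; and ViewState size varies a lot between pages, so tune `min_bytes` against a baseline of normal traffic before treating a hit as suspicious. A failed deserialization often shows up as a 500 response to the oversized POST, as in the constructed log line.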
Source: SecurityWeek