{"vulnerability": "CVE-2026-5426", "sightings": [{"uuid": "30052e01-f494-4293-958e-ac9ad3722594", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjmymffdvg2t", "content": "", "creation_timestamp": "2026-04-16T18:04:10.027758Z"}, {"uuid": "e5637507-72e7-47af-a93c-3ecbae40d9f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-5426", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116417104416675988", "content": "", "creation_timestamp": "2026-04-17T00:00:41.190629Z"}, {"uuid": "450096da-30e3-4df7-ba4c-e336423215a5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-5426", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mjnmlvw67525", "content": "", "creation_timestamp": "2026-04-17T00:00:42.440333Z"}, {"uuid": "fc99a307-37b0-4f20-b01e-c0011341ba07", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/boredchilada.bsky.social/post/3mmoijxbker2n", "content": "@mandiant.com\nActive exploitation of CVE-2026-5426 in KnowledgeDeliver LMS deploys BLUEBEAM web shells &amp; Cobalt Strike.\n-\nIOCs: CVE-2026-5426, 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2\n-\n#CVE20265426 #Malware #ThreatIntel", "creation_timestamp": "2026-05-25T12:36:16.296851Z"}, {"uuid": "a6e44065-350b-4342-bfda-925d3257a475", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "published-proof-of-concept", "source": "Telegram/veDSMFN7ecyhltWdKUwpcYAyE-ogEw-qfchv6YBZH7Zn1oc", "content": "", "creation_timestamp": "2026-04-18T05:18:34.000000Z"}, {"uuid": "3c9e3be4-7669-4e4a-adb1-5eebce0fddd6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://swecyb.com/ap/users/116080658609901341/statuses/116633539838473469", "content": "(google.com) Exploitation of KnowledgeDeliver via ASP.NET ViewState Deserialization Vulnerability Leading to RCE\nCritical zero-day RCE vulnerability (CVE-2026-5426) in KnowledgeDeliver LMS exploited via ASP.NET ViewState deserialization using hardcoded machine keys. Threat actors deployed BLUEBEAM web shell and Cobalt Strike BEACON post-exploitation.\nIn brief - Mandiant uncovered a zero-day RCE flaw in Japan\u2019s KnowledgeDeliver LMS, exploited via identical hardcoded ASP.NET machine keys. Attackers used ViewState deserialization to deploy in-memory web shells and Cobalt Strike, emphasizing risks of shared cryptographic secrets.\nTechnically - CVE-2026-5426 enables unauthenticated RCE via malicious ViewState payloads due to identical `machineKey` values in `web.config`. Post-exploitation involved BLUEBEAM (in-memory IIS web shell), `icacls` privilege escalation, JavaScript file tampering, and Cobalt Strike BEACON. Detection: monitor Event ID 1316 (ViewState failures), suspicious `w3wp.exe` child processes, and anomalous User-Agents. Remediation: rotate machine keys to unique, strong values and restrict LMS access.\nSource: https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/\n#Cybersecurity #ThreatIntel", "creation_timestamp": "2026-05-25T07:37:14.765437Z"}, {"uuid": "90b25872-a1b2-4e43-a791-025ebcfae9d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/deafnews-auto.bsky.social/post/3mmqdhd34xa2q", "content": "CVE-2026-5426: KnowledgeDeliver LMS Targeted by Zero-Day ViewState Exploit", "creation_timestamp": "2026-05-26T06:10:38.589582Z"}, {"uuid": "6344a9c8-2efa-439d-8f37-657492850374", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html", "content": "A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon.\n\nThe vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, leading to", "creation_timestamp": "2026-05-26T03:19:38.000000Z"}, {"uuid": "2c0784ab-6050-4ed6-9e94-c1a21703c811", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/calimegai.bsky.social/post/3mmqgeka5yc2c", "content": "Une faille critique (CVE-2026-5426) dans #KnowledgeDeliver LMS, tr\u00e8s utilis\u00e9 au Japon, a permis l\u2019exploitation zero-day pour d\u00e9ployer Godzilla web shell et Cobalt Strike Beacon. Patch disponible \u26a0\ufe0f #CyberSecurity #Automatisation ", "creation_timestamp": "2026-05-26T07:02:46.855217Z"}, {"uuid": "681dc69e-a3cb-4cb4-b675-8e859246dbd1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-5426", "type": "seen", "source": "https://bsky.app/profile/oxfemale.bsky.social/post/3mmqhg7p55c2z", "content": "Original: This article is an independent of \u201cExploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability\u201d by Takahiro Sugiyama, Peter Revelant, and Mathew Potaczek, published on the Google Cloud T\nhttps://core-jmp.org/2026/05/knowledgedeliver-viewstate-deserialization-cve-2026-5426/", "creation_timestamp": "2026-05-26T07:21:36.556408Z"}, {"uuid": "eb709cf7-7ad7-44ca-a015-b7852182fa71", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/bitnewsbot.bsky.social/post/3mmqnbdggm72p", "content": "A critical vulnerability (CVE-2026-5426) in the Japanese LMS Digital Knowledge KnowledgeDeliver allowed unauthenticated remote code execution. Attackers exploited this flaw [\u2026]", "creation_timestamp": "2026-05-26T09:06:15.188461Z"}, {"uuid": "6112ceae-6368-4b70-915a-a547c6b5b78f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mmryjq4to32s", "content": "Mandiant says attackers used CVE-2026-5426 in KnowledgeDeliver LMS as a zero-day to deploy Godzilla web shells, abuse reused ASP.NET machine keys, and trigger Cobalt Strike via ViewState deserialization. #KnowledgeDeliver #Mandiant #CobaltStrike", "creation_timestamp": "2026-05-26T22:00:27.686846Z"}, {"uuid": "23bb807c-e919-4f40-892a-f387aa28f671", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-5426", "type": "seen", "source": "https://bsky.app/profile/cyberveille-ch.bsky.social/post/3mmqwyadgzi2x", "content": "\ud83d\udce2 Exploitation zero-day de KnowledgeDeliver via d\u00e9s\u00e9rialisation ViewState ASP.NET (CVE-2026-5426)\n\ud83d\udcdd ## \ud83d\udd0d Contexte\n\nFin 2025, Mandia\u2026\nhttps://cyberveille.ch/posts/2026-05-26-exploitation-zero-day-de-knowledgedeliver-via-deserialisation-viewstate-asp-net-cve-2026-5426/ #ASP_NET_MachineKey #Cyberveille", "creation_timestamp": "2026-05-26T12:00:06.872142Z"}, {"uuid": "984d753b-ca50-49d8-9970-05f1ed864bd1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "Telegram/rDPiK1vGJg8wRnXGbqSk3bi_Vn49HLdYqID-Bg62JfX7ng", "content": "", "creation_timestamp": "2026-05-26T06:36:04.000000Z"}, {"uuid": "4814c8d5-368c-4c80-af11-1b4b018c27c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/newstecnicas.com/post/3mmreekkxak2q", "content": "\ud83d\udea8 #Alerta de #Ciberseguridad: Explotaci\u00f3n Zero-Day CVE-2026-5426 en #LMS \" #KnowledgeDeliver\" www.newstecnicas.com/2026/05/aler...", "creation_timestamp": "2026-05-26T15:59:49.484719Z"}, {"uuid": "9c618aef-7edd-425b-bbf8-c6c5e05d1e18", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://t.me/true_secator/8244", "content": "\u041f\u043e\u0434\u0432\u0435\u0434 Google, Mandiant \u0441\u043e\u043e\u0431\u0449\u0430\u0435\u0442 \u043e 0-day \u0432 KnowledgeDeliver, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043b\u0430\u0441\u044c \u0434\u043b\u044f \u0440\u0430\u0437\u0432\u0435\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u044f \u0432\u0435\u0431-\u043e\u0431\u043e\u043b\u043e\u0447\u0435\u043a \u0438 \u0431\u044d\u043a\u0434\u043e\u0440\u043e\u0432.\n\n\u0421\u0438\u0441\u0442\u0435\u043c\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043e\u0431\u0443\u0447\u0435\u043d\u0438\u0435\u043c (LMS) KnowledgeDeliver, \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0430\u043d\u043d\u0430\u044f Digital Knowledge, \u0448\u0438\u0440\u043e\u043a\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0434\u043b\u044f \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u0438 \u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0433\u043e \u043e\u0431\u0443\u0447\u0435\u043d\u0438\u044f, \u0433\u043b\u0430\u0432\u043d\u044b\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c \u0432 \u042f\u043f\u043e\u043d\u0438\u0438.\n\n0-day, \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0435\u043c\u0430\u044f \u043a\u0430\u043a CVE-2026-5426 (CVSS 7,5), \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043e\u0432\u0430\u043b\u0430 \u0432 \u0432\u0438\u0434\u0443 \u0442\u043e\u0433\u043e, \u0447\u0442\u043e \u0432 \u0440\u0430\u0437\u0432\u0435\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u044f\u0445 Digital Knowledge \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043b\u0441\u044f \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0444\u0430\u0439\u043b web.config, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0438\u0439 \u0436\u0435\u0441\u0442\u043a\u043e \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f machineKey, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442\u0441\u044f \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u043e\u0439 ASP.NET \u0434\u043b\u044f \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0438 \u043f\u043e\u0434\u043f\u0438\u0441\u0438 \u0434\u0430\u043d\u043d\u044b\u0445.\n\n\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u0436\u0435\u0441\u0442\u043a\u043e \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0439 \u0432 \u043d\u0435\u0437\u0430\u0432\u0438\u0441\u0438\u043c\u044b\u0445 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430\u0445 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u043b\u043e \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c, \u0437\u043d\u0430\u044e\u0449\u0438\u043c \u043a\u043b\u044e\u0447\u0438, \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0434\u0440\u0443\u0433\u0438\u0435 \u0440\u0430\u0437\u0432\u0435\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u044f, \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u043e\u0432\u0430\u0432 \u0430\u0442\u0430\u043a\u0438 \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 ViewState.\n\nAPP.NET ViewState \u0441\u043e\u0445\u0440\u0430\u043d\u044f\u0435\u0442 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u043c\u0435\u0436\u0434\u0443 \u043e\u0431\u0440\u0430\u0442\u043d\u044b\u043c\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430\u043c\u0438. \u041a\u043e\u0433\u0434\u0430 \u0438\u0437\u0432\u0435\u0441\u0442\u0435\u043d machineKey, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u0443\u044e \u043f\u043e\u043b\u0435\u0437\u043d\u0443\u044e \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0443 \u0434\u043b\u044f ViewState. \u041e\u0442\u043f\u0440\u0430\u0432\u0438\u0432 \u044d\u0442\u0443 \u043f\u043e\u043b\u0435\u0437\u043d\u0443\u044e \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0443 \u0432 HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u0435, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u0437\u0430\u0441\u0442\u0430\u0432\u0438\u0442\u044c \u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u0442\u044c \u0435\u0451.\n\n\u0414\u0430\u043d\u043d\u044b\u0439 \u0442\u0438\u043f \u0430\u0442\u0430\u043a\u0438 \u043d\u0435 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u043d\u043e\u0432\u0438\u043d\u043a\u043e\u0439 \u0438 \u0440\u0430\u043d\u0435\u0435 \u043d\u0430\u0431\u043b\u044e\u0434\u0430\u043b\u0441\u044f \u0432 \u0445\u043e\u0434\u0435 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u044d\u043a\u0437\u0435\u043c\u043f\u043b\u044f\u0440\u043e\u0432 Sitecore\u00a0\u0438 \u0440\u0430\u0437\u0432\u0435\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u0439 CentreStack, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0432\u00a0\u0430\u0442\u0430\u043a\u0430\u0445\u00a0\u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u0430 \u043f\u043e\u0441\u0442\u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 Godzilla.\n\n\u041f\u043e \u0434\u0430\u043d\u043d\u044b\u043c Mandiant, \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u043d\u0443\u043b\u044f \u0432 KnowledgeDeliver \u0442\u0430\u043a\u0436\u0435 \u043f\u0440\u0438\u0432\u0435\u043b\u0430 \u043a \u0440\u0430\u0437\u0432\u0435\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u044e \u0432\u0435\u0431-\u043e\u0431\u043e\u043b\u043e\u0447\u0435\u043a Godzilla (\u0442\u0430\u043a\u0436\u0435 \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u044b\u0445 \u043a\u0430\u043a Bluebeam).\n\n\u0420\u0430\u0437\u0432\u0435\u0440\u0442\u044b\u0432\u0430\u0435\u043c\u043e\u0435 \u0432 \u043e\u043f\u0435\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0439 \u043f\u0430\u043c\u044f\u0442\u0438, \u044d\u0442\u043e \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0435 \u041f\u041e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u0438 \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0435 \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u043d\u0430 \u0437\u0430\u0440\u0430\u0436\u0435\u043d\u043d\u044b\u0445 \u043c\u0430\u0448\u0438\u043d\u0430\u0445.\n\n\u0417\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043b\u0438 Godzilla \u0434\u043b\u044f \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u043f\u0440\u0430\u0432 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0434\u043b\u044f \u043c\u043e\u0434\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0444\u0430\u0439\u043b\u0430 JavaScript \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0441 \u0446\u0435\u043b\u044c\u044e \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0430 \u0438 \u043e\u0442\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u044f \u043b\u043e\u0436\u043d\u043e\u0433\u043e \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0435\u043d\u0438\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u043f\u0440\u0435\u0434\u043b\u0430\u0433\u0430\u044e\u0449\u0435\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u043e\u0434\u0434\u0435\u043b\u044c\u043d\u044b\u0439 \u043f\u043b\u0430\u0433\u0438\u043d.\n\n\u0412 \u043a\u043e\u043d\u0435\u0447\u043d\u043e\u043c \u0438\u0442\u043e\u0433\u0435 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0431\u044b\u043b\u0438 \u0437\u0430\u0440\u0430\u0436\u0435\u043d\u044b \u0431\u044d\u043a\u0434\u043e\u0440\u043e\u043c Cobalt Strike. \u041f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u043f\u043e\u043b\u0435\u0437\u043d\u0430\u044f \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0430 \u0431\u044b\u043b\u0430 \u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0430 \u043a\u043b\u044e\u0447\u043e\u043c, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0438\u043c \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0438-\u0436\u0435\u0440\u0442\u0432\u044b, \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u044f Mandiant \u0441\u0447\u0438\u0442\u0430\u0435\u0442, \u0447\u0442\u043e \u0431\u044d\u043a\u0434\u043e\u0440 \u0431\u044b\u043b \u043f\u043e\u0434\u0433\u043e\u0442\u043e\u0432\u043b\u0435\u043d \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0434\u043b\u044f \u044d\u0442\u043e\u0439 \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0438.\n\n\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u0438\u043b\u0438 IOCs, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u044b\u0435 \u0441 \u0430\u0442\u0430\u043a\u043e\u0439, \u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442 \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0442\u044c \u0441\u0440\u0435\u0434\u044b \u043d\u0430 \u043f\u0440\u0435\u0434\u043c\u0435\u0442 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439. \u041e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u044f\u043c \u0442\u0430\u043a\u0436\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043c\u0435\u043d\u044f\u0442\u044c \u043a\u043b\u044e\u0447\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0441\u0432\u043e\u0438\u043c \u044d\u043a\u0437\u0435\u043c\u043f\u043b\u044f\u0440\u0430\u043c \u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0438\u0432\u0430\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a LMS.\n\n\u0412\u0441\u0435 \u0440\u0430\u0437\u0432\u0435\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u044f KnowledgeDeliver, \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u0435\u043d\u043d\u044b\u0435 \u0434\u043e 24 \u0444\u0435\u0432\u0440\u0430\u043b\u044f 2026 \u0433\u043e\u0434\u0430, \u043f\u043e\u0434\u0432\u0435\u0440\u0436\u0435\u043d\u044b 0-day \u0438 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u044b \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c\u0438.", "creation_timestamp": "2026-05-26T14:50:06.000000Z"}, {"uuid": "9f3a1b37-89ac-410f-9daf-14a0df049473", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://poliverso.org/objects/0477a01e-486a-16a3-a903-786386626250", "content": "CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON\n@informaticaMandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni.RE: insicurezzadigitale.com/?p=977\u2026", "creation_timestamp": "2026-05-27T07:56:52.045931Z"}, {"uuid": "de1c8b31-7a9b-414e-a2a1-c47de03eaf5f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/cybersecurity.poliverso.org.ap.brid.gy/post/3mmszuhdmsjq2", "content": "# **CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON**\n\n\n@informatica\nMandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise [\u2026]", "creation_timestamp": "2026-05-27T07:57:03.424559Z"}, {"uuid": "021f9c9b-f2db-44bb-ba8e-1d26ee24f63a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/Mozilla.activitypub.awakari.com.ap.brid.gy/post/3mmu7muiluxh2", "content": "\ud83d\udea9 Critical KnowledgeDeliver RCE (CVE-2026-5426) abused via shared ASP.NET machine keys to deliver web shells and Cobalt Strike KnowledgeDeliver exploit (CVE-2026-5426) enables RCE via ViewState ...\n\n#TIGR #malware #vulnerability\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-27T19:12:55.396158Z"}, {"uuid": "46c0336c-5678-4faf-9289-c3a763c2be79", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://bsky.app/profile/nuke86.rfeed.it/post/3mmtcnajjkr24", "content": "CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON\nil blog: insicurezzadigitale.com/cve-2026-542...\n\n#cybersecurity #apt #backdoor #cobaltstrike #infosec #malware #zeroday", "creation_timestamp": "2026-05-27T10:34:06.319794Z"}, {"uuid": "3ad6099f-d869-4bf8-9808-b447a1a3bf8f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-5426", "type": "exploited", "source": "https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability", "content": "", "creation_timestamp": "2026-05-25T07:00:00.000000Z"}, {"uuid": "db019d5e-8690-488f-8ba6-7e714586adf6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5426", "type": "seen", "source": "https://t.me/thehackernews/9078", "content": "\ud83d\udea8 One shared key. Every deployment at risk.\n\nAttackers exploited CVE-2026-5426 in the KnowledgeDeliver LMS to gain unauthenticated RCE through hard-coded ASP-NET machineKeys, deploy the Godzilla (BLUEBEAM) web shell, and deliver Cobalt Strike Beacon on vulnerable internet-facing systems.\n\nRead \ud83e\udc12 https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html", "creation_timestamp": "2026-05-26T05:31:04.000000Z"}]}