Mandiant: KnowledgeDeliver LMS exploited via ViewState deserialization for unauthenticated remote code execution
Per Mandiant's May 25 write-up on Google Cloud's threat-intelligence blog, responders investigating a late-2025 incident found a compromised web server running KnowledgeDeliver, a learning management system from Digital .
At a glance
- A critical unauthenticated RCE in KnowledgeDeliver stems from identical pre-shared ASP.NET machine keys reused across customer deployments, per Mandiant
- An unknown threat actor injected malicious code into the compromised LMS to infect visiting users
VERDICT — CONFIRMED
Per Mandiant's May 25 write-up on Google Cloud's threat-intelligence blog, responders investigating a late-2025 incident found a compromised web server running KnowledgeDeliver, a learning management system from Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability allowing unauthenticated remote code execution, stemming from identical pre-shared ASP.NET machine keys reused across multiple customer deployments — enabling ViewState deserialization attacks. An unknown threat actor used the access to inject malicious code into the LMS platform with the goal of infecting site visitors.
Key facts on file
- A critical unauthenticated RCE in KnowledgeDeliver stems from identical pre-shared ASP.NET machine keys reused across customer deployments, per Mandiant
- An unknown threat actor injected malicious code into the compromised LMS to infect visiting users
