Attackers actively exploit a ViewState zero-day in an e-learning platform used in Japan, according to threat responders
On 24 May 2026, threat researchers uncovered a critical flaw in a widely used learning management system that let attackers run code on exposed servers without logging in.
The issue involved a ViewState deserialization weakness in KnowledgeDeliver, an e-learning platform used in Japan, and had already been observed in active exploitation.
The weakness mattered because it did not stop at the server boundary. Once attackers gained control of the application server, they could modify the learning platform itself and potentially target anyone who later visited the site. That meant a single compromised instance could become a delivery point for malicious code, expanding the impact well beyond the original intrusion.
Security teams responding to the problem were told to treat the flaw as urgent, especially if the platform was exposed to the public internet. Typical containment steps included:
- restricting access
- checking for injected or altered web content
- looking for signs that the application had been tampered with outside normal change control
- rotating machine keys to reduce the risk that attackers could reuse forged or stolen material tied to the application
Mandiant researchers said they had uncovered the flaw while responding to a security incident involving a compromised web server. A spokesperson said the team had identified “a critical vulnerability” that allowed unauthenticated remote code execution. This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability, initially exploited as a zero-day, is now tracked as CVE-2026-5426.
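Because the root cause is one machine-key pair reused across deployments, an operator can audit collected configuration files for that pattern. The following is an added example, not code from Mandiant or the vendor: it assumes the keys are set in a standard ASP.NET `<machineKey>` element in `web.config` (the article does not say where KnowledgeDeliver stores them), and the paths and key values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config contents; paths and key values are made up.
SAMPLE_CONFIGS = {
    "customer-a/web.config": '<configuration><system.web><machineKey '
        'validationKey="A1B2C3D4E5F60718" decryptionKey="0011223344556677" '
        'validation="HMACSHA256" decryption="AES"/></system.web></configuration>',
    "customer-b/web.config": '<configuration '
        'xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">'
        '<system.web><machineKey validationKey="a1b2c3d4e5f60718" '
        'decryptionKey="0011223344556677"/></system.web></configuration>',
    "customer-c/web.config": '<configuration><system.web><machineKey '
        'validationKey="AutoGenerate,IsolateApps" '
        'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>',
    "customer-d/web.config": '<configuration><system.web><machineKey '
        'validationKey="FFEEDDCCBBAA9988" decryptionKey="8899AABBCCDDEEFF"/>'
        '</system.web></configuration>',
}

def static_key_fingerprint(config_xml):
    """Fingerprint a hard-coded machineKey pair; None if absent or auto-generated."""
    for node in ET.fromstring(config_xml).iter():
        if node.tag.rsplit("}", 1)[-1] != "machineKey":  # ignore any XML namespace
            continue
        vkey = node.get("validationKey", "AutoGenerate").strip().upper()
        dkey = node.get("decryptionKey", "AutoGenerate").strip().upper()
        if vkey.startswith("AUTOGENERATE") and dkey.startswith("AUTOGENERATE"):
            return None
        # Hash the pair so audit reports never contain the key material itself.
        return hashlib.sha256(f"{vkey}|{dkey}".encode()).hexdigest()[:16]
    return None

def audit_machine_keys(configs):
    """Return (static, shared): files with hard-coded keys, and groups reusing one pair."""
    groups = defaultdict(list)
    for path, xml_text in configs.items():
        fp = static_key_fingerprint(xml_text)
        if fp is not None:
            groups[fp].append(path)
    static = sorted(p for paths in groups.values() for p in paths)
    shared = {fp: sorted(paths) for fp, paths in groups.items() if len(paths) > 1}
    return static, shared

if __name__ == "__main__":
    static, shared = audit_machine_keys(SAMPLE_CONFIGS)
    print("hard-coded machineKey:", static)
    for fp, paths in shared.items():
        print(f"shared key pair {fp}: {paths}")
```

Any file in the `shared` groups carries a key pair that also exists elsewhere, so rotating it on one host alone does not retire the exposed material.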


