Platform
aspnet
Component
aspnet
Fixed version
20260224
CVE-2026-5426 describes a critical Remote Code Execution (RCE) vulnerability affecting deployments of Digital Knowledge KnowledgeDeliver using ASP.NET/IIS. The vulnerability stems from a hard-coded machineKey value, which allows attackers to bypass ViewState validation mechanisms. This enables malicious ViewState deserialization attacks, potentially leading to complete system compromise. Affected versions are those prior to February 24, 2026, and a fix is available in version 20260224.
The impact of CVE-2026-5426 is severe. An attacker exploiting this vulnerability can achieve remote code execution on the target server. This means they can execute arbitrary code with the privileges of the ASP.NET application pool identity, potentially gaining full control over the system. The hard-coded machineKey directly facilitates ViewState manipulation, a common attack vector for bypassing security controls. Successful exploitation could lead to data breaches, system takeover, and further lateral movement within the network. This vulnerability is particularly concerning because it bypasses a core security mechanism designed to protect against tampering.
CVE-2026-5426 was publicly disclosed on April 16, 2026. While no public proof-of-concept (PoC) code is currently available, the vulnerability's nature and the ease of ViewState manipulation suggest a high likelihood of exploitation. The hard-coded machineKey significantly lowers the barrier to entry for attackers. Its inclusion in the KEV catalog is pending, but the severity warrants close monitoring. Active campaigns targeting this vulnerability are currently unconfirmed but are a significant concern.
Organizations using Digital Knowledge KnowledgeDeliver deployments with ASP.NET/IIS are at risk, particularly those using older versions prior to 20260224. Shared hosting environments where multiple applications share the same server and configuration are especially vulnerable, as a compromise of one application could potentially expose the machineKey to other applications.
• windows / aspnet:
Get-Process | Where-Object {$_.ProcessName -like '*w3wp*'} | Select-Object -ExpandProperty Id
• windows / aspnet:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ASP.NET\4.0\Config' -Name machineKey
• generic web: Use curl or wget to check for exposed ASP.NET pages and analyze response headers for ViewState information. Look for unusual or unexpected ViewState values.
• generic web: Review IIS logs for unusual patterns related to ViewState deserialization attempts.
disclosure
Exploit status
EPSS
0.07% (20th percentile)
The primary mitigation for CVE-2026-5426 is to upgrade to version 20260224 or later of Digital Knowledge KnowledgeDeliver. If an immediate upgrade is not feasible, consider implementing temporary workarounds. While a direct workaround for the hard-coded machineKey is not possible, ensure that ViewState encryption is enabled and properly configured. Review and strengthen application input validation to minimize the impact of potential ViewState manipulation. Monitor ASP.NET logs for suspicious activity related to ViewState deserialization. After upgrading, confirm the fix by attempting a ViewState manipulation attack and verifying that it is blocked.
Upgrade KnowledgeDeliver to a version later than February 24, 2026. Ensure that the ASP.NET/IIS machineKey configuration is secure and not static, to prevent ViewState manipulation and possible remote code execution attacks.
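One way to check for a static machineKey, as an added example that is not code from this page or from the vendor: the function below flags literal validationKey/decryptionKey values in a web.config and reports a short hash of each, so the same key can be recognized across hosts without the key being printed. It assumes the key is declared in web.config (the page does not say where it is stored); `Get-MachineKeyFinding`, the sample document and the `C:\inetpub` path are hypothetical.

```powershell
# Added example. Get-MachineKeyFinding is a hypothetical helper name.
function Get-MachineKeyFinding {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [string]$Source = '(inline)'
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # //machineKey also matches keys declared inside <location> blocks.
    foreach ($mk in $Config.SelectNodes('//machineKey')) {
        foreach ($attr in 'validationKey', 'decryptionKey') {
            $value = $mk.GetAttribute($attr)
            # Missing attribute or "AutoGenerate[,IsolateApps]" means ASP.NET
            # generates the key per machine; anything else is a literal key.
            $static = [bool]$value -and ($value -notmatch '^AutoGenerate')
            $print = $null
            if ($static) {
                # Report a short hash, never the key: identical fingerprints
                # on different hosts mean they share one key.
                $bytes = [Text.Encoding]::UTF8.GetBytes($value.ToUpperInvariant())
                $hex   = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
                $print = $hex.Substring(0, 12)
            }
            [pscustomobject]@{
                Source = $Source; Attribute = $attr
                Static = $static; Fingerprint = $print
            }
        }
    }
    $sha.Dispose()
}

# Constructed sample: the validationKey is a made-up placeholder, not a real key.
[xml]$sample = @'
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  </system.web>
</configuration>
'@
Get-MachineKeyFinding -Config $sample -Source 'constructed-sample'

# On a server (C:\inetpub is an assumed site root; adjust to yours):
# Get-ChildItem C:\inetpub -Recurse -Filter web.config | ForEach-Object {
#     Get-MachineKeyFinding -Config ([xml](Get-Content -LiteralPath $_.FullName -Raw)) -Source $_.FullName
# }
```

A row with Static set to True after the upgrade to 20260224, or the same Fingerprint on more than one host, is worth following up with the vendor.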
CVE-2026-5426 is a Remote Code Execution vulnerability in Digital Knowledge KnowledgeDeliver deployments using ASP.NET/IIS, caused by a hard-coded machineKey allowing ViewState manipulation.
You are affected if you are using Digital Knowledge KnowledgeDeliver with ASP.NET/IIS versions prior to 20260224.
Upgrade to version 20260224 or later of Digital Knowledge KnowledgeDeliver. Consider temporary workarounds like enabling ViewState encryption if immediate upgrade is not possible.
While no active exploitation is confirmed, the vulnerability's nature and ease of exploitation suggest a high likelihood of future attacks.
Refer to the Digital Knowledge security advisory for CVE-2026-5426, available on their official website.