Digital Knowledge shipped KnowledgeDeliver LMS with identical ASP.NET machineKey values across all customer deployments, enabling any attacker who recovers those keys to achieve unauthenticated remote code execution via ViewState deserialization on every internet-facing instance deployed before February 24, 2026. Mandiant confirmed active exploitation in late 2025 with deployment of the BLUEBEAM in-memory web shell, Cobalt Strike delivery to end users via tampered JavaScript, and a targeted payload encrypted with the victim organization’s name. The attack pattern is not novel but is confirmed active and the vulnerable population extends to any ASP.NET application using vendor-supplied or shared machineKeys.