ViewState Deserialization RCE in KnowledgeDeliver LMS: Japanese Educational Sector at Risk
Mandiant identified a critical remote code execution vulnerability in KnowledgeDeliver, a Learning Management System widely deployed in Japanese educational institutions, exploitable through unsafe .NET ViewState deserialisation. Active exploitation has been confirmed in the wild.
In late 2025, Mandiant responded to active exploitation of KnowledgeDeliver, a Learning Management System developed by Digital Knowledge and extensively deployed across Japanese educational institutions. The researchers identified a critical remote code execution vulnerability stemming from unsafe deserialisation of .NET ViewState objects. This vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable servers, providing direct pathways to system compromise.
The technical root cause involves improper handling of ASP.NET ViewState, a serialised object container used to maintain state between HTTP requests. When applications fail to properly validate or encrypt ViewState data, attackers can craft malicious serialised payloads that execute during deserialisation. Modern .NET frameworks include ObjectStateFormatter, the formatter that deserialises ViewState, and related gadget chains that permit remote code execution when exploited by skilled attackers. KnowledgeDeliver's implementation appears to lack sufficient protections against this well-understood attack vector, despite years of public guidance on ViewState security.
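As an added example (not code from Mandiant or Digital Knowledge, and not a description of the specific KnowledgeDeliver flaw), the following Python script audits an ASP.NET `web.config` for the settings that decide whether ViewState is validated and encrypted. The function name and both sample configurations are constructed for illustration, and the script assumes a `web.config` without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: ViewState protections switched off, static key in the file.
WEAK_SAMPLE = """<configuration>
  <appSettings>
    <add key="aspnet:AllowInsecureDeserialization" value="true" />
  </appSettings>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="CONSTRUCTED-PLACEHOLDER-KEY" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
  </system.web>
</configuration>"""

# Constructed sample: MAC left at its default (on), encryption forced, keys auto-generated.
HARDENED_SAMPLE = """<configuration>
  <system.web>
    <pages viewStateEncryptionMode="Always" />
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  </system.web>
</configuration>"""

def audit_viewstate_config(web_config_xml):
    """Return a list of findings for ViewState-related settings (hypothetical helper)."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("pages: enableViewStateMac=false, ViewState integrity check disabled")
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append("pages: viewStateEncryptionMode=Never, ViewState is never encrypted")
    for add in root.iter("add"):
        key = add.get("key", "").lower()
        if key == "aspnet:allowinsecuredeserialization" and add.get("value", "").lower() == "true":
            findings.append("appSettings: aspnet:AllowInsecureDeserialization=true re-enables unvalidated ViewState")
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # An absent attribute means the runtime auto-generates the key.
            if not mk.get(attr, "AutoGenerate").lower().startswith("autogenerate"):
                findings.append(f"machineKey: static {attr} stored in file, rotate it if the file was ever exposed")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, audit_viewstate_config(sample) or "no findings")
```

A static `machineKey` is legitimate in web farms, so that finding is a prompt to check where the key is stored and who has read it, not proof of a flaw.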
The affected population is significant: KnowledgeDeliver serves as a central educational platform in Japan, with deployment across universities, secondary schools, and corporate training programmes. A successful compromise exposes student records, course materials, authentication credentials, and institutional infrastructure. The LMS often integrates with other systems, creating lateral movement opportunities for threat actors.
Organisations running KnowledgeDeliver should immediately apply patches from Digital Knowledge and implement network segmentation to restrict LMS accessibility. Web application firewalls should be configured to detect and block ViewState-based exploitation attempts. System administrators should audit access logs for suspicious deserialisation activity and conduct incident response on any exposed instances.
This incident reflects a broader pattern: regional or niche software products often receive less security scrutiny than mainstream alternatives, making them attractive targets. The LMS sector, already stressed by infrastructure demands, represents a high-value target for ransomware groups seeking to disrupt education and extort institutions. Mandiant's disclosure and the public CVE should accelerate patching, but defenders must assume exploitation will continue for months among lagging organisations.