KnowledgeDeliver CVE-2026-5426 - ViewState Exploitation Moves Exposure Proof to the Front
Finding: KnowledgeDeliver CVE-2026-5426 ViewState exploitation
Confidence: Medium
KnowledgeDeliver CVE-2026-5426 is the lead item because the current evidence links exploitation to ASP.NET ViewState deserialisation and reused or standardised web.config / machineKey material in deployments before 24 February 2026. Google Cloud / Mandiant reporting is the source anchor and includes hunting guidance, including ASP.NET Application Event Log Event ID 1316 and a GTI IOC collection.
The defensive task is specific. Identify KnowledgeDeliver deployments, prioritise exposed hosts, review ViewState validation failures and related IIS evidence, and make machineKey material unique. Where indicators appear, treat the host as a compromise-review candidate rather than a simple patch ticket.
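The machineKey uniqueness check described above can be run centrally over web.config files collected from each deployment. This is an added example, not code from the Mandiant reporting or from KnowledgeDeliver; the hostnames, key values and function names are constructed for illustration, and the only product-specific assumption is the standard ASP.NET `machineKey` element with its `validationKey` and `decryptionKey` attributes.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

_A = ('<configuration><system.web><machineKey validationKey="0123ABCD" '
      'decryptionKey="4567EF01" validation="HMACSHA256" /></system.web></configuration>')
# Constructed sample input: web.config text gathered per host (hostnames and keys are made up).
SAMPLE_CONFIGS = {
    "lms-a.example": _A,
    "lms-b.example": _A,  # same static keys as lms-a: the reuse case
    "lms-c.example": '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" '
                     'decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>',
    "lms-d.example": "<configuration><system.web /></configuration>",  # no machineKey element
    "lms-e.example": _A.replace("0123ABCD", "89AB0123"),  # static but unique
}

def _is_auto(value):
    return value.strip().lower().startswith("autogenerate")

def key_fingerprint(config_xml):
    """Return None for auto-generated keys, else a short hash of the static key pair."""
    # Only the first machineKey element in the file is inspected.
    element = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if element is None:
        return None  # ASP.NET falls back to auto-generated keys
    validation = element.get("validationKey", "AutoGenerate")
    decryption = element.get("decryptionKey", "AutoGenerate")
    if _is_auto(validation) and _is_auto(decryption):
        return None
    # Hash the pair so reports and tickets never carry the key material itself.
    material = f"{validation}|{decryption}".upper().encode()
    return hashlib.sha256(material).hexdigest()[:16]

def audit_machine_keys(configs):
    """Return (hosts with static keys, groups of hosts sharing one static key pair)."""
    by_fingerprint = defaultdict(list)
    for host, xml_text in configs.items():
        fingerprint = key_fingerprint(xml_text)
        if fingerprint is not None:
            by_fingerprint[fingerprint].append(host)
    static_hosts = sorted(h for hosts in by_fingerprint.values() for h in hosts)
    reused = sorted(sorted(hosts) for hosts in by_fingerprint.values() if len(hosts) > 1)
    return static_hosts, reused

if __name__ == "__main__":
    static_hosts, reused = audit_machine_keys(SAMPLE_CONFIGS)
    print("static machineKey:", static_hosts)
    print("shared machineKey:", reused)
```

Hosts in a shared group are the ones to rotate first and to prioritise for the Event ID 1316 and IIS review.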
Finding: Microsoft SharePoint CVE-2026-45659 patch verification
Confidence: High
Microsoft SharePoint Server CVE-2026-45659 enters today's findings as a remote-code-execution patch item. MSRC describes deserialisation of untrusted data where an authorised attacker can execute code over a network.
This does not need inflated language to matter. SharePoint often sits close to identity, documents, partner access and internal workflows. Confirm build levels for SharePoint Server, prioritise internet-facing and partner-accessible estates, and keep the item in the managed patch queue until owners can prove remediation.
Finding: Ubuntu USN-8306-1 Samba vulnerabilities
Confidence: High for vendor patch existence; Low for exploitation context
Ubuntu USN-8306-1 covers Samba issues affecting Ubuntu 25.10 and Ubuntu 26.04 LTS, including CVE-2026-1933 and CVE-2026-2340. The relevant paths are certificate auto-enrolment group-policy verification over HTTP and flawed vfs_worm overwrite controls.
The action is routine but still worth routing. Apply USN-8306-1 where Ubuntu Samba packages are present, especially domain-joined Linux systems and Samba servers that rely on immutability controls. Confidence is high that the vendor patch exists; the current evidence does not support a stronger exploitation claim.
Update: Drupal Core CVE-2026-9082 active exploitation
Confidence: Medium
Previously covered in earlier Drupal tracking; today's delta is active exploitation with KEV-driven remediation pressure. Drupal Core CVE-2026-9082 appears here only because the current evidence provides the material update: active exploitation and CISA KEV-linked patching.
Do not treat this as a recycled high-severity mention. Locate externally exposed Drupal, verify CVE-2026-9082 remediation, review web logs and web-shell indicators, and put KEV-listed Drupal instances into priority patch and compromise-review workflows.
Watchlist items deliberately held back
Confidence: Medium
TrapDoor, TeamPCP / Mini Shai-Hulud / Megalodon, UK water-firm breach reporting, Cisco Unified CM chatter, CERT-In guidance, breach notices, npm publishing-control changes and X-only ransomware claims are not findings in this bundle. The evidence set either marks them unchanged, suppresses them, keeps them watchlist-only or lacks material-update proof.
That restraint is part of the value. It keeps today's client action list focused on assets that can be located, patched, hunted or reviewed now.
Why This Matters
The common thread is exposure proof. KnowledgeDeliver needs hunting and key hygiene, SharePoint and Ubuntu need patch verification, and Drupal needs KEV-aligned remediation plus compromise review. These are different tasks, but they all depend on knowing whether the affected product is present, exposed and actually fixed.
Recommended Actions
- Hunt KnowledgeDeliver/ViewState indicators, including ASP.NET Event ID 1316, ViewState validation failures, suspicious IIS child processes and reused or static machineKey material.
- Verify SharePoint Server remediation for CVE-2026-45659, with priority for internet-facing and partner-accessible systems.
- Apply Ubuntu USN-8306-1 to affected Samba hosts, especially domain-joined Linux servers and systems relying on vfs_worm immutability controls.
- Confirm Drupal Core CVE-2026-9082 patch state and run compromise review for externally exposed Drupal sites.
- Keep TrapDoor, TeamPCP-family items and breach-notice stories in watchlist handling until a future evidence set proves a strict material update.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 27 May 2026.