KnowledgeDeliver flaw exploited as a zero-day to install web shells

KnowledgeDeliver flaw exploited as a zero-day to install web shells

HomeNewsSecurityKnowledgeDeliver flaw exploited as a zero-day to install web shells

KnowledgeDeliver flaw exploited as a zero-day to install web shells By Ionut Ilascu May 26, 2026 04:07 PM 0 Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell. The flaw is a deserialization issue tracked as CVE-2026-5426 and can be exploited without authentication. It stems from the use of a shared hardcoded machine key in the web portal configuration across all KnowledgeDeliver customer deployments. ViewState deserialization Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads and achieve remote code execution at the operating system level. Mandiant in late 2025 responded to an attack on a KnowledgeDeliver server and says that initially, the vulnerability was exploited as a zero-day to inject a malicious script into the web platform. Exploitation was possible due to the use of “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the researchers said. “KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” Mandiant explains. According to the researchers, the malicious code on the platform “convinced users to download a fake installer,” which led to the machine getting infected with a Cobalt Strike beacon, essentially planting a backdoor. “The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant says in a report today. Godzilla web shell delivery Mandiant says the threat actor deployed the .NET-based in-memory web shell, Godzilla (a.k.a. BlueBeam), which has also been used in similar attacks observed by Microsoft in late 2024. In August 2024, researchers at cybersecurity company ASEC had also reported that Godzilla was being deployed in ASP.NET environments in ViewState deserialization attacks targeting companies in the financial sector. Mandiant notes that the threat actor compromising KnowledgeDeliver instances executed commands to escalate their control over the web server's file system. This allowed them to modify an application JavaScript file with code that prompted users to install a “security authentication plugin” and to load a malicious script from a domain under the attacker’s control. Over the past year, hackers have used improperly secured machine keys in ViewState deserialization attacks targeting web platforms for various products. In March last year, threat actors abused a hardcoded machine key to craft a malicious payload that allowed access to Gladinet CentreStack's secure file-sharing servers. In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads. State-sponsored actors also used ViewState deserialization attacks to deploy a reconnaissance tool named WeepSteel on Sitecore servers that exposed the ASP.NET machine key.

The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Download Now

Related Articles: Max-severity flaw in ChromaDB for AI apps allows server hijackingIvanti warns of new EPMM flaw exploited in zero-day attacksIvanti fixes EPMM zero-days chained in code execution attacksPalo Alto Networks firewall zero-day exploited for nearly a monthPalo Alto Networks warns of firewall RCE zero-day exploited in attacks 0Day

ASP.NET

Godzilla

KnowledgeDeliver

RCE

Remote Code Execution

ViewState

Zero-Day

Ionut Ilascu Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.

Previous Article

Post a Comment Community Rules You need to login in order to post a comment Not a member yet? Register Now

You may also like:

  Upcoming Webinar Popular Stories Laravel Lang packages hijacked to deploy credential-stealing malware

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

Italy disrupts CINEMAGOAL piracy app that stole streaming auth codes

Sponsor Posts AI is a data-breach time bomb: Read the new report

Overdue a password health-check? Audit your Active Directory for free

Protect Your Business from Ecommerce Fraud

33% Rise in Healthcare Credential Theft in 2025: What you need to know

  Upcoming Webinar

Login Username Password Remember Me Sign in anonymously Sign in with Twitter Not a member yet? Register Now

Reporter Help us understand the problem. What is going on with this comment? Spam Abusive or Harmful Inappropriate content Strong language Ot