KnowledgeDeliver flaw exploited as a zero-day to install web shells
Researchers reveal a critical zero-day in KnowledgeDeliver LMS (CVE-2026-5426) that enables unauthenticated remote code execution via ViewState deserialization by abusing a shared hardcoded ASP.NET machineKey. Hackers deployed the Godzilla/BlueBeam in-memory web shell to take control of servers, sign malicious payloads, and prompt users to install a rogue security plugin, effectively backdooring the host with a Cobalt Strike beacon. Mandiant attributes the exploit to standardized web.config machine keys across deployments prior to Feb 24, 2026, and notes this reflects a broader trend of machine key misuse in ViewState attacks across multiple products.

Overview
A critical vulnerability in the KnowledgeDeliver learning management system was abused to plant web shells on affected servers. The flaw, tracked as CVE-2026-5426, enables unauthenticated exploitation that leverages a shared, hardcoded machine key used across KnowledgeDeliver deployments. Attackers used this weakness to sign and deploy malicious payloads via ViewState deserialization, gaining operating-system level control and the ability to execute arbitrary commands on the host.
The Core Flaw: Deserialization and a Shared Machine Key
- Technical fault: The vulnerability stems from improper handling of serialized data in ASP.NET ViewState. The framework deserializes ViewState it has verified as correctly signed, so an attacker who can forge that signature can inject payloads that execute during deserialization.
- Root cause: Across multiple KnowledgeDeliver installations, the same pre-shared ASP.NET machineKey was present in the web.config configuration shipped by the vendor. This meant that the same cryptographic keys were used to protect and validate data across many customer environments.
- Consequence: With knowledge of the machineKey, threat actors could craft malicious ViewState payloads that were accepted by the ASP.NET framework, enabling remote code execution at the OS level without prior authentication.
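As an added example (not code from the article, Mandiant or the vendor), the following script audits a set of web.config files for the root-cause condition described above: hardcoded machineKey material reused across deployments. It parses each file's machineKey element, distinguishes ASP.NET's AutoGenerate directive from static key values, and reports every key value shared by more than one deployment. The sample configurations, file paths and key values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Shortened placeholder key material, constructed for this example (real keys are
# longer hex strings); these are not any vendor's shipped values.
SHARED_VALIDATION = "0F" * 16
SHARED_DECRYPTION = "1E" * 12
AUTOGEN = "AutoGenerate,IsolateApps"  # ASP.NET's per-app generated-key directive

def web_config(validation_key, decryption_key):
    """Build a minimal web.config document carrying the given machineKey attributes."""
    return ('<configuration><system.web><machineKey '
            f'validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES"/></system.web></configuration>')

# Constructed sample: three tenants, two of which ship identical hardcoded keys.
SAMPLE_CONFIGS = {
    "customer-a/web.config": web_config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "customer-b/web.config": web_config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "customer-c/web.config": web_config(AUTOGEN, AUTOGEN),
}

def extract_machine_key(xml_text):
    """Return the <machineKey> attributes of a web.config, or None if the element is absent."""
    node = ET.fromstring(xml_text).find(".//machineKey")
    return dict(node.attrib) if node is not None else None

def is_static(value):
    """A key attribute is hardcoded unless absent or set to the AutoGenerate directive."""
    return value is not None and not value.upper().startswith("AUTOGENERATE")

def audit(configs):
    """Group deployments by hardcoded key value.

    Returns {"shared": {key: [paths]}, "static": [paths], "autogen": [paths]}; every
    tenant listed under one "shared" key accepts ViewState signed with that same key.
    """
    by_key = defaultdict(list)
    static, autogen = [], []
    for path, text in configs.items():
        attrs = extract_machine_key(text) or {}
        keys = [attrs.get("validationKey"), attrs.get("decryptionKey")]
        if any(is_static(k) for k in keys):
            static.append(path)
            for k in keys:
                if is_static(k) and path not in by_key[k]:
                    by_key[k].append(path)
        else:
            autogen.append(path)  # framework-generated keys, unique per server/app
    shared = {k: paths for k, paths in by_key.items() if len(paths) > 1}
    return {"shared": shared, "static": static, "autogen": autogen}
```

Any deployment reported under "shared" should have its machineKey regenerated to a unique value; a missing machineKey element counts as auto-generated and is not flagged.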
Timeline and context
- Early exploitation: The issue was observed as a zero-day entry point used to inject malicious code into the KnowledgeDeliver platform, prior to public disclosure.
- Key condition: Exploitation relied on identical machine keys across numerous customer deployments that were configured using a standardized web.config file provided by KnowledgeDeliver prior to February 24, 2026.
- Vendor configuration: The standardized configuration included hardcoded machineKey values that were used by ASP.NET to encrypt and sign data, including ViewState payloads.
- Initial impact payload: The attacker’s payload appeared to coerce users into downloading a counterfeit software installer, which in turn introduced a backdoor into the host.
- Encryption detail: The malicious payload was encrypted with a key embedded in the organization’s name, indicating that the threat actor prepared the attack with the target in mind.
Godzilla web shell delivery mechanism
- Payload type: The attackers deployed a .NET-based in-memory web shell commonly referred to as Godzilla or BlueBeam.
- Historical echoes: Godzilla has been observed in similar intrusions affecting ASP.NET environments during ViewState deserialization campaigns, with prior sightings in late 2024, including reported use against financial-sector targets.
- Execution flow: After gaining a foothold, the threat actor escalated privileges and altered web application assets to enable persistence and additional command execution capabilities on the server.
- Secondary effects: The compromised environment saw modifications to client-facing scripts, prompting users to install a loader that fetched malicious code from the attacker’s domain, effectively extending control over the web server’s file system.
Cross-campaign patterns and earlier incidents
- Similar toolsets: Godzilla has appeared in other deserialization-based exploits that abused publicly known machine keys to sign malicious payloads.
- Preceding events: In 2024, security researchers noted widespread use of similar techniques in injection and remote code execution campaigns targeting diverse ASP.NET deployments.
- Related cases: Other incidents involved attackers chaining machineKey misuse with payloads that achieved execution on SharePoint servers and other enterprise platforms, illustrating a broader trend of ViewState deserialization abuse.
The validation gap: automated pentesting vs. real defense effectiveness
- Core message: Automated pentesting tools excel at determining whether an attacker can move laterally through a network, but they often fail to verify how well a system’s controls block threats, how detection rules fire, or whether cloud configurations remain solid under real-world conditions.
- Practical takeaway: The gap highlights the need to assess not only network reachability but also the robustness of security controls, observability, and configuration resilience in deployed environments.
- Visual prompt: An accompanying graphic makes the same point: automated testing answers one question, whether network movement is possible, while the broader security posture requires validating multiple facets of defense.
Related context and broader landscape
- Multi-vector risk: The KnowledgeDeliver case sits within a wider pattern of attackers exploiting deserialization weaknesses and hardcoded cryptographic keys to forge trusted data and execute code remotely.
- Expansion of impact: Past incidents have shown attackers leveraging compromised machine keys to load signed malicious payloads across various platforms, including enterprise content services and collaboration tools.
- Community and industry notes: Industry researchers have tracked similar campaigns across different products, underscoring the importance of unique, per-deployment cryptographic keys and dynamic, diversified configuration practices.
Six surfaces to validate (high-level concept)
- The article discusses the need to validate six distinct security surfaces beyond traditional automated testing. The emphasis is on comprehensive validation that goes beyond whether a foothold is possible and extends to how defenses respond to real attack steps.
- In practice, this prompts a broader security testing approach that covers configuration integrity, control effectiveness, detections, and cloud configurations as part of a unified validation framework.
Closing context
- The KnowledgeDeliver incident reinforces a recurring lesson in modern software security: shared cryptographic material and uniform configurations can create systemic risk across customer environments.
- It also illustrates how a single deserialization vulnerability can cascade into remote code execution and backdoor persistence if attackers can forge trusted state payloads.
- The evolving threat landscape emphasizes the importance of diverse, defense-forward validation methods to identify and remediate gaps that automated testing alone may overlook.