KnowledgeDeliver LMS zero-day CVE-2026-5426 deploys Godzilla web shell via ViewState deserialization - shared hardcoded ASP.NET machine keys across customers

Mandiant has disclosed that attackers exploited a zero-day in the KnowledgeDeliver learning management system (CVE-2026-5426) to deploy the Godzilla in-memory web shell and a custom-encrypted Cobalt Strike beacon. The flaw is a deserialization issue rooted in identical pre-shared ASP.NET machine keys that the vendor distributed in its default web.config, so all customer deployments installed before February 24, 2026 share the same keys. With the shared machineKey, an attacker can forge signed ViewState payloads and achieve unauthenticated RCE at the OS level. The threat actor then extended that control to modify the platform's JavaScript files, which prompted users to install a fake 'security authentication plugin' that delivered the Cobalt Strike payload.

Check
Inventory KnowledgeDeliver LMS installations and their deployment dates. Check web.config for hardcoded machineKey values. Search IIS logs for unusual ViewState payloads since late 2025.
Affected
All KnowledgeDeliver LMS installations deployed before February 24, 2026. The hardcoded ASP.NET machineKey is shared across all customers, enabling forged ViewState attacks for unauthenticated RCE.
Fix
Rotate machineKey to unique per-deployment values immediately. Patch to the latest KnowledgeDeliver release. Hunt for Godzilla/BlueBeam in-memory web shells and Cobalt Strike beacons across IIS application pools.
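
One way to run the web.config check and confirm that a rotation left every deployment with its own key, as an added example that is not code from Mandiant or the vendor: it parses collected web.config files, flags hardcoded machineKey values, and groups hosts that share a key by fingerprint. The hostnames and key values are constructed, and gathering the files from each server is assumed to have been done already.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

KEY_ATTRS = ("validationKey", "decryptionKey")

def machine_key_findings(config_xml):
    """Return {attribute: fingerprint} for each hardcoded key in one web.config."""
    findings = {}
    for elem in ET.fromstring(config_xml).iter():
        # Match <machineKey> with or without an XML namespace on <configuration>.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in KEY_ATTRS:
            value = elem.get(attr, "").strip()
            # Absent or AutoGenerate[,IsolateApps] means ASP.NET generates the key.
            if value and not value.lower().startswith("autogenerate"):
                # Report a fingerprint, never the key material itself.
                # Hex keys are case-insensitive, so normalise before hashing.
                digest = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
                findings[attr] = digest
    return findings

def shared_keys(configs):
    """Map fingerprint -> sorted hosts for keys found on more than one host."""
    seen = defaultdict(set)
    for host, xml_text in configs.items():
        for digest in machine_key_findings(xml_text).values():
            seen[digest].add(host)
    return {d: sorted(h) for d, h in seen.items() if len(h) > 1}

# Constructed sample input: hostnames and key values are made up.
STATIC = ('<configuration><system.web><machineKey validationKey="{v}" '
          'decryptionKey="{d}" validation="SHA1" decryption="AES"/>'
          '</system.web></configuration>')
AUTO = "AutoGenerate,IsolateApps"
SAMPLE = {
    "lms-a.example": STATIC.format(v="AB" * 32, d="CD" * 16),
    "lms-b.example": STATIC.format(v="ab" * 32, d="CD" * 16),
    "lms-c.example": STATIC.format(v=AUTO, d=AUTO),
    "lms-d.example": "<configuration><system.web/></configuration>",
}

if __name__ == "__main__":
    for host, xml_text in SAMPLE.items():
        print(host, machine_key_findings(xml_text) or "no hardcoded machineKey")
    for digest, hosts in shared_keys(SAMPLE).items():
        print("shared key", digest, "on", ", ".join(hosts))
```

After rotation, `shared_keys` should return an empty mapping across the whole inventory; any remaining group is a set of hosts still using one common key.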