Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.
The flaw is a deserialization issue tracked as CVE-2026-5426 and can be exploited without authentication. It stems from the use of a shared hardcoded machine key in the web portal configuration across all KnowledgeDeliver customer deployments.
ViewState deserialization
Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads and achieve remote code execution at the operating system level.
Mandiant responded to an attack on a KnowledgeDeliver server in late 2025 and says that initially, the vulnerability was exploited as a zero-day to inject a malicious script into the web platform.
Exploitation was possible due to the use of “similar pre-shared ASP.NET machine keys across multiple customer deployments,” the researchers said.
“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” Mandiant explains.
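For defenders who want to check their own servers for the condition described above, the following is an added example, not code from Mandiant or the vendor. It parses web.config content, flags `machineKey` elements that carry literal key material instead of `AutoGenerate`, and groups hosts by a hash of the key so shared keys can be spotted without printing them. The host names and key values are constructed samples.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs (not real keys): two hosts share one hardcoded
# key pair, a third uses the auto-generated, per-application default.
SHARED = ('<configuration><system.web><machineKey '
          'validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" '
          'decryptionKey="FEDCBA9876543210FEDCBA9876543210" '
          'validation="SHA1" decryption="AES" /></system.web></configuration>')
AUTO = ('<configuration><system.web><machineKey '
        'validationKey="AutoGenerate,IsolateApps" '
        'decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>')
SAMPLE_CONFIGS = {"lms-a": SHARED, "lms-b": SHARED, "lms-c": AUTO}


def machine_key_fingerprint(config_xml):
    """Return a short SHA-256 fingerprint of hardcoded machineKey values,
    or None when no literal key material is present in the config."""
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an xmlns
            continue
        keys = [el.get("validationKey", ""), el.get("decryptionKey", "")]
        # "AutoGenerate" (optionally with ",IsolateApps") means ASP.NET
        # derives the key itself; anything else is a literal key on disk.
        literal = [k.upper() for k in keys
                   if k and not k.lower().startswith("autogenerate")]
        if literal:
            digest = hashlib.sha256("|".join(literal).encode()).hexdigest()
            return digest[:16]
    return None


def audit(configs):
    """Map each host to its fingerprint and list groups sharing one key."""
    by_fp = defaultdict(list)
    hardcoded = {}
    for host, xml_text in configs.items():
        fp = machine_key_fingerprint(xml_text)
        if fp is not None:
            hardcoded[host] = fp
            by_fp[fp].append(host)
    shared = sorted(sorted(hosts) for hosts in by_fp.values() if len(hosts) > 1)
    return hardcoded, shared


if __name__ == "__main__":
    hardcoded, shared = audit(SAMPLE_CONFIGS)
    print("hosts with hardcoded machineKey:", sorted(hardcoded))
    print("groups sharing the same key:", shared)
```

A fingerprint that matches across unrelated deployments, or one that matches a key shipped in a vendor template, indicates the key should be rotated to a unique value per installation.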
According to the researchers, the malicious code on the platform “convinced users to download a fake installer,” which led to the machine getting infected with a Cobalt Strike beacon, essentially planting a backdoor.
“The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant says in a report today.
Godzilla web shell delivery
Mandiant says the threat actor deployed the .NET-based in-memory web shell, Godzilla (a.k.a. BlueBeam), which has also been used in similar attacks observed by Microsoft in late 2024.
In August 2024, researchers at cybersecurity company ASEC had also reported that Godzilla was being deployed in ASP.NET environments in ViewState deserialization attacks targeting companies in the financial sector.
Mandiant notes that the threat actor compromising KnowledgeDeliver instances executed commands to escalate their control over the web server’s file system.
This allowed them to modify an application JavaScript file with code that prompted users to install a “security authentication plugin” and to load a malicious script from a domain under the attacker’s control.
Over the past year, hackers have used improperly secured machine keys in ViewState deserialization attacks targeting web platforms for various products.
In March last year, threat actors abused a hardcoded machine key to craft a malicious payload that allowed access to Gladinet CentreStack’s secure file-sharing servers.
In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads.
State-sponsored actors also used ViewState deserialization attacks to deploy a reconnaissance tool named WeepSteel on Sitecore servers that exposed the ASP.NET machine key.

