Critical Vulnerability in KnowledgeDeliver LMS Exploited to Deploy Godzilla Web Shell and Cobalt Strike
A significant security flaw in Digital Knowledge’s KnowledgeDeliver Learning Management System (LMS), widely used in Japan, has been exploited as a zero-day vulnerability to deploy the Godzilla web shell and facilitate the installation of Cobalt Strike Beacon. This vulnerability, identified as CVE-2026-5426 with a CVSS score of 7.5, arises from the use of hard-coded ASP.NET machine keys, enabling unauthenticated remote code execution through a ViewState deserialization attack.
The exploitation of publicly disclosed ASP.NET machine keys by malicious actors was first documented by Microsoft in February 2025. In this instance, an unidentified threat actor leveraged the vulnerability to inject malicious code into the LMS platform, aiming to infect users visiting the site. Google Mandiant and the Google Threat Intelligence Group (GTIG) have been actively monitoring this activity.
The security flaw affected KnowledgeDeliver deployments prior to February 24, 2026. Similar vulnerabilities have been exploited in other platforms, such as Sitecore Experience Manager (XM) and Gladinet CentreStack and TrioFox.
Technical Details:
The core issue lies in the standardized web.config file provided by the vendor, which contained hard-coded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads. Consequently, if a threat actor obtains the keys from one deployment, they can exploit them to compromise other internet-facing KnowledgeDeliver instances.
The ASP.NET ViewState maintains page state across postbacks. When the machineKey is known, a threat actor can craft a malicious ViewState payload and sign it (and, where configured, encrypt it) with the same key the server trusts. By sending this payload in an HTTP request via the __VIEWSTATE parameter, the threat actor can cause the server to accept and deserialize it, leading to remote code execution.
Attack Methodology:
In the observed exploitation of CVE-2026-5426, attackers deployed the Godzilla (also known as BLUEBEAM) web shell, granting them the capability to execute commands or deploy additional payloads. The attackers executed commands to escalate their control over the web server’s file system by granting Everyone complete access to the web application directory. They then modified an application JavaScript file to display a fake security alert, urging users to install a security authentication plugin.
Simultaneously, the unauthorized modifications allowed the stealthy loading of a malicious script hosted on an attacker-controlled domain. This script convinced users to download a fake installer, ultimately infecting their machines with Cobalt Strike Beacon. The payload was encrypted using a key that incorporated the name of the compromised organization, indicating that the threat actor prepared this payload specifically for the targeted organization.
Implications and Recommendations:
The exploitation of KnowledgeDeliver underscores the severe risks associated with using shared secrets in deployment templates. A single leaked key can compromise an entire ecosystem of installations. Organizations are advised to implement unique secrets and robust endpoint monitoring to defend against such deserialization attacks.
To mitigate the risk, organizations using KnowledgeDeliver should:
– Update their KnowledgeDeliver installations to the latest version that addresses this vulnerability.
– Replace any hard-coded machine keys with unique, securely generated keys.
– Conduct thorough audits of their systems to detect any signs of compromise.
– Educate users about the dangers of downloading and installing software from untrusted sources.
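As an added example (not code from the article, the vendor or the researchers), the following Python audit script illustrates the weak configuration described under Technical Details and the key-replacement step above: it parses a web.config, flags a `<machineKey>` whose values are hard-coded rather than auto-generated, compares the validation key against a list of known-leaked keys, and emits a replacement element with freshly generated unique keys. The sample web.config and the "known-leaked" key list are constructed placeholders, not the real KnowledgeDeliver values.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample of a web.config with a vendor-style static machineKey
# (placeholder hex values; NOT the keys from any real deployment).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed placeholder list; a real audit would load the published list
# of compromised/leaked machine keys here instead.
KNOWN_LEAKED_VALIDATION_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the <machineKey> element of a web.config."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return findings  # absent element: ASP.NET auto-generates per-machine keys
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        # Explicit keys are legitimate only when unique per deployment and
        # never copied from a shared template.
        findings.append(f"{attr} is hard-coded in web.config")
        if attr == "validationKey" and value.upper() in KNOWN_LEAKED_VALIDATION_KEYS:
            findings.append("validationKey matches a known leaked key")
    if mk.get("validation", "HMACSHA256").upper() in ("SHA1", "MD5"):
        findings.append("validation algorithm is weak (use HMACSHA256 or stronger)")
    return findings

def generate_machine_key_element() -> str:
    """Build a replacement <machineKey> with freshly generated, unique keys:
    64 bytes for the HMACSHA256 validation key, 32 bytes for AES-256."""
    validation_key = secrets.token_hex(64).upper()
    decryption_key = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            f'validation="HMACSHA256" decryption="AES" />')

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(generate_machine_key_element())
```

Run the audit against every internet-facing instance; any deployment whose key still appears in a shared template should be treated as exposed until the key is rotated.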
By taking these steps, organizations can enhance their security posture and reduce the likelihood of similar attacks in the future.