Critical Zero-Day Vulnerability in KnowledgeDeliver LMS Exploited to Deploy BLUEBEAM Web Shell
A recently uncovered zero-day vulnerability in the KnowledgeDeliver Learning Management System (LMS) has been actively exploited to deploy the BLUEBEAM in-memory web shell, as detailed in Mandiant’s latest incident response report. This flaw, now identified as CVE-2026-5426, allows unauthenticated remote code execution (RCE) and affects deployments that utilized default ASP.NET configuration settings prior to February 24, 2026.
Background on KnowledgeDeliver LMS
Developed by Japan-based Digital Knowledge, KnowledgeDeliver is a widely adopted LMS in both enterprise and educational sectors. Its extensive use makes it a significant target for cyber threats, especially when vulnerabilities are present.
Details of the Vulnerability
Mandiant’s investigation into a late-2025 breach revealed that the compromise originated from insecure cryptographic practices within the KnowledgeDeliver LMS. Specifically, the reuse of identical ASP.NET machine keys across multiple customer installations was identified as the root cause. These machine keys are crucial for securing ViewState data, a mechanism that preserves page state between requests in ASP.NET applications.
The hardcoding and sharing of machineKey values across different instances allowed attackers who obtained these keys from one instance to forge malicious ViewState payloads and reuse them across other exposed servers. By crafting a serialized payload and delivering it through the __VIEWSTATE parameter in HTTP requests, the threat actor forced the server to deserialize untrusted data, effectively achieving remote code execution.
This attack method is reminiscent of previously documented ViewState deserialization attacks observed in platforms such as Sitecore and earlier campaigns highlighted by Microsoft involving exposed machine keys.
Deployment of BLUEBEAM Web Shell
Following initial access, the attacker deployed BLUEBEAM, a .NET-based web shell also known as Godzilla. Unlike traditional web shells that rely on files stored on disk, BLUEBEAM operates entirely in memory within the IIS worker process (w3wp.exe), significantly reducing its forensic footprint. The malware communicates through encrypted HTTP POST requests, allowing attackers to execute commands, upload payloads, and maintain persistence without triggering conventional file-based detection mechanisms.
Further Exploitation and Social Engineering Tactics
The intrusion did not stop at server-side access. Mandiant observed the attacker modifying file system permissions using icacls to grant broad access rights, effectively weakening security controls on the compromised host. Additionally, legitimate JavaScript files within the LMS were tampered with to inject malicious code. This code displayed a fraudulent security alert prompting users to install a so-called authentication plugin, while simultaneously loading external scripts from attacker-controlled infrastructure.
This social engineering component led to downstream infections. Users who downloaded the fake plugin were infected with a Cobalt Strike Beacon payload, a widely abused post-exploitation framework. Notably, the payload was encrypted with a key derived from the victim organization’s name, indicating targeted, pre-compromise reconnaissance by the threat actor.
Detection and Mitigation Strategies
Detection opportunities for this activity exist but require careful monitoring of application and system behavior. Windows Application logs may contain ASP.NET Event ID 1316 entries indicating ViewState validation failures or anomalies. In some cases, the crafted payloads produced invalid-ViewState errors yet were still deserialized, so code execution succeeded despite the logged failure; a 1316 entry should therefore be treated as a possible successful attack, not only as a blocked one.
To mitigate the risk associated with this vulnerability, organizations using KnowledgeDeliver LMS should:
1. Update Machine Keys: Ensure that each deployment has unique, securely generated machine keys to prevent unauthorized ViewState manipulation.
2. Apply Security Patches: Regularly update the LMS and underlying systems to incorporate the latest security patches and fixes.
3. Monitor Logs: Implement robust logging and monitoring to detect unusual activities, such as unexpected ViewState errors or unauthorized file modifications.
4. Educate Users: Train users to recognize phishing attempts and avoid downloading unverified plugins or software.
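As an added illustration of the shared-key root cause and of mitigation step 1 (example code written for this page, not code from Digital Knowledge, Mandiant, or the LMS), the following Python audits a set of web.config fragments for machineKey pairs reused across hosts and generates unique replacements; the host names and key values are constructed placeholders.

```python
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config fragments for four hypothetical LMS hosts.
# host-a and host-b carry the same hardcoded key pair (the reuse pattern
# described above); host-c has its own; host-d has no <machineKey> at all,
# so ASP.NET auto-generates a per-machine key for it.
SHARED_VALIDATION = "0123456789ABCDEF" * 8   # 128 hex chars, placeholder value
SHARED_DECRYPTION = "FEDCBA9876543210" * 4   # 64 hex chars, placeholder value

def _config(validation_key, decryption_key):
    return (f'<configuration><system.web><machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" validation="HMACSHA256" decryption="AES"/>'
            '</system.web></configuration>')

SAMPLE_CONFIGS = {
    "lms-host-a": _config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "lms-host-b": _config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "lms-host-c": _config("A" * 128, "B" * 64),
    "lms-host-d": "<configuration><system.web/></configuration>",
}

def extract_machine_key(web_config_xml):
    """Return the <machineKey> attributes from a web.config, or None if absent."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    return {a: node.get(a) for a in ("validationKey", "decryptionKey", "validation", "decryption")}

def find_shared_keys(configs):
    """Map each (validationKey, decryptionKey) pair to the hosts sharing it; only pairs on >1 host."""
    hosts_by_pair = defaultdict(list)
    for host, xml_text in configs.items():
        mk = extract_machine_key(xml_text)
        # Missing element or AutoGenerate means a per-machine key, never shared between hosts.
        if mk is None or "AutoGenerate" in (mk["validationKey"] or "AutoGenerate"):
            continue
        hosts_by_pair[(mk["validationKey"], mk["decryptionKey"])].append(host)
    return {pair: hosts for pair, hosts in hosts_by_pair.items() if len(hosts) > 1}

def generate_machine_key():
    """Fresh per-deployment keys: 64 random bytes for HMACSHA256, 32 for AES, hex as web.config expects."""
    return {"validationKey": secrets.token_hex(64).upper(), "decryptionKey": secrets.token_hex(32).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}

if __name__ == "__main__":
    for (vkey, _), hosts in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"validationKey {vkey[:16]}... is shared by {', '.join(hosts)}; issue each host a fresh key")
```

A key recovered from any one host in a reported group validates forged ViewState on every other host in that group, so each listed host needs its own generated pair before it is considered remediated.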
By taking these proactive measures, organizations can enhance their security posture and reduce the likelihood of successful exploitation of such vulnerabilities.