Skip to main content
Emerging ThreatsMalware & Ransomware

Hackers Exploit KnowledgeDeliver Flaw to Install Web Shells

Server room with rows of equipment and a blurred laptop screen in the foreground.

CVE-2026-5426 was used as a zero-day to install a .NET web shell — Godzilla — on KnowledgeDeliver servers, researchers say.

CVE-2026-5426 and ViewState deserialization

Researchers at Mandiant report that a critical, unauthenticated deserialization vulnerability in the KnowledgeDeliver learning management system, tracked as CVE-2026-5426, was exploited to achieve remote code execution. The flaw centered on ViewState deserialization: threat actors obtained a machine key used by ASP.NET to sign ViewState payloads and used it to craft malicious, signed ViewState objects that executed code at the operating-system level.

The shared hardcoded machineKey in KnowledgeDeliver's web.config

Mandiant says the root cause was a vendor-supplied standardized web.config file. “KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” Mandiant explains. Because installations used “identical pre-shared ASP.NET machine keys across multiple customer deployments,” a single disclosed key allowed attackers to sign malicious payloads against many targets.

Attack chain: malicious script, fake installer, Cobalt Strike beacon, Godzilla web shell

Mandiant describes the operational steps observed. The initial zero-day exploitation injected a malicious script into the KnowledgeDeliver web platform that modified application JavaScript to prompt users to install a “security authentication plugin.” When users were induced to download the fake installer, the endpoint received a Cobalt Strike beacon, providing a backdoor on the host. Mandiant further reports the actor deployed a .NET in-memory web shell known as Godzilla (also referred to as BlueBeam) to maintain remote access and execute commands that escalated control over the web server’s file system.

Evidence of targeted preparation appeared in the payloads themselves: “The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant says.

Prior incidents show a recurring pattern with machine keys and ViewState

Mandiant situates this incident in a string of similar intrusions that abused improperly secured ASP.NET machine keys. In August 2024, ASEC researchers reported Godzilla being deployed in ViewState deserialization attacks against ASP.NET environments in the financial sector. Microsoft observed Godzilla in late 2024 as well. In March last year, threat actors abused a hardcoded machine key to craft a malicious payload against Gladinet CentreStack servers. In July 2025, attackers compromised 85 Microsoft SharePoint servers after stealing a machine key and creating signed malicious ViewState payloads. State-sponsored actors also used ViewState deserialization to deploy a reconnaissance tool named WeepSteel on Sitecore servers that exposed an ASP.NET machine key.

What this means for technologists, affected enterprises, and procurement leaders

  • Technologists and security teams: Validate whether KnowledgeDeliver installations in your environment were deployed before Feb. 24, 2026 and check web.config files for hardcoded machineKey values. Watch for indicators of ViewState deserialization exploitation and for web-server modifications that prompt downloads of “security authentication” components, plus detection of in-memory web shells such as Godzilla and Cobalt Strike beacons.
  • Affected enterprises and IT procurement leaders: Confirm whether vendor-supplied standardized configurations were applied and require vendors to remove shared, hardcoded cryptographic keys from distributed configuration files. If an organization-specific encryption key is observed in an attacker payload, assume targeted preparation and prioritize incident response accordingly.

The KnowledgeDeliver case is a clear illustration of an old failure mode: cryptographic secrets distributed as plain text across deployments become single points of failure. Here, identical machineKey values converted a vulnerability in ViewState handling into a broad, unauthenticated remote-execution vector that yielded staged implants, a tailored payload, and a persistent Godzilla web shell. Mandiant’s timeline — an incident response in late 2025 and vendor configurations in place before Feb. 24, 2026 — places this event in a thread of machineKey abuses that security teams have repeatedly seen, and that defenders will need to address directly in vendor configurations and post-deployment validation.

Read the original BleepingComputer report: https://www.bleepingcomputer.com/news/security/knowledgedeliver-flaw-exploited-as-a-zero-day-to-install-web-shells/