Skip to main content
Emerging ThreatsMalware & Ransomware

KnowledgeDeliver LMS Flaw Exploited to Deploy Malware

Laptop on student desk shows login screen in bright campus library setting.

"An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site," Google Mandiant and Google Threat Intelligence Group (GTIG) said.

CVE-2026-5426: a predictable secret became a remote code execution vector

The vulnerability, tracked as CVE-2026-5426 and carrying a CVSS score of 7.5, resulted from KnowledgeDeliver installations shipping with a standardized web.config file that contained hard-coded ASP.NET machineKey values. Those keys are used by the ASP.NET framework to encrypt and sign state data, including ViewState payloads. When the machineKey is known, an attacker can craft a malicious ViewState payload and force the server to deserialize it — producing unauthenticated remote code execution.

The abusive technique is not wholly new: the exploitation of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, and the KnowledgeDeliver issue made that risk concrete for deployments prior to February 24, 2026. The affected product — Digital Knowledge KnowledgeDeliver, a learning management system popular in Japan — has since been patched.

How the attackers turned a deserialization flaw into a covert install of Cobalt Strike

Google Mandiant and GTIG trace the observed intrusion through several discrete steps. Exploitation of the ViewState deserialization delivered the Godzilla web shell (aka BLUEBEAM), which gave the attacker command execution on the web server.

  • The actor executed commands to escalate file-system control, explicitly granting "Everyone" complete access to the web application directory.
  • They modified an application JavaScript file to show a fake security alert that urged users to install a "security authentication plugin."
  • The altered page loaded a malicious script from an attacker-controlled domain, which in turn convinced site visitors to download a fake installer.
  • The installer delivered Cobalt Strike Beacon to infected endpoints; the payload was encrypted with a key incorporating the compromised organization's name, indicating the attacker prepared organization-specific payloads.

Scope, related incidents, and the ecosystem risk

Google noted the flaw affected KnowledgeDeliver deployments that had not been updated prior to February 24, 2026. The report also situates this incident among similar exploitation patterns: Sitecore Experience Manager (XM) and Gladinet CentreStack and TrioFox have previously been abused by threat actors leveraging analogous weaknesses in shared or publicly disclosed secrets. The common thread is reuse or leakage of standardized secrets across multiple installations — a single leaked key can compromise an entire ecosystem.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: The attack underscores the risk in deployment templates that include hard-coded secrets. Google recommends implementing unique secrets per deployment and maintaining robust endpoint monitoring so deserialization attacks and post-exploitation modifications (for example, JavaScript tampering or unauthorized file-permission changes) can be detected.
  • Procurement leaders and IT buyers: Relying on vendor-supplied default configurations can create systemic exposure across customer environments. Buyers should require documentation of secret management practices and validate that vendors do not distribute standardized machineKey values or equivalent shared secrets.
  • End users and administrators of LMS deployments: Sites should confirm they have applied the patch and inspect web-facing JavaScript and other assets for unauthorized changes; the observed social-engineering step presented a fake security prompt designed to trick visitors into installing a malicious "plugin."

Conclusion

The KnowledgeDeliver incident is a compact demonstration of how a single operational decision — shipping identical machineKey values in a supplied configuration file — can turn a platform into an avenue for both server-side compromise and downstream endpoint infection. The chain from a ViewState deserialization to Godzilla web shell implantation to tailored Cobalt Strike Beacon deliveries shows that attackers will combine server misconfiguration, web-level tampering, and user-facing social engineering in a single campaign. Google’s closing prescription — unique secrets per deployment plus robust monitoring — maps precisely to the failure vector that allowed this intrusion.

Original story