
A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a learning management system (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately to deploy Cobalt Strike Beacon.
The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of a hardcoded ASP.NET machine key, which enables unauthenticated remote code execution via a ViewState deserialization attack. Exploitation of publicly available ASP.NET machine keys was first documented by Microsoft in February 2025.
“An unknown attacker used this access to inject malicious code into the LMS platform with the goal of infecting users who visited the site,” Google Mandiant and the Google Threat Intelligence Group (GTIG) said in a statement.
This security flaw affected deployments of Digital Knowledge KnowledgeDeliver prior to February 24, 2026. It is worth noting that similar vulnerabilities in Sitecore Experience Manager (XM), Gladinet CentreStack, and TrioFox were also exploited by threat actors.
The root cause is that the KnowledgeDeliver installation relies on a standardized vendor-provided web.config file containing a hard-coded machineKey value, which the ASP.NET framework uses to encrypt and sign data, including the ViewState payload.
As a result, an attacker who obtains a key from one deployment can potentially misuse that key to compromise other Internet-facing KnowledgeDeliver instances.
“ASP.NET ViewState preserves page state between postbacks,” Google said. “Once the machineKey is known, a threat actor can create a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the threat actor can have the server deserialize it.”
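As an added defensive illustration (not code from Google's report or from the vendor), the script below audits a web.config for the pattern described above: a static, template-supplied machineKey, a weak validation algorithm, or MAC checking turned off, and shows the hardened form beside the weak one. The sample configs and the "known shared key" fingerprint set are constructed for the example; the vendor's real key values are not on this page and are not reproduced here.

```python
"""Audit an ASP.NET web.config for the static machineKey pattern behind CVE-2026-5426."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of a vendor-template web.config with static keys (dummy values).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Hardened form: ASP.NET generates per-server, per-application keys instead.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# SHA-256 fingerprints of validationKeys known to be shared. Constructed here; in
# practice populate from the vendor template or a published list of leaked keys.
KNOWN_SHARED = {hashlib.sha256(b"0123456789ABCDEF" * 4).hexdigest()}

def audit_machine_key(xml_text: str) -> list[str]:
    """Return findings about <machineKey>; an empty list means nothing was flagged."""
    findings = []
    web = ET.fromstring(xml_text).find("system.web")
    mk = web.find("machineKey") if web is not None else None
    if mk is None:
        return findings  # no explicit element: ASP.NET auto-generates keys by default
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    for name, val in (("validationKey", vkey), ("decryptionKey", dkey)):
        if not val.startswith("AutoGenerate"):
            findings.append(f"static {name}: anyone holding the template can forge ViewState")
    if hashlib.sha256(vkey.encode()).hexdigest() in KNOWN_SHARED:
        findings.append("validationKey matches a known shared/leaked key fingerprint")
    if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
        findings.append("weak validation algorithm; use HMACSHA256 or stronger")
    pages = web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState integrity is not checked at all")
    return findings
```

On a web farm the AutoGenerate setting is not usable, because every node must hold the same key; there the key must be generated by the operator and kept unique to that deployment rather than copied from a template.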
Observed activity related to CVE-2026-5426 shows attackers deploying the Godzilla (aka BLUEBEAM) web shell, which gives them the ability to execute commands and drop additional payloads.
Among the commands executed was one that granted “everyone” full access to the web application directory, giving the attackers greater control over the web server’s file system. They then modified the application’s JavaScript files, adding code that displayed fake security warnings and prompted users to install a “security authentication plugin.”
In parallel, the unauthorized modification made it possible to surreptitiously load a malicious script hosted on an attacker-controlled domain. This script tricked users into downloading a fake installer that ultimately infected their machines with Cobalt Strike Beacon.
“The payload was encrypted using a key with the name of the compromised organization, indicating that the threat actor prepared this payload specifically for the targeted organization,” Google said.
“The KnowledgeDeliver exploit highlights the serious risks of using shared secrets in deployment templates. Compromise of a single key can compromise the entire ecosystem of an installation. By implementing proprietary secrets and robust endpoint monitoring, organizations can defend against these deserialization attacks.”
