KnowledgeDeliver Zero-Day Exploited to Deploy Godzilla Web Shell

Key Takeaways

- CVE-2026-5426 allowed unauthenticated remote code execution via ViewState deserialization attacks
- All KnowledgeDeliver installations before Feb. 24, 2026 used identical hardcoded machine keys
- Attackers deployed the Godzilla web shell and Cobalt Strike beacons for persistent access

Hackers exploited a critical zero-day vulnerability in KnowledgeDeliver, an enterprise learning management system, to deploy the Godzilla web shell and gain persistent access to victim networks. Mandiant disclosed the attack in a report published today.
The flaw, tracked as CVE-2026-5426, is a deserialization vulnerability that requires no authentication to exploit. It exists because KnowledgeDeliver shipped with identical hardcoded ASP.NET machine keys across every customer deployment. Attackers who obtained this key could sign malicious ViewState payloads and achieve remote code execution at the operating system level.

How the Attack Worked

Mandiant responded to an attack on a KnowledgeDeliver server in late 2025. At that time, no patch existed. The vulnerability was exploited as a zero-day to inject malicious scripts into the web platform.
“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.”
— Mandiant
The attackers used the shared machine key to sign malicious ViewState payloads. ViewState is the mechanism ASP.NET uses to preserve page and control values between postbacks; before the server deserializes it, it verifies the payload's signature (MAC) with the machine key. A payload signed with the correct key passes that check, so the server deserializes it and executes the attacker's code without any further security control being triggered.
Once inside, the threat actors deployed Godzilla, a .NET-based in-memory web shell also known as BlueBeam. Microsoft observed similar attacks using Godzilla in late 2024. ASEC reported in August 2024 that the same web shell targeted financial sector companies through ViewState deserialization attacks.

From Web Shell to Cobalt Strike

The attackers escalated their access after deploying the web shell. They executed commands to gain control over the web server's file system, then modified an application JavaScript file with code prompting users to install a fake "security authentication plugin."
The malicious code convinced users to download a fake installer that infected machines with a Cobalt Strike beacon. This gave attackers a persistent backdoor into the compromised organization.
The payload was customized for each victim. According to Mandiant, the encryption key used the name of the compromised organization, indicating the threat actor prepared this payload specifically for the targeted organization.
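The JavaScript tampering described in this section is the step a file-integrity baseline catches. The script below is an added example, not Mandiant's report tooling or the KnowledgeDeliver vendor's code: it hashes every script under a web root, stores the result as a manifest, and reports what was added, removed or modified since the baseline. The demo() walkthrough builds a constructed web root in a temporary directory; the file names and the "showFakePrompt" string are made-up stand-ins for the injected prompt, not indicators from the page.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(web_root, suffixes=(".js",)):
    """Map each tracked file (relative POSIX path) under web_root to its hash."""
    root = Path(web_root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifests(baseline, current):
    """Compare two manifests; any entry in 'modified' or 'added' needs a human look."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed walkthrough: baseline a fake web root, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scripts").mkdir()
        (root / "scripts" / "app.js").write_text("console.log('app');\n")
        (root / "scripts" / "vendor.js").write_text("/* vendor bundle */\n")
        (root / "index.html").write_text("<html></html>\n")  # not a tracked suffix
        manifest_path = root / "baseline.json"               # .json is not tracked either
        save_manifest(build_manifest(root), manifest_path)

        # Simulated tampering of the kind the article describes: an existing script
        # gains injected code and a new script appears. Both strings are made up.
        (root / "scripts" / "app.js").write_text("console.log('app');\nshowFakePrompt();\n")
        (root / "scripts" / "extra.js").write_text("// dropped in after the baseline\n")
        return diff_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest off the web server (an attacker with file-system control can rewrite one stored beside the site), and run the diff on a schedule and again after any incident. Where no earlier baseline exists, hash a clean copy of the vendor's installation files for the same version and compare against that.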

The Hardcoded Key Problem

This attack follows a pattern. Over the past year, hackers have repeatedly exploited improperly secured machine keys in ViewState deserialization attacks. In March 2025, attackers abused a hardcoded machine key to access Gladinet CentreStack's secure file-sharing servers.
The root cause is a fundamental security failure: shipping software with the same cryptographic key across all installations. When one key is compromised, every deployment becomes vulnerable.
Security practitioners on Hacker News criticized this practice as a "default-insecure" configuration and a systemic failure in enterprise software design.

Logicity's Take

What Organizations Should Do

KnowledgeDeliver installations deployed before February 24, 2026 are vulnerable. Organizations should take immediate action.
- Update to the patched version of KnowledgeDeliver immediately
- Generate unique machine keys for your deployment
- Review web server logs for signs of ViewState deserialization attacks
- Hunt for Godzilla web shell indicators and Cobalt Strike beacons
- Check for unauthorized modifications to JavaScript files
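As an added example (not from the article, Mandiant, or the KnowledgeDeliver vendor), the following Python script covers two of the items above: it audits a web.config for the hardcoded machineKey pattern described earlier, and it generates and writes unique replacement keys. The sample config, the deny-list fingerprint it matches against, and the key lengths are constructed assumptions; the real vendor-shipped values are not on this page, and a real deny-list would hold hashes of them.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET


def key_fingerprint(key_hex: str) -> str:
    """Hash a key value so it can be checked against a deny-list without storing the key."""
    return hashlib.sha256(key_hex.strip().lower().encode()).hexdigest()


# Constructed stand-in for a vendor-supplied web.config with fixed keys. These values
# are made up for the example; they are not the keys KnowledgeDeliver actually shipped.
SAMPLE_SHARED_VALIDATION_KEY = "CAFEBABE" + "00" * 28   # 64 hex chars, constructed
SAMPLE_SHARED_DECRYPTION_KEY = "DEADBEEF" + "00" * 12   # 32 hex chars, constructed
VENDOR_STYLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_SHARED_VALIDATION_KEY}"
                decryptionKey="{SAMPLE_SHARED_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""
KNOWN_SHARED_FINGERPRINTS = {key_fingerprint(SAMPLE_SHARED_VALIDATION_KEY),
                             key_fingerprint(SAMPLE_SHARED_DECRYPTION_KEY)}

WEAK_VALIDATION = {"MD5", "SHA1"}   # Microsoft recommends HMACSHA256 or stronger
WEAK_DECRYPTION = {"DES", "3DES"}   # Microsoft recommends AES


def find_machine_key(config_xml: str):
    """Return the attributes of <system.web><machineKey>, or None if it is absent."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    return None if node is None else dict(node.attrib)


def assess_machine_key(config_xml: str, shared_fingerprints=KNOWN_SHARED_FINGERPRINTS):
    """Return a list of findings; an empty list means nothing in the element looked wrong."""
    mk = find_machine_key(config_xml)
    if mk is None:
        # No element means ASP.NET auto-generates per-server keys: safe on one server,
        # but ViewState will not validate across the nodes of a web farm.
        return ["no <machineKey>: keys are auto-generated per server (fine unless this is a web farm)"]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue
        if key_fingerprint(value) in shared_fingerprints:
            findings.append(f"{attr} matches a key known to be shared across installations")
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append(f"validation={mk['validation']} is weak; use HMACSHA256")
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={mk['decryption']} is weak; use AES")
    if mk.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false is set (ignored since .NET 4.5.2, but remove it)")
    return findings


def generate_machine_key():
    """Fresh random keys: 64 bytes for the HMAC validation key, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str, new_key=None) -> str:
    """Return the config text with <machineKey> replaced (or inserted) using unique values."""
    new_key = new_key or generate_machine_key()
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    node = system_web.find("machineKey")
    if node is None:
        node = ET.SubElement(system_web, "machineKey")
    node.attrib.clear()
    node.attrib.update(new_key)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in assess_machine_key(VENDOR_STYLE_WEB_CONFIG):
        print("FINDING:", finding)
    rotated = rotate_machine_key(VENDOR_STYLE_WEB_CONFIG)
    print("after rotation:", assess_machine_key(rotated) or "no findings")
```

Rotating the key invalidates ViewState in flight and any forms-authentication tickets signed with the old key, so do it in a maintenance window. In a web farm, every node of one deployment must share the new key, but each deployment gets its own; that is the difference between a farm-wide key and the vendor-wide key this attack abused. The script assumes the keys live in the site's own web.config under system.web; the article names the file but not KnowledgeDeliver's exact layout.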
If your organization ran a vulnerable version, treat it as a potential breach. The zero-day was exploited before the patch existed, meaning attackers may already have access.

Frequently Asked Questions

What is CVE-2026-5426?

CVE-2026-5426 is a critical deserialization vulnerability in the KnowledgeDeliver learning management system. It allows unauthenticated attackers to execute remote code by exploiting a shared hardcoded ASP.NET machine key.

What is the Godzilla web shell?

Godzilla, also known as BlueBeam, is a .NET-based in-memory web shell. Attackers use it to maintain persistent access to compromised servers and execute commands remotely.

Which KnowledgeDeliver versions are affected?

All KnowledgeDeliver installations deployed before February 24, 2026 are vulnerable. These versions used a standardized web.config file with hardcoded machine key values.

What is a ViewState deserialization attack?

ViewState is an ASP.NET mechanism that preserves page data between postbacks. When attackers know the machine key used to sign ViewState, they can craft malicious payloads that execute code on the server when deserialized.

How do I know if my KnowledgeDeliver server was compromised?

Check for unauthorized modifications to JavaScript files, look for Godzilla web shell indicators in memory, and search for Cobalt Strike beacons. Review web server logs for unusual ViewState submissions.
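For the "review web server logs for unusual ViewState submissions" step here and in the action list above, the following Python hunt over IIS W3C-format logs is an added example, not Mandiant's or the vendor's tooling. The log excerpt is constructed (no real traffic or indicators), and the signal weights, the 20,000-byte body threshold and the "non-browser user agent" test are assumptions that should be tuned against a clean baseline of the application's normal postback sizes.

```python
from collections import defaultdict

# Constructed IIS log excerpt using the default W3C field selection. Every line is
# made up for this example. IIS writes "+" for spaces inside the User-Agent field.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-01-15 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2026-01-15 09:00:01 10.0.0.5 GET /lms/Login.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 18231 412 35
2026-01-15 09:00:07 10.0.0.5 POST /lms/Login.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) https://lms.example/lms/Login.aspx 302 0 0 310 1870 52
2026-01-15 09:01:13 10.0.0.5 POST /lms/Default.aspx - 443 - 198.51.100.7 python-requests/2.31 - 500 0 0 5120 41877 148
2026-01-15 09:01:14 10.0.0.5 POST /lms/Default.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 1030 43120 211
2026-01-15 09:02:30 10.0.0.5 GET /lms/Default.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 1030 390 40
"""

# Assumed threshold: larger than any legitimate postback seen in a clean baseline.
LARGE_POST_BYTES = 20000


def parse_w3c(log_text: str):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def score_request(rec: dict):
    """Return (weight, reason) signals that make one request look like ViewState abuse."""
    signals = []
    if not rec["cs-uri-stem"].lower().endswith(".aspx"):
        return signals
    if rec["cs-method"] == "POST":
        if int(rec["cs-bytes"]) > LARGE_POST_BYTES:
            signals.append((2, f"POST body of {rec['cs-bytes']} bytes exceeds {LARGE_POST_BYTES}"))
        if rec["cs(Referer)"] == "-":
            signals.append((1, "postback without a Referer (not submitted from a rendered page)"))
    if not rec["cs(User-Agent)"].startswith("Mozilla/"):
        signals.append((1, f"non-browser client: {rec['cs(User-Agent)']}"))
    if rec["sc-status"] == "500":
        signals.append((1, "request ended in HTTP 500 (a faulted payload often does)"))
    return signals


def hunt_viewstate_abuse(log_text: str, threshold: int = 3):
    """Group requests whose combined signal weight reaches the threshold, by client IP."""
    hits = defaultdict(list)
    for rec in parse_w3c(log_text):
        signals = score_request(rec)
        total = sum(weight for weight, _ in signals)
        if total >= threshold:
            hits[rec["c-ip"]].append({
                "time": rec["time"],
                "uri": rec["cs-uri-stem"],
                "score": total,
                "reasons": [reason for _, reason in signals],
            })
    return dict(hits)


if __name__ == "__main__":
    for client, events in hunt_viewstate_abuse(SAMPLE_IIS_LOG).items():
        print(client)
        for event in events:
            print(f"  {event['time']} {event['uri']} score={event['score']}: {event['reasons']}")
```

The heuristics lean on request size and client behaviour because, in this incident, the attackers held the real machine key: their payloads pass MAC validation, so the ASP.NET ViewState-verification-failure events that normally flag tampered ViewState never fire. Feed the function whole log files, then pivot from any flagged client IP to process creation under the w3wp.exe worker process and to the JavaScript-integrity check for the time window in question.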

Source: BleepingComputer
By Manaal Khan, Tech & Innovation Writer