Key Takeaways

- CVE-2026-5426 allowed unauthenticated remote code execution via ViewState deserialization attacks
- All KnowledgeDeliver installations before Feb. 24, 2026 used identical hardcoded machine keys
- Attackers deployed the Godzilla web shell and Cobalt Strike beacons for persistent access
Hackers exploited a critical zero-day vulnerability in KnowledgeDeliver, an enterprise learning management system, to deploy the Godzilla web shell and gain persistent access to victim networks. Mandiant disclosed the attack in a report published today.
The flaw, tracked as CVE-2026-5426, is a deserialization vulnerability that requires no authentication to exploit. It exists because KnowledgeDeliver shipped with identical hardcoded ASP.NET machine keys across every customer deployment. Attackers who obtained this key could sign malicious ViewState payloads and achieve remote code execution at the operating system level.
How the Attack Worked
Mandiant responded to an attack on a KnowledgeDeliver server in late 2025. At that time, no patch existed. The vulnerability was exploited as a zero-day to inject malicious scripts into the web platform.
“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.”
— Mandiant
The attackers used ViewState deserialization to sign malicious payloads. ViewState is a mechanism ASP.NET uses to preserve page and control values between postbacks. When signed with the correct machine key, a malicious ViewState payload executes code on the server without triggering security checks.
Once inside, the threat actors deployed Godzilla, a .NET-based in-memory web shell also known as BlueBeam. Microsoft observed similar attacks using Godzilla in late 2024. ASEC reported in August 2024 that the same web shell targeted financial sector companies through ViewState deserialization attacks.
From Web Shell to Cobalt Strike
The attackers escalated their access after deploying the web shell. They executed commands to gain control over the web server's file system, then modified an application JavaScript file with code prompting users to install a fake "security authentication plugin."
The malicious code convinced users to download a fake installer that infected machines with a Cobalt Strike beacon. This gave attackers a persistent backdoor into the compromised organization.
The payload was customized for each victim. According to Mandiant, the encryption key used the name of the compromised organization, indicating the threat actor prepared this payload specifically for the targeted organization.
The Hardcoded Key Problem
This attack follows a pattern. Over the past year, hackers have repeatedly exploited improperly secured machine keys in ViewState deserialization attacks. In March 2025, attackers abused a hardcoded machine key to access Gladinet CentreStack's secure file-sharing servers.
The root cause is a fundamental security failure: shipping software with the same cryptographic key across all installations. When one key is compromised, every deployment becomes vulnerable.
Security practitioners on Hacker News criticized this practice as a "default-insecure" configuration and a systemic failure in enterprise software design.


Logicity's Take
What Organizations Should Do
KnowledgeDeliver installations deployed before February 24, 2026 are vulnerable. Organizations should take immediate action.
- Update to the patched version of KnowledgeDeliver immediately
- Generate unique machine keys for your deployment
- Review web server logs for signs of ViewState deserialization attacks
- Hunt for Godzilla web shell indicators and Cobalt Strike beacons
- Check for unauthorized modifications to JavaScript files
If your organization ran a vulnerable version, treat it as a potential breach. The zero-day was exploited before the patch existed, meaning attackers may already have access.
Another recent breach involving enterprise systems and attacker persistence
Another example of default-insecure configurations creating security risks
Frequently Asked Questions
What is CVE-2026-5426?
CVE-2026-5426 is a critical deserialization vulnerability in the KnowledgeDeliver learning management system. It allows unauthenticated attackers to execute remote code by exploiting a shared hardcoded ASP.NET machine key.
What is the Godzilla web shell?
Godzilla, also known as BlueBeam, is a .NET-based in-memory web shell. Attackers use it to maintain persistent access to compromised servers and execute commands remotely.
Which KnowledgeDeliver versions are affected?
All KnowledgeDeliver installations deployed before February 24, 2026 are vulnerable. These versions used a standardized web.config file with hardcoded machine key values.
What is a ViewState deserialization attack?
ViewState is an ASP.NET mechanism that preserves page data between postbacks. When attackers know the machine key used to sign ViewState, they can craft malicious payloads that execute code on the server when deserialized.
How do I know if my KnowledgeDeliver server was compromised?
Check for unauthorized modifications to JavaScript files, look for Godzilla web shell indicators in memory, and search for Cobalt Strike beacons. Review web server logs for unusual ViewState submissions.
Need Help Implementing This?
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
Browse all
SD-WAN Security Flaw: What CEOs Must Do by Friday
CISA has flagged an actively exploited vulnerability in Cisco's SD-WAN Manager, giving federal agencies just four days to patch. For enterprises running Cisco SD-WAN infrastructure, this isn't just a government mandate. It's a wake-up call about network security debt that could cost millions in breach response.

Apache ActiveMQ Vulnerability: 6,400 Servers at Risk
A critical 13-year-old security flaw in Apache ActiveMQ is now being actively exploited, putting over 6,400 enterprise message brokers at immediate risk. For businesses running Java applications, this vulnerability could mean unauthorized code execution on your servers. CISA has ordered federal agencies to patch by April 30, signaling the severity of this threat.

KelpDAO Hack: $290M Crypto Heist Hits DeFi Protocols
North Korean state hackers allegedly stole $290 million from KelpDAO by exploiting cross-chain verification systems. The attack forced major lending protocols including Aave to freeze operations, raising urgent questions about DeFi security for institutional investors.

Seiko USA Breach 2026: What E-Commerce Leaders Must Know
The Seiko USA website defacement exposes critical vulnerabilities in Shopify-based retail operations. This attack demonstrates how threat actors are increasingly targeting brand-name companies through their e-commerce platforms, with potential customer data exposure and ransom demands creating both financial and reputational risks for businesses of all sizes.



