Zero‑day in KnowledgeDeliver LMS exploited to install web shells
At a glance:
- Zero‑day CVE‑2026‑5426 in KnowledgeDeliver LMS allows unauthenticated remote code execution
- Godzilla web shell (aka BlueBeam) deployed via ViewState deserialization
- Mandiant report links exploit to hardcoded ASP.NET machineKey across customer sites
Exploitation and the Godzilla web shell
The flaw, tracked as CVE‑2026‑5426, is a deserialization bug in the ASP.NET ViewState component that lets an attacker craft malicious payloads. Because every KnowledgeDeliver installation from before February 24, 2026 shipped with the same hardcoded machineKey in its web.config, one cryptographic key could be reused across thousands of sites. Threat actors used that key to sign malicious ViewState data, achieving remote code execution at the operating‑system level without any credentials. Mandiant’s investigation, disclosed in a report released in late 2025, showed that the initial compromise began with a fake installer that dropped a Cobalt Strike beacon onto the compromised server. The beacon was protected by an encryption key that incorporated the name of the targeted organization, indicating a highly tailored payload. The attackers then used the foothold to modify a JavaScript file, prompting users to download a counterfeit security plugin and retrieve a malicious script from a command‑and‑control domain.
Mandiant’s Findings and Mitigation
Mandiant first observed the vulnerability being actively exploited in the wild during an incident response engagement in October 2025. The researchers confirmed that the malicious ViewState payloads were indistinguishable from legitimate session data, evading routine integrity checks. Because the machineKey was embedded in the vendor‑supplied configuration, any site that had not manually overridden it remained vulnerable until a patch was applied. The vendor has since released an out‑of‑band update that replaces the hardcoded key with a randomly generated value and adds validation for ViewState signatures. Customers are advised to upgrade to the latest KnowledgeDeliver version and to rotate any custom machineKey settings immediately. Mandiant also recommends conducting a full inventory of affected servers and scanning for the Godzilla shell artifact, which leaves a distinctive file named godzilla.aspx in the web root.
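The root cause described above (one vendor‑shipped machineKey signing ViewState for every deployment) and the rotation advice in this section both come down to one audit question: which of my web.config files carry a static key, and do any two sites share it? The script below is an added example, not KnowledgeDeliver's or Mandiant's code; the web.config fragments and key values are constructed placeholders, and the site names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config fragments for hypothetical sites. The key
# values are placeholders, not the real vendor-supplied KnowledgeDeliver key.
SITE_A_CONFIG = """<configuration><system.web>
  <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
SITE_B_CONFIG = SITE_A_CONFIG  # second deployment shipped with the same default
HARDENED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""


def static_keys(config_xml: str) -> dict:
    """Return {attribute: value} for machineKey attributes holding a static key.

    ASP.NET generates per-server keys when the element is absent or an
    attribute is set to AutoGenerate, so only explicit values are reported."""
    node = ET.fromstring(config_xml).find(".//machineKey")
    if node is None:
        return {}
    found = {}
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "AutoGenerate")
        if not value.upper().startswith("AUTOGENERATE"):
            found[attr] = value
    return found


def shared_key_report(configs: dict) -> dict:
    """Group site names by a fingerprint of their static validationKey.

    A fingerprint with more than one site is the condition the article
    describes: one key can sign ViewState for every site that shares it."""
    groups = defaultdict(list)
    for site, xml in configs.items():
        keys = static_keys(xml)
        if "validationKey" in keys:
            fp = hashlib.sha256(keys["validationKey"].encode()).hexdigest()[:16]
            groups[fp].append(site)
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


if __name__ == "__main__":
    fleet = {"lms-a": SITE_A_CONFIG, "lms-b": SITE_B_CONFIG, "lms-c": HARDENED_CONFIG}
    for fp, sites in shared_key_report(fleet).items():
        print(f"validationKey {fp} shared by {len(sites)} sites: {', '.join(sites)}")
```

Any site listed in the report needs a unique key (or AutoGenerate) and, as the section notes, a restart that invalidates ViewState signed under the old key.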
Broader Context and Outlook
The same class of ViewState deserialization bugs has been abused in unrelated incidents, including a March 2025 attack on Gladinet CentreStack that compromised file‑sharing servers using a hardcoded key. In July 2025, attackers leveraged the technique to compromise 85 Microsoft SharePoint installations, demonstrating the cross‑vendor reach of the flaw. State‑sponsored groups have also weaponized the vulnerability on Sitecore servers, deploying a reconnaissance tool named WeepSteel that exfiltrates the machineKey for further targeting. Security analysts expect additional zero‑day disclosures in the LMS sector as attackers continue to probe shared configuration weaknesses. Organizations are urged to adopt network segmentation and strict outbound filtering to limit post‑exploitation beacon communication. Continued monitoring of threat intel feeds for new Godzilla or similar .NET‑based web shells will be essential to detect repeat attempts before they achieve persistence.
FAQ
What is the CVE identifier linked to the KnowledgeDeliver zero‑day exploit?
Which web shell did the attackers deploy after gaining access?
What mitigation steps does Mandiant recommend for affected KnowledgeDeliver installations?
Prepared by the editorial stack from public data and external sources.