
The KnowledgeDeliver flaw was used as a zero-day to install web shells

Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.

The bug, tracked as CVE-2026-5426, is a ViewState deserialization issue that can be exploited without authentication. It stems from a hard-coded ASP.NET machine key shipped in the web portal's configuration and shared across all KnowledgeDeliver customer deployments.

ViewState deserialization

Threat actors obtained the machine key and used it in a ViewState deserialization attack: because they could sign malicious ViewState payloads with the server's own validation key, the server accepted and deserialized them, giving the attackers remote code execution at the operating-system level.

Mandiant responded to the attack on the KnowledgeDeliver server in late 2025 and says the vulnerability was initially exploited as a zero-day to inject malicious script into the web environment.

The exploit was possible due to the use of “the same pre-shared ASP.NET machine keys across multiple client deployments,” the researchers said.

“KnowledgeDeliver installations used before Feb. 24, 2026 depend on a standard web.config file provided by the vendor. This configuration file contains hard-coded machine values used by the ASP.NET framework for data signaling, including ViewState loading,” Mandiant explained.
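The audit script below is an added example, not code from the article, from Mandiant, or from the KnowledgeDeliver vendor. It shows the check a defender would run across a fleet of ASP.NET deployments to catch the two conditions described above: a vendor-supplied web.config with literal (hard-coded) machineKey values, and the same validation key reused by more than one deployment. It also flags legacy MAC algorithms and ViewState MAC being disabled outright. The web.config texts, the key values (obvious repeating hex placeholders) and the deployment names are constructed for the example and are not the vendor's real configuration or keys; the fingerprint function is a local helper so reports never carry the secret itself.

```python
"""
Audit ASP.NET web.config files for the machineKey weaknesses that enable
ViewState deserialization attacks: hard-coded validation/decryption keys,
one validationKey reused across several deployments, legacy algorithms,
and enableViewStateMac="false".
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Algorithm names ASP.NET still accepts but that weaken ViewState protection.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}
LEGACY_DECRYPTION = {"DES", "3DES"}


def _is_hardcoded(value):
    """True when the attribute is a literal hex key rather than the
    'AutoGenerate[,IsolateApps]' directive (or absent)."""
    if value is None or value.strip().upper().startswith("AUTOGENERATE"):
        return False
    try:
        bytes.fromhex(value.strip())
        return True
    except ValueError:
        return False


def fingerprint(key_hex):
    """Short SHA-256 fingerprint so keys can be compared and written into
    tickets or logs without copying the secret itself."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()[:16]


def parse_machine_key(config_xml):
    """Extract the machineKey and <pages> settings relevant to ViewState MAC.
    Defaults assume .NET 4.5+ (validation HMACSHA256, decryption Auto)."""
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    pages = root.find("system.web/pages")
    attrs = mk.attrib if mk is not None else {}
    mac = pages.get("enableViewStateMac", "true") if pages is not None else "true"
    return {
        "validationKey": attrs.get("validationKey"),
        "decryptionKey": attrs.get("decryptionKey"),
        "validation": attrs.get("validation", "HMACSHA256"),
        "decryption": attrs.get("decryption", "Auto"),
        "enableViewStateMac": mac.strip().lower() != "false",
    }


def audit_config(config_xml):
    """Findings for a single deployment's web.config (empty list = clean)."""
    s = parse_machine_key(config_xml)
    findings = []
    if _is_hardcoded(s["validationKey"]):
        findings.append("hard-coded validationKey (fp %s)" % fingerprint(s["validationKey"]))
    if _is_hardcoded(s["decryptionKey"]):
        findings.append("hard-coded decryptionKey (fp %s)" % fingerprint(s["decryptionKey"]))
    if s["validation"].upper() in LEGACY_VALIDATION:
        findings.append("legacy validation algorithm %s" % s["validation"])
    if s["decryption"].upper() in LEGACY_DECRYPTION:
        findings.append("legacy decryption algorithm %s" % s["decryption"])
    if not s["enableViewStateMac"]:
        findings.append("enableViewStateMac=false: ViewState is not integrity-checked")
    return findings


def audit_fleet(configs):
    """configs: {deployment_name: web.config text}. Returns per-deployment
    findings plus every validationKey fingerprint seen on more than one
    deployment, which is the 'shared pre-shared key' condition."""
    per_host = {}
    by_key = defaultdict(list)
    for host, xml_text in configs.items():
        per_host[host] = audit_config(xml_text)
        vkey = parse_machine_key(xml_text)["validationKey"]
        if _is_hardcoded(vkey):
            by_key[fingerprint(vkey)].append(host)
    shared = {fp: hosts for fp, hosts in by_key.items() if len(hosts) > 1}
    for fp, hosts in shared.items():
        for host in hosts:
            others = ", ".join(h for h in hosts if h != host)
            per_host[host].append("validationKey %s shared with %s" % (fp, others))
    return {"findings": per_host, "shared_keys": shared}


# Constructed sample data: placeholder keys and deployment names, not real ones.
PLACEHOLDER_VKEY = "0123456789ABCDEF" * 8   # 64-byte key, obviously synthetic
PLACEHOLDER_DKEY = "FEDCBA9876543210" * 4   # 32-byte key, obviously synthetic

VENDOR_TEMPLATE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="%s" decryptionKey="%s"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""" % (PLACEHOLDER_VKEY, PLACEHOLDER_DKEY)

HARDENED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

SAMPLE_FLEET = {"customer-a": VENDOR_TEMPLATE,
                "customer-b": VENDOR_TEMPLATE,
                "customer-c": HARDENED}

if __name__ == "__main__":
    for host, found in audit_fleet(SAMPLE_FLEET)["findings"].items():
        print(host, "->", found or ["no findings"])
```

The hardened sample uses AutoGenerate,IsolateApps, which is the right answer for a single server; in a web farm the key must be identical on every node of one customer, so there the fix is a freshly generated, customer-unique key rather than the vendor template, and any key that was ever shipped in a template should be treated as compromised and rotated even where no intrusion has been confirmed.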

According to the researchers, the malicious code injected into the site “convinced users to download a fake installer,” which infected their machines with a Cobalt Strike beacon, effectively planting a backdoor.

“The payload was encrypted using a key that used the name of the vulnerable organization, indicating that the threat actor prepared this payload specifically for the target organization,” Mandiant said in a report today.

Delivery of the Godzilla web shell

Mandiant says the threat actor used Godzilla (also known as BlueBeam), a .NET-based in-memory web shell that also featured in a similar attack Microsoft observed in late 2024.

In August 2024, researchers at the cybersecurity company ASEC also reported Godzilla being deployed in ASP.NET environments through ViewState deserialization attacks targeting companies in the financial sector.

Mandiant notes that the threat actor who compromised the KnowledgeDeliver instance issued commands to expand their control over the web server’s file system.

This allowed them to modify the application’s JavaScript file with code that prompted users to install a “security verification plugin” and download a malicious script from an attacker-controlled domain.

Over the past year, attackers have used improperly secured machine keys in ViewState deserialization attacks against web platforms from several vendors.

In March of last year, malicious actors abused a hard-coded machine key to craft a malicious payload that gave them access to Gladinet CentreStack secure file-sharing servers.

In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing a machine key to craft a maliciously signed ViewState payload.

State-sponsored actors also used a ViewState deserialization attack to deploy a reconnaissance tool called WeepSteel on Sitecore servers whose ASP.NET machine key had been exposed.
