Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.
The flaw is a deserialization issue tracked as CVE-2026-5426 and can be exploited without authentication. It stems from the use of a shared hardcoded machine key in the web portal configuration across all KnowledgeDeliver customer deployments.
Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads and achieve remote code execution at the operating system level.
Mandiant in late 2025 responded to an attack on a KnowledgeDeliver server and says that initially, the vulnerability was exploited as a zero-day to inject a malicious script into the web platform.
Exploitation was possible because of the use of “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the researchers said.
“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file supplied by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” Mandiant explains.
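As an added, defender-side illustration (not code from the article, Mandiant, or the KnowledgeDeliver vendor): a Python audit that parses web.config files, flags literal machineKey values in place of AutoGenerate, reports a key reused across deployments, and emits a unique replacement element for each. The deployment names, sample configs and the key value are constructed placeholders.

```python
"""Audit ASP.NET web.config files for hardcoded, shared <machineKey> values."""
from __future__ import annotations
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs for three hypothetical deployments. A and B ship
# the same vendor-supplied literal keys (the pattern the article describes);
# C leaves key generation to ASP.NET. The key value is only a placeholder.
SHARED_KEY = "A1B2" * 32  # 128 hex chars = 64-byte HMACSHA256 validation key
_TPL = ('<configuration><system.web><machineKey {attrs}/>'
        '</system.web></configuration>')
_LITERAL = ('validationKey="{v}" decryptionKey="{d}" '
            'validation="HMACSHA256" decryption="AES"')
CONFIGS = {
    "deployment-A": _TPL.format(attrs=_LITERAL.format(v=SHARED_KEY, d=SHARED_KEY[:64])),
    "deployment-B": _TPL.format(attrs=_LITERAL.format(v=SHARED_KEY.lower(), d=SHARED_KEY[:64])),
    "deployment-C": _TPL.format(attrs='validationKey="AutoGenerate,IsolateApps" '
                                'decryptionKey="AutoGenerate,IsolateApps"'),
}

def machine_key(config_xml: str) -> dict | None:
    """Return <machineKey> attributes, or None when the element is absent."""
    sw = ET.fromstring(config_xml).find("system.web")
    el = None if sw is None else sw.find("machineKey")
    return None if el is None else dict(el.attrib)

def is_hardcoded(attrs: dict | None) -> bool:
    """True when either key is a literal value rather than AutoGenerate."""
    if attrs is None:
        return False  # no element at all: ASP.NET auto-generates both keys
    return any(not attrs.get(k, "AutoGenerate").startswith("AutoGenerate")
               for k in ("validationKey", "decryptionKey"))

def shared_keys(configs: dict[str, str]) -> dict[str, list[str]]:
    """Map each literal validationKey to the deployments that reuse it."""
    seen: dict[str, list[str]] = defaultdict(list)
    for name, xml in configs.items():
        attrs = machine_key(xml)
        if is_hardcoded(attrs):
            seen[attrs["validationKey"].upper()].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def fresh_machine_key() -> str:
    """Per-deployment replacement with random keys from the OS CSPRNG:
    64 bytes for HMACSHA256 validation, 32 bytes for AES decryption."""
    return "<machineKey " + _LITERAL.format(
        v=secrets.token_hex(64).upper(), d=secrets.token_hex(32).upper()) + "/>"
```

Running `shared_keys(CONFIGS)` reports the key shared by deployments A and B; each affected deployment then gets its own `fresh_machine_key()` output.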
According to the researchers, the malicious code on the platform “convinced users to download a fake installer,” which resulted in the machine getting infected with a Cobalt Strike beacon, effectively planting a backdoor.
“The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant says in a report today.
Mandiant says the threat actor deployed the .NET-based in-memory web shell, Godzilla (a.k.a. BlueBeam), which has also been used in similar attacks observed by Microsoft in late 2024.
In August 2024, researchers at cybersecurity firm ASEC had also reported that Godzilla was being deployed in ASP.NET environments in ViewState deserialization attacks targeting companies in the financial sector.
Mandiant notes that the threat actor compromising KnowledgeDeliver instances executed commands to escalate their control over the web server’s file system.
This allowed them to modify an application JavaScript file with code that prompted users to install a “security authentication plugin” and to load a malicious script from a domain under the attacker’s control.
Over the past year, hackers have used improperly secured machine keys in ViewState deserialization attacks targeting web platforms for various products.
In March last year, threat actors abused a hardcoded machine key to craft a malicious payload that allowed access to Gladinet CentreStack’s web file-sharing servers.
In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads.
State-sponsored actors also used ViewState deserialization attacks to deploy a reconnaissance tool named WeepSteel on Sitecore servers that exposed the ASP.NET machine key.