Executive Summary
In late 2025, attackers exploited a zero-day vulnerability (CVE-2026-5426) in Digital Knowledge's KnowledgeDeliver Learning Management System (LMS). This flaw, stemming from hardcoded ASP.NET machineKey values across deployments, allowed unauthenticated remote code execution via malicious ViewState deserialization. Exploiting this, threat actors deployed the Godzilla (BlueBeam) web shell, enabling further system compromise and the distribution of Cobalt Strike beacons to users through malicious scripts embedded in the platform.
This incident underscores the critical risks associated with default configurations and hardcoded cryptographic keys in web applications. The exploitation of such vulnerabilities highlights the necessity for organizations to implement unique, secure configurations and to stay vigilant against emerging threats targeting widely-used platforms.
Why This Matters Now
The active exploitation of CVE-2026-5426 in KnowledgeDeliver LMS demonstrates the ongoing threat posed by zero-day vulnerabilities in widely-used platforms. Organizations must prioritize updating default configurations and implementing unique cryptographic keys to mitigate such risks.
Attack Path Analysis
Attackers exploited a hard-coded machineKey in KnowledgeDeliver to execute remote code, deployed the Godzilla web shell for persistent access, escalated privileges to manipulate the web server's file system, moved laterally to infect user systems via malicious scripts, established command and control through Cobalt Strike beacons, and exfiltrated sensitive data from compromised systems.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the hard-coded ASP.NET/IIS machineKey in KnowledgeDeliver deployments prior to February 24, 2026, allowing them to bypass ViewState validation and execute remote code.
Related CVEs
CVE-2026-5426
CVSS 9.1A hard-coded ASP.NET/IIS machineKey in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026, allows adversaries to bypass ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks.
Affected Products:
Digital Knowledge KnowledgeDeliver – < 2026-02-24
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: PowerShell
Server Software Component: Web Shell
Valid Accounts
Exploitation for Defense Evasion
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Management
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Higher Education/Acadamia
Learning management systems like KnowledgeDeliver are critical infrastructure in education, making institutions highly vulnerable to web application exploitation and data breaches.
E-Learning
Digital learning platforms face severe risk from ViewState deserialization attacks, potentially compromising student data and educational content delivery through web shell deployment.
Financial Services
Previously targeted by Godzilla web shell attacks via ASP.NET vulnerabilities, requiring enhanced egress security and anomaly detection for web application protection.
Information Technology/IT
IT service providers managing web applications face critical exposure to zero-day exploits requiring multicloud visibility, threat detection, and secure hybrid connectivity controls.
Sources
- KnowledgeDeliver flaw exploited as a zero-day to install web shellshttps://www.bleepingcomputer.com/news/security/knowledgedeliver-flaw-exploited-as-a-zero-day-to-install-web-shells/Verified
- KnowledgeDeliver ViewState Deserialization Vulnerabilityhttps://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerabilityVerified
- MNDT-2026-0009: KnowledgeDeliver ViewState Deserialization Vulnerabilityhttps://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.mdVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly within the cloud fabric, potentially limiting the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute remote code may have been constrained, reducing the likelihood of successful initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and manipulate the web server's file system could have been limited, reducing the scope of their control.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally and infect user systems may have been constrained, limiting the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels could have been limited, reducing their remote control capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, limiting data loss.
The overall impact of the attack could have been reduced, limiting unauthorized access and service disruptions.
Impact at a Glance
Affected Business Functions
- Learning Management System Operations
- User Authentication Services
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of user credentials and course materials.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- • Deploy Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.
- • Utilize Cloud Firewall (ACF) to control outbound traffic and prevent unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Regularly update and patch systems to mitigate vulnerabilities like CVE-2026-5426.



