Threat actors exploited a critical zero-day vulnerability in KnowledgeDeliver to achieve unauthenticated remote code execution and deploy the Godzilla web shell, a powerful post-exploitation tool commonly used in advanced cyber intrusions.
The vulnerability, tracked as CVE-2026-5426, stems from insecure ASP.NET configuration practices involving shared hardcoded machine keys across customer deployments.
The incident highlights the growing security risks associated with ViewState deserialization attacks, particularly in enterprise web applications relying on improperly managed cryptographic keys.
Root Cause: Shared ASP.NET Machine Keys
The vulnerability originated from the use of identical pre-shared ASP.NET machineKey values embedded within standardized web.config files distributed across multiple KnowledgeDeliver installations.
In ASP.NET, the machineKey element supplies the validationKey and decryptionKey that the framework uses to:
- Compute and verify the MAC over ViewState (and event validation data), which is what lets the server trust what a postback sends back
- Encrypt ViewState when viewStateEncryptionMode is enabled
- Sign and encrypt forms-authentication tickets and other cookie-based tokens
When the same keys are shipped to many deployments, anyone who obtains one copy, whether from a single installation, a backup, or the vendor's install media, can produce payloads that every other deployment will accept as genuine, bypassing the controls that depend on those keys.
According to incident analysis, KnowledgeDeliver deployments created before February 24, 2026 relied on these shared machine keys, creating a widespread attack surface across customer environments.
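The first thing a practitioner wants after reading this is a way to find the pattern in their own estate: the same machineKey in more than one web.config. The audit below is an added example, not code from the vendor or the incident responders; it parses a set of web.config files, correlates keys by a short hash so the report never prints the secret, and also flags a legacy validation algorithm or a disabled MAC check. The three config fragments are constructed for the demo; point scan_configs() at the real files of every deployment you operate.

```python
"""Audit ASP.NET web.config files for shared or static machineKey values.

Added example, not vendor or incident-response code. SAMPLE_CONFIGS is
constructed: customers A and B shipped with one shared key (the pattern
described above); customer C has its own key but has switched the MAC
check off in <pages>.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

SHARED_VALIDATION = "AB" * 64   # 128 hex chars, the size IIS generates for HMACSHA256
SHARED_DECRYPTION = "CD" * 32   # 64 hex chars, the size IIS generates for AES
CONFIG_TEMPLATE = """<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="{alg}" decryption="AES" />
    {pages}
  </system.web>
</configuration>"""
SAMPLE_CONFIGS = {
    "customer-a/web.config": CONFIG_TEMPLATE.format(
        v=SHARED_VALIDATION, d=SHARED_DECRYPTION, alg="HMACSHA256", pages=""),
    "customer-b/web.config": CONFIG_TEMPLATE.format(
        v=SHARED_VALIDATION, d=SHARED_DECRYPTION, alg="SHA1", pages=""),
    "customer-c/web.config": CONFIG_TEMPLATE.format(
        v="EF" * 64, d="01" * 32, alg="HMACSHA256",
        pages='<pages enableViewStateMac="false" />'),
}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def parse_machine_key(xml_text):
    """Return (machineKey attributes or None, enableViewStateMac value)."""
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")
    mac = pages.get("enableViewStateMac", "true") if pages is not None else "true"
    return (dict(mk.attrib) if mk is not None else None, mac.lower())


def fingerprint(secret):
    """Short hash so the report can correlate keys without printing them."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_configs(configs):
    """Return sorted (deployment, finding, detail) tuples for a {name: xml} dict."""
    findings = []
    owners = defaultdict(list)   # (attribute, fingerprint) -> deployments using it
    for name, xml_text in configs.items():
        mk, mac = parse_machine_key(xml_text)
        if mac == "false":
            findings.append((name, "MAC_DISABLED",
                             "enableViewStateMac=false lets unsigned ViewState be deserialized "
                             "(only ASP.NET 4.5.2 and later ignore this and force the MAC on)"))
        if mk is None:
            continue   # no element: ASP.NET auto-generates a per-app key on this host
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue
            owners[(attr, fingerprint(value))].append(name)
        # .NET 4.x defaults validation to HMACSHA256 when the attribute is absent
        if mk.get("validation", "HMACSHA256").upper() not in STRONG_VALIDATION:
            findings.append((name, "LEGACY_VALIDATION",
                             f"validation={mk.get('validation')}; use HMACSHA256 or stronger"))
    for (attr, fp), names in owners.items():
        if len(names) > 1:
            for name in names:
                findings.append((name, "SHARED_KEY",
                                 f"{attr} {fp} also present in {len(names) - 1} other deployment(s)"))
    return sorted(findings)


if __name__ == "__main__":
    for deployment, finding, detail in scan_configs(SAMPLE_CONFIGS):
        print(f"{deployment:24} {finding:18} {detail}")
```

One caveat when reading the output: nodes of a single web farm are supposed to share one key for one application, so a SHARED_KEY finding across farm members of the same site is expected. The finding that matters is the same key across unrelated installations, which is what the KnowledgeDeliver deployments had.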
Exploiting ViewState Deserialization for Remote Code Execution
Attackers leveraged the exposed machine keys to perform ViewState deserialization attacks.
ViewState is the ASP.NET mechanism that preserves a page's state between requests: the server serializes an object graph, base64-encodes it into the hidden __VIEWSTATE field, and deserializes it again on postback. The MAC computed with the validationKey is the only thing that stops the server from deserializing data an attacker has supplied.
Using the shared machine key, the attackers generated correctly signed ViewState payloads carrying a .NET deserialization gadget chain, so their code ran inside the IIS worker process the moment the server deserialized the state.
Because that deserialization happens before any application-level authentication, the flaw gave pre-authentication remote code execution (RCE) on vulnerable KnowledgeDeliver servers.
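To make the trust decision concrete, here is a simplified model of what an ASP.NET page does on postback. It is an added example, not KnowledgeDeliver code: real ASP.NET serializes state with ObjectStateFormatter and, since 4.5, derives purpose-specific keys from the machineKey, but the order of operations is the same: check the MAC, then deserialize whatever it covers. The keys and payload bytes are constructed placeholders.

```python
"""Simplified model of the ViewState MAC check and why a shared key defeats it.

Added example, not ASP.NET or KnowledgeDeliver code. Keys and the
'payload' are constructed placeholders; no real gadget chain is included.
"""
import base64
import hashlib
import hmac
import secrets

MAC_LEN = 32   # HMACSHA256 tag, the .NET 4.x default validation algorithm


def sign_viewstate(validation_key: bytes, state: bytes) -> str:
    """What the server does when rendering a page: state || HMAC, then base64."""
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode()


def verify_viewstate(validation_key: bytes, blob: str):
    """What the server does on postback. Returns the bytes the deserializer
    would now be handed, or None on a MAC mismatch (ASP.NET raises a
    ViewStateException and logs event 1316 in that case)."""
    raw = base64.b64decode(blob)
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return state   # deserialization, and with a gadget chain code execution, starts here


def forge_viewstate(known_key: bytes) -> str:
    """An attacker who holds the key needs no session, cookie or login:
    they sign their own bytes exactly as the server would."""
    return sign_viewstate(known_key, b"<attacker-supplied serialized object graph>")


def demo():
    shared_key = bytes.fromhex("AB" * 64)   # constructed stand-in for the key shipped to every deployment
    forged = forge_viewstate(shared_key)
    # Every server holding the shared key hands the payload to the deserializer...
    accepted_by_shared = verify_viewstate(shared_key, forged) is not None
    # ...while a server with its own key rejects it before deserializing anything.
    unique_key = secrets.token_bytes(64)
    accepted_by_unique = verify_viewstate(unique_key, forged) is not None
    return accepted_by_shared, accepted_by_unique


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point the model makes is that the MAC is an integrity check, not an authorization check: it proves the blob was produced by someone holding the key, and when that key is shared across customers, "someone holding the key" includes the attacker.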
Initial Intrusion and Malicious Script Injection
Incident responders observed attackers exploiting the vulnerability as a zero-day in late 2025.
Following successful exploitation, attackers injected malicious JavaScript into the LMS platform itself. The injected code presented users with a fake security-related prompt encouraging them to install what appeared to be a legitimate authentication plugin.
This technique allowed the attackers to pivot from server compromise to endpoint compromise.
Delivery of Cobalt Strike Backdoor
Users who downloaded the fake installer unknowingly infected their systems with a Cobalt Strike beacon.
Cobalt Strike is frequently abused by threat actors as a stealthy post-exploitation framework capable of:
- Establishing persistent remote access
- Executing commands
- Conducting lateral movement
- Deploying additional malware
Researchers noted that the payload was encrypted using a key derived from the victim organization’s name, indicating that the malware was specifically tailored for the targeted environment rather than distributed broadly.
This level of customization strongly suggests a targeted intrusion operation rather than opportunistic mass exploitation.
Deployment of the Godzilla Web Shell
The attackers also deployed the Godzilla web shell, a .NET-based in-memory backdoor also tracked under the alias BlueBeam.
Godzilla is widely used in sophisticated attacks because it supports:
- In-memory command execution
- File management
- Persistence operations
- Encrypted communications
- Stealthy post-exploitation activity
By operating primarily in memory, the web shell reduces disk artifacts and complicates forensic analysis.
Researchers observed attackers using Godzilla to escalate control over the compromised server’s file system and modify application components.
Malicious JavaScript Injection and User Targeting
After gaining elevated access, attackers modified existing JavaScript files used by the web application.
The injected code performed two key actions:
- Displayed fake security plugin prompts to users
- Loaded additional malicious scripts from attacker-controlled domains
This method enabled the attackers to weaponize a trusted enterprise platform to distribute malware directly to end users interacting with the LMS environment.
Growing Abuse of ViewState Deserialization Attacks
The KnowledgeDeliver compromise is part of a broader trend involving exploitation of insecure ASP.NET machine keys and ViewState deserialization flaws.
Over the past two years, attackers have increasingly targeted enterprise applications using similar techniques.
Notable examples include:
Gladinet CentreStack Attacks
Threat actors exploited hardcoded machine keys to compromise secure file-sharing environments.
Microsoft SharePoint Breaches
Attackers reportedly compromised dozens of SharePoint servers after obtaining machine keys used to sign malicious ViewState payloads.
Sitecore Exploitation Campaigns
State-sponsored groups deployed reconnaissance malware such as WeepSteel through ViewState deserialization attacks against exposed Sitecore systems.
These incidents demonstrate that improperly managed ASP.NET cryptographic keys remain a high-risk attack vector across enterprise web infrastructure.
Why ViewState Attacks Are So Dangerous
ViewState deserialization attacks are particularly dangerous because they:
- Often bypass authentication requirements
- Abuse trusted application mechanisms
- Execute code directly on the server
- Blend into legitimate ASP.NET traffic patterns
When combined with stolen or hardcoded machine keys, attackers can reliably craft payloads that appear fully legitimate to the application.
This makes detection significantly more difficult than traditional exploit attempts.
Recommended Mitigation and Security Best Practices
Organizations using ASP.NET-based applications should immediately review their configurations for shared or static machine keys.
Recommended security measures include:
Generate Unique Machine Keys Per Deployment
Every ASP.NET environment should use cryptographically unique machine keys.
Rotate Potentially Exposed Keys
Treat any deployment that ever ran with the shared keys as potentially compromised: rotate both validationKey and decryptionKey, and expect existing forms-authentication tickets and in-flight ViewState to become invalid when you do.
Disable Unsafe ViewState Deserialization
Keep ViewState MAC validation on (it can no longer be turned off on ASP.NET 4.5.2 and later), enable ViewState encryption, and set Page.ViewStateUserKey so a payload is bound to a specific session. None of this helps while the key itself is shared, so do it alongside key rotation, not instead of it.
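The two configuration steps above (a unique key per application, and ViewState hardening) can be applied together. The script below is an added example, not a vendor-supplied tool: it generates a fresh machineKey and rewrites the element in a web.config while forcing ViewState encryption on. Key sizes follow what IIS Manager's "Generate Keys" emits, 64 random bytes (128 hex characters) for an HMACSHA256 validationKey and 32 bytes (64 hex) for an AES decryptionKey. The input config is a constructed sample.

```python
"""Issue a unique machineKey for one application and rewrite its web.config.

Added example, not a vendor-supplied script. SAMPLE_CONFIG is constructed
and carries a stand-in for the shared key that needs replacing.
"""
import secrets
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}" validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""".format(v="AB" * 64, d="CD" * 32)


def new_machine_key():
    """One key set per application. Generate it once and copy it to every
    node of that application's web farm, never to another application."""
    return {
        "validationKey": secrets.token_hex(64).upper(),   # 128 hex chars
        "decryptionKey": secrets.token_hex(32).upper(),   # 64 hex chars
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(web_config_xml, keys=None):
    """Return the config text with the machineKey replaced and ViewState
    encryption forced on. Rotating invalidates in-flight ViewState and
    existing forms-authentication tickets, so schedule it like a forced
    re-login, not like a silent change."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()   # replace every attribute so no stale setting (validation="SHA1") survives
    mk.attrib.update(keys or new_machine_key())
    pages = system_web.find("pages")
    if pages is None:
        pages = ET.SubElement(system_web, "pages")
    pages.set("enableViewStateMac", "true")          # cannot be turned off since 4.5.2 anyway
    pages.set("viewStateEncryptionMode", "Always")   # hide state contents, in addition to signing
    return ET.tostring(root, encoding="unicode")


def read_machine_key(web_config_xml):
    """Read back the machineKey attributes, used to verify the rewrite."""
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    return dict(mk.attrib) if mk is not None else {}


if __name__ == "__main__":
    print(rotate_machine_key(SAMPLE_CONFIG))
```

Run it against a copy of the file, diff the result, and deploy the same output to every node of that application. Keep the generated values out of source control and out of any image or installer that is shared with other customers, which is exactly how this incident started.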
Monitor for Suspicious ViewState Activity
Inspect IIS and application logs for:
- POST requests to .aspx pages with abnormally large bodies compared with the application's normal postbacks
- __VIEWSTATE arriving in a query string, or postbacks from clients that never loaded the page
- Unauthenticated requests, and bursts of HTTP 500 responses, on pages that normally see only logged-in users
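Those checks can be run over ordinary IIS W3C logs. The triage script below is an added example, not from the incident report; it assumes the log includes the optional cs-bytes field (request size), which is not in the default IIS field set, and the log lines are constructed. Note what it cannot see: with a valid key there is no MAC failure (event 1316) to alert on, so request shape plus EDR on the worker process are what remain.

```python
"""Triage IIS W3C log lines for the request shapes a forged-ViewState attack leaves.

Added example, not incident-report code. SAMPLE_LOG is constructed: one
ordinary login, then a client that posts a 15 KB body to a page it never
fetched and passes ViewState in a query string. The size threshold is an
assumption to baseline against your own application.
"""

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status cs-bytes sc-bytes time-taken
2026-02-20 09:14:02 10.0.0.5 GET /Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 412 9321 15
2026-02-20 09:14:09 10.0.0.5 POST /Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302 0 0 1874 410 31
2026-02-20 09:15:41 10.0.0.5 POST /Login.aspx - 443 - 198.51.100.23 python-requests/2.31 500 0 0 15632 3105 2204
2026-02-20 09:15:44 10.0.0.5 GET /Default.aspx __VIEWSTATE=%2FwEPDwULLTE2MTY2ODcyMjk 443 - 198.51.100.23 python-requests/2.31 200 0 0 840 1120 1890
"""

BIG_POST_BYTES = 8192   # assumed threshold; a serialized gadget chain is usually several KB


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_suspicious(records):
    """Return (reason, c-ip, cs-uri-stem) tuples for requests worth a closer look."""
    records = list(records)
    # A genuine postback is preceded by the same client fetching the same page.
    fetched = {(r["c-ip"], r["cs-uri-stem"]) for r in records if r["cs-method"] == "GET"}
    hits = []
    for r in records:
        if not r["cs-uri-stem"].lower().endswith(".aspx"):
            continue
        is_post = r["cs-method"] == "POST"
        if is_post and int(r.get("cs-bytes", 0)) > BIG_POST_BYTES:
            hits.append(("large_post_body", r["c-ip"], r["cs-uri-stem"]))
        if "__VIEWSTATE=" in r["cs-uri-query"].upper():
            hits.append(("viewstate_in_query_string", r["c-ip"], r["cs-uri-stem"]))
        if is_post and (r["c-ip"], r["cs-uri-stem"]) not in fetched:
            hits.append(("postback_without_prior_get", r["c-ip"], r["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for reason, client, page in find_suspicious(parse_w3c(SAMPLE_LOG)):
        print(f"{reason:28} {client:16} {page}")
```

Each rule is a heuristic, not a signature: a large legitimate form or a bookmarked page can trip one of them, so score on combinations (a large POST from a client with no prior GET, returning 500) and pair the result with process telemetry such as w3wp.exe spawning cmd.exe or powershell.exe.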
Deploy Behavioral Detection
Because web shells like Godzilla operate in memory and leave few files behind, organizations should prioritize:
- Endpoint detection and response (EDR) on the web tier, watching for the IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe or loading assemblies it never normally loads
- Memory analysis of the worker process when a compromise is suspected
- Behavioral anomaly detection on server and user activity
Enterprise Web Applications Remain High-Value Targets
The KnowledgeDeliver incident reinforces how enterprise web platforms continue to be prime targets for advanced attackers seeking persistent access and downstream compromise opportunities.
Learning management systems, collaboration tools, and internal portals frequently contain:
- Sensitive organizational data
- Employee credentials
- Trusted user relationships
Compromising these platforms enables attackers not only to access server infrastructure but also to weaponize trusted applications against end users inside the organization.
