Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment
A zero-day vulnerability in the KnowledgeDeliver learning management system allowed attackers to exploit hardcoded machineKey values in configuration files to perform ViewState deserialization attacks, leading to remote code execution. This enabled deployment of Godzilla web shells and Cobalt Strike backdoors, facilitating persistent unauthorized access and further malicious activity. The vulnerability affects all KnowledgeDeliver deployments prior to February 24, 2026. Mandiant has provided indicators of compromise and recommends monitoring and key rotation. No official patch is mentioned in the available data.
AI Analysis
Technical Summary
The KnowledgeDeliver LMS, widely used in enterprise and educational environments primarily in Japan, contains a zero-day vulnerability (CVE-2026-5426) due to hardcoded machineKey values in its standardized web.config file. These keys are used by ASP.NET for encryption and signing. Because the same machineKey is reused across deployments, attackers who know the key can craft malicious ViewState payloads that the server will deserialize, resulting in remote code execution. Exploitation led to deployment of Godzilla (Bluebeam) web shells in memory, modification of web application permissions and scripts, and installation of Cobalt Strike backdoors tailored to victim organizations. The vulnerability is critical with a CVSS score of 7.5 but no patch or official fix is currently documented.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary code on affected KnowledgeDeliver servers, deploy persistent web shells, modify application files, and install backdoors such as Cobalt Strike. This compromises confidentiality, integrity, and availability of the LMS environment and potentially connected systems. The attack can be targeted and customized per victim, increasing risk of data breaches and further network compromise.
Mitigation Recommendations
No official patch or fix is currently documented. Mandiant recommends rotating the machineKey values in KnowledgeDeliver instances to invalidate the hardcoded keys used in attacks. Organizations should also restrict access to the LMS environment and monitor for indicators of compromise provided by Mandiant. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment
Description
A zero-day vulnerability in the KnowledgeDeliver learning management system allowed attackers to exploit hardcoded machineKey values in configuration files to perform ViewState deserialization attacks, leading to remote code execution. This enabled deployment of Godzilla web shells and Cobalt Strike backdoors, facilitating persistent unauthorized access and further malicious activity. The vulnerability affects all KnowledgeDeliver deployments prior to February 24, 2026. Mandiant has provided indicators of compromise and recommends monitoring and key rotation. No official patch is mentioned in the available data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The KnowledgeDeliver LMS, widely used in enterprise and educational environments primarily in Japan, contains a zero-day vulnerability (CVE-2026-5426) due to hardcoded machineKey values in its standardized web.config file. These keys are used by ASP.NET for encryption and signing. Because the same machineKey is reused across deployments, attackers who know the key can craft malicious ViewState payloads that the server will deserialize, resulting in remote code execution. Exploitation led to deployment of Godzilla (Bluebeam) web shells in memory, modification of web application permissions and scripts, and installation of Cobalt Strike backdoors tailored to victim organizations. The vulnerability is critical with a CVSS score of 7.5 but no patch or official fix is currently documented.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary code on affected KnowledgeDeliver servers, deploy persistent web shells, modify application files, and install backdoors such as Cobalt Strike. This compromises confidentiality, integrity, and availability of the LMS environment and potentially connected systems. The attack can be targeted and customized per victim, increasing risk of data breaches and further network compromise.
Mitigation Recommendations
No official patch or fix is currently documented. Mandiant recommends rotating the machineKey values in KnowledgeDeliver instances to invalidate the hardcoded keys used in attacks. Organizations should also restrict access to the LMS environment and monitor for indicators of compromise provided by Mandiant. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/hackers-exploited-knowledgedeliver-zero-day-for-web-shell-deployment/","fetched":true,"fetchedAt":"2026-05-26T11:17:12.491Z","wordCount":1057}
Threat ID: 6a158138891d628fdc1f8b32
Added to database: 5/26/2026, 11:17:12 AM
Last enriched: 5/26/2026, 11:17:20 AM
Last updated: 5/26/2026, 1:54:19 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.