The KnowledgeDeliver LMS contains a critical zero-day vulnerability (CVE-2026-5426) stemming from the use of a hardcoded ASP.NET machine key in its web portal configuration. This key is shared across all customer deployments, enabling attackers to craft and sign malicious ViewState payloads without authentication. Exploitation leads to remote code execution at the operating system level. Mandiant observed attackers deploying the Godzilla (.NET-based) in-memory web shell and using the access to modify application JavaScript files to deliver malicious scripts and backdoors such as Cobalt Strike beacons. The vulnerability affects versions deployed before February 24, 2026, relying on the vendor’s standardized web.config file. This issue is part of a broader pattern of attacks abusing hardcoded machine keys in ASP.NET environments to achieve code execution and persistent access.

Successful exploitation allows unauthenticated attackers to execute arbitrary code on the KnowledgeDeliver server, leading to full compromise of the web server environment. Attackers can deploy web shells (Godzilla), modify web application files, and trick users into installing malware, resulting in backdoors such as Cobalt Strike beacons. This compromises the confidentiality, integrity, and availability of the affected LMS servers and potentially the networks they reside in. The vulnerability affects all KnowledgeDeliver deployments using the standardized configuration before February 24, 2026.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider mitigating the risk by replacing the hardcoded machine key with unique keys per deployment to prevent ViewState deserialization attacks. Monitoring for signs of compromise and removing any unauthorized web shells or backdoors is advised. Avoid using shared or hardcoded cryptographic keys in ASP.NET applications. Follow vendor updates closely for an official patch or configuration guidance.