
Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.
The flaw is a deserialization issue tracked as CVE-2026-5426 and can be exploited without authentication. It stems from the use of a shared hardcoded machine key in the web portal configuration across all KnowledgeDeliver customer deployments.
ViewState deserialization
Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads and achieve remote code execution at the operating system level.
Mandiant in late 2025 responded to an attack on a KnowledgeDeliver server and says that initially, the vulnerability was exploited as a zero-day to inject a malicious script into the web platform.
Exploitation was possible due to the use of “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the researchers said.
“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” Mandiant explains.
According to the researchers, the malicious code on the platform “convinced users to download a fake installer,” which resulted in the device getting infected with a Cobalt Strike beacon, essentially planting a backdoor.
“The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant says in a recent report.
Godzilla web shell delivery
Mandiant says the threat actor deployed the .NET-based in-memory web shell, Godzilla (a.k.a. BlueBeam), which has also been used in similar attacks observed by Microsoft in late 2024.
In August 2024, researchers at cybersecurity company ASEC had also reported that Godzilla was being deployed in ASP.NET environments in ViewState deserialization attacks targeting companies in the financial sector.
Mandiant notes that the threat actor compromising KnowledgeDeliver instances executed commands to escalate their control over the web server’s file system.
This allowed them to modify an application JavaScript file with code that prompted users to install a “security authentication plugin” and to load a malicious script from a domain under the attacker’s control.
Over the past year, hackers have used improperly secured machine keys in ViewState deserialization attacks targeting web platforms for various products.
In March last year, threat actors abused a hardcoded machine key to craft a malicious payload that allowed access to Gladinet CentreStack’s secure file-sharing servers.
In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads.
State-sponsored actors also used ViewState deserialization attacks to deploy a reconnaissance tool named WeepSteel on Sitecore servers that exposed the ASP.NET machine key.
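The root cause in these incidents is a literal machineKey value in web.config that is reused across servers. The following audit sketch is an added example, not code from Mandiant or the vendor: it flags hardcoded `validationKey`/`decryptionKey` values and reports fingerprints that recur across deployments. The file paths and key values are constructed samples.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs (not real keys): two deployments share one vendor file.
SHARED = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""
SAMPLES = {"customer-a/web.config": SHARED, "customer-b/web.config": SHARED,
           "customer-c/web.config": AUTO}

KEY_ATTRS = ("validationKey", "decryptionKey")

def fingerprint(value):
    """Short SHA-256 fingerprint so keys can be compared without logging them."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()[:16]

def hardcoded_keys(config_text):
    """Return {attr: fingerprint} for every literal (non-AutoGenerate) machineKey value."""
    found = {}
    root = ET.fromstring(config_text)
    for mk in root.iter("machineKey"):
        for attr in KEY_ATTRS:
            value = mk.get(attr, "")
            # An absent attribute or "AutoGenerate[,IsolateApps]" means a per-machine key.
            if value and not value.lower().startswith("autogenerate"):
                found[attr] = fingerprint(value)
    return found

def audit(configs):
    """Map each config to its hardcoded keys and list fingerprints reused across configs."""
    per_file, seen = {}, defaultdict(set)
    for path, text in configs.items():
        per_file[path] = hardcoded_keys(text)
        for fp in per_file[path].values():
            seen[fp].add(path)
    shared = {fp: sorted(paths) for fp, paths in seen.items() if len(paths) > 1}
    return per_file, shared

if __name__ == "__main__":
    per_file, shared = audit(SAMPLES)
    for path, keys in per_file.items():
        print(path, "HARDCODED" if keys else "ok", keys)
    for fp, paths in shared.items():
        print("shared key", fp, "in", ", ".join(paths))
```

Any fingerprint that appears on more than one server, or in a vendor-supplied template, marks a key that should be rotated to a unique per-deployment value.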




