KnowledgeDeliver LMS ViewState Deserialization Flaw (CVE-2026-5426) Exploited for Cobalt Strike Backdoor and Godzilla Malware Deployment
- Vulnerability Exploited: Mandiant announced that attackers exploited CVE-2026-5426 in the KnowledgeDeliver platform.
- ViewState Vulnerability Exploited: Attackers leveraged CVE-2026-5426 via hardcoded ASP.NET machine keys to execute malicious payloads.
- Advanced Post-Exploitation Tactics: The intrusion led to the deployment of the BLUEBEAM web shell and Cobalt Strike BEACON.
A critical flaw in the KnowledgeDeliver Learning Management System (LMS) platform was successfully exploited to inject malicious code. This vulnerability, designated as CVE-2026-5426, enables unauthenticated Remote Code Execution (RCE). The unknown attacker deployed Godzilla malware and persistent access tools such as Cobalt Strike beacons into the affected environments.
KnowledgeDeliver, developed by Digital Knowledge, is commonly used in Japan.
Active Exploitation of CVE-2026-5426
The exploitation of the KnowledgeDeliver LMS occurred in the period leading up to February 24, 2026, according to a Google Threat Intelligence Group (GTIG) report. The vulnerability, tracked as CVE-2026-5426 and initially exploited as a zero-day, stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments.
KnowledgeDeliver installations deployed before February 24, 2026, relied on a standardized web.config file provided by the vendor. This specific configuration file contained hardcoded machineKey values, which the ASP.NET framework uses to encrypt and sign data.
Threat actors used this shared cryptographic secret to craft malicious ViewState payloads. Because the signing key was known, the server accepted the forged data as authentic: when it was submitted via the __VIEWSTATE HTTP parameter, the server deserialized it, giving the attackers RCE.
Post-Exploitation: BLUEBEAM and Cobalt Strike BEACON
Following the initial breach, threat actors carried out extensive post-exploitation activities, deploying a highly stealthy in-memory .NET web shell named BLUEBEAM (also known as Godzilla), previously used by other threat actors, including APT41.
They modified application files to display a fake security alert, which silently loaded remote malicious JavaScript. This deceptive mechanism tricked victims into downloading a fake installer, ultimately resulting in the infection of target workstations with a Cobalt Strike BEACON backdoor.
“The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” GTIG said.
Remediation and mitigation:
- Rotate Machine Keys: Immediately generate a unique, cryptographically strong machine key for each KnowledgeDeliver instance; this is the only way to invalidate the shared secret.
- Restrict Access: If possible, limit access to the LMS to known organizational IP address ranges.
- Investigate: Hunt for this activity, and conduct a thorough investigation if any signs of exploitation are identified.
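As an added illustration (not code from the article, the vendor, or GTIG), the following Python script audits a web.config for the weak setting described above, a machineKey whose value is known to be shared across deployments, and rewrites it with instance-unique keys, which is the rotation step recommended above. The sample web.config and the fingerprint set are constructed; the real vendor key values are not on this page.

```python
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample of a web.config that ships one fixed <machineKey> to every
# install. Key values are made up for this example, not the vendor's.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AA11BB22CC33DD44AA11BB22CC33DD44AA11BB22CC33DD44AA11BB22CC33DD44"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

def fingerprint(key_hex):
    """SHA-256 of a key value, so shared keys can be listed without storing them."""
    return hashlib.sha256(key_hex.upper().encode()).hexdigest()

# Constructed fingerprint list; in practice it holds hashes of keys known to be
# shared across deployments (the page does not give the real values).
KNOWN_SHARED_FINGERPRINTS = {fingerprint("AA11BB22CC33DD44" * 4)}

def find_machine_key(config_xml):
    """Return the <machineKey> element, or None when web.config does not set one
    (ASP.NET then auto-generates a per-machine key)."""
    return next(ET.fromstring(config_xml).iter("machineKey"), None)

def uses_shared_machine_key(config_xml, shared=KNOWN_SHARED_FINGERPRINTS):
    """True when validationKey or decryptionKey is a known shared value. Anyone
    holding that key can sign ViewState the server will accept and deserialize."""
    mk = find_machine_key(config_xml)
    if mk is None:
        return False
    return any(fingerprint(mk.get(a, "")) in shared
               for a in ("validationKey", "decryptionKey"))

def rotate_machine_key(config_xml):
    """Rewrite both keys with fresh random values unique to this instance:
    a 64-byte validationKey for HMACSHA256 and a 32-byte decryptionKey for AES."""
    new_val, new_dec = secrets.token_hex(64).upper(), secrets.token_hex(32).upper()
    out = re.sub(r'validationKey="[^"]*"', f'validationKey="{new_val}"', config_xml)
    return re.sub(r'decryptionKey="[^"]*"', f'decryptionKey="{new_dec}"', out)
```

Rotating the key invalidates outstanding ViewState and forms-authentication tickets, and all nodes of one web farm must share the same new key, so roll the change per site rather than per server.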
This month, suspected Belarusian state nexus cyberespies were seen targeting Ukraine with a new Cobalt Strike campaign.