Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.
The flaw is a deserialization issue tracked as CVE-2026-5426 and can be exploited without authentication. It stems from the use of a shared hardcoded machine key in the web portal configuration across all KnowledgeDeliver customer deployments.
ViewState deserialization
Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads and achieve remote code execution at the operating system level.
Mandiant in late 2025 responded to an attack on a KnowledgeDeliver server and says that initially, the vulnerability was exploited as a zero-day to inject a malicious script into the web platform.
Exploitation was possible due to the use of “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the researchers said.
“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” Mandiant explains.
According to the researchers, the malicious code on the platform “convinced users to download a fake installer,” which led to the machine getting infected with a Cobalt Strike beacon, essentially planting a backdoor.
“The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant says in a report today.
Godzilla web shell delivery
Mandiant says the threat actor deployed the .NET-based in-memory web shell, Godzilla (a.k.a. BlueBeam), which has also been used in similar attacks observed by Microsoft in late 2024.
In August 2024, researchers at cybersecurity company ASEC had also reported that Godzilla was being deployed in ASP.NET environments in ViewState deserialization attacks targeting companies in the financial sector.
Mandiant notes that the threat actor compromising KnowledgeDeliver instances executed commands to escalate their control over the web server’s file system.
This allowed them to modify an application JavaScript file with code that prompted users to install a “security authentication plugin” and to load a malicious script from a domain under the attacker’s control.
Over the past year, hackers have used improperly secured machine keys in ViewState deserialization attacks targeting web platforms for various products.
In March last year, threat actors abused a hardcoded machine key to craft a malicious payload that allowed access to Gladinet CentreStack’s secure file-sharing servers.
In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads.
State-sponsored actors also used ViewState deserialization attacks to deploy a reconnaissance tool named WeepSteel on Sitecore servers that exposed the ASP.NET machine key.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
