KnowledgeDeliver flaw used to deploy Godzilla and Cobalt Strike
Attackers exploited a hard-coded ASP.NET machineKey in Digital Knowledge’s KnowledgeDeliver LMS to run a ViewState deserialization attack that installed the Godzilla web shell and Cobalt Strike Beacon.
A high-severity vulnerability in Digital Knowledge’s KnowledgeDeliver learning management system was exploited to install the Godzilla web shell and deliver Cobalt Strike Beacon, according to researchers. The bug is tracked as CVE-2026-5426 and carries a CVSS score of 7.5. It allowed unauthenticated remote code execution through a malicious ViewState payload.
Google Mandiant and the Google Threat Intelligence Group reported that the flaw affected KnowledgeDeliver deployments that used a vendor-supplied web.config file with identical, hard-coded ASP.NET machineKey values. The issue was present in instances prior to February 24, 2026. ASP.NET uses the machineKey to encrypt and sign data such as ViewState. If that key is known, an attacker can craft a ViewState payload and send it in the __VIEWSTATE parameter to force the server to deserialize it and execute arbitrary code. The report states: “The ASP.NET ViewState persists page state across postbacks. When the machineKey is known, a threat actor can craft a malicious ViewState payload.”
In the observed incidents, an unknown threat actor used the vulnerability to inject the Godzilla web shell, also tracked as BLUEBEAM, into the LMS platform. The web shell provided command execution on compromised web servers. The actor changed file-system permissions to grant the Everyone group full access to the web application directory and altered an application JavaScript file to display a fake security alert that prompted visitors to install a “security authentication plugin.”
The modified page loaded a malicious script from an attacker-controlled domain. That script persuaded users to download a fake installer that ultimately installed Cobalt Strike Beacon on their machines. Researchers found the payload was encrypted with a key that included the compromised organization’s name, indicating the attacker prepared the payload for that specific target.
Security teams have previously documented abuse of publicly disclosed ASP.NET machine keys. Microsoft recorded similar exploitation in February 2025, and comparable ViewState deserialization attacks have been used against other products including Sitecore Experience Manager and file-sharing platforms such as Gladinet CentreStack and TrioFox. The root cause in the KnowledgeDeliver cases was the reuse of the same machineKey across multiple installations via a standardized deployment template, allowing a key leaked from one instance to be used against others.
Google Mandiant and the Google Threat Intelligence Group recommended removing shared secrets from deployment templates, ensuring each web.config uses a unique, randomly generated machineKey, applying vendor patches, and monitoring endpoints and logs for signs of ViewState tampering or unexpected file changes. Administrators are advised to review server and application logs for unusual __VIEWSTATE activity, treat potentially affected user systems as compromised, and follow incident response procedures to contain and remediate infections.
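
The recommendation that each web.config carry a unique machineKey can be checked across a fleet. The following is an added example, not code from the researchers or the vendor: it fingerprints explicit machineKey values in a set of web.config files and reports any fingerprint that appears in more than one deployment. The file paths and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: hypothetical deployments with placeholder keys
# (not real keys and not values from the report).
TEMPLATE = ('<configuration><system.web><machineKey validationKey="{v}" '
            'decryptionKey="{d}" validation="HMACSHA256" decryption="AES" />'
            '</system.web></configuration>')
AUTO = "AutoGenerate,IsolateApps"
SAMPLE_CONFIGS = {
    "site-a/web.config": TEMPLATE.format(v="AA11" * 16, d="BB22" * 8),
    "site-b/web.config": TEMPLATE.format(v="aa11" * 16, d="bb22" * 8),  # same key, other case
    "site-c/web.config": TEMPLATE.format(v="CC33" * 16, d="DD44" * 8),  # static but unique
    "site-d/web.config": TEMPLATE.format(v=AUTO, d=AUTO),
    "site-e/web.config": "<configuration><system.web /></configuration>",
}

def static_key_fingerprint(xml_text):
    """Return a short SHA-256 fingerprint of an explicit machineKey, else None."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate a namespaced root
            continue
        vkey = el.get("validationKey", AUTO)
        dkey = el.get("decryptionKey", AUTO)
        if vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"):
            continue  # keys are generated at runtime, nothing static in the file
        # Hash the material so the report never contains the key itself.
        material = f"{vkey.upper()}|{dkey.upper()}".encode()
        return hashlib.sha256(material).hexdigest()[:16]
    return None

def audit(configs):
    """Map fingerprint -> sorted config paths that carry that static key."""
    groups = defaultdict(list)
    for path, text in configs.items():
        fp = static_key_fingerprint(text)
        if fp:
            groups[fp].append(path)
    return {fp: sorted(paths) for fp, paths in groups.items()}

def shared_keys(configs):
    """Static keys present in more than one deployment: the template-reuse case."""
    return {fp: p for fp, p in audit(configs).items() if len(p) > 1}

if __name__ == "__main__":
    for fp, paths in shared_keys(SAMPLE_CONFIGS).items():
        print(f"SHARED machineKey {fp}: {', '.join(paths)}")
```

A static key that appears only once is still listed by `audit`, since a hard-coded key that has been published or leaked is exposed regardless of how many installations use it.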








