Cybercriminals took advantage of a critical zero-day vulnerability within a server utilizing the KnowledgeDeliver learning management system (LMS) to introduce the Godzilla web shell.
The vulnerability, tracked as CVE-2026-5426, is a deserialization flaw that can be exploited without authentication. It stems from a shared, hardcoded ASP.NET machine key in the web portal configuration that is identical across all deployments of the KnowledgeDeliver platform.
Exploitation through ViewState deserialization
The attackers acquired the machine key and utilized it in ViewState deserialization attacks to sign malicious payloads, ultimately enabling remote code execution at the operating system level.
Mandiant, which responded to a late-2025 incident involving a breached KnowledgeDeliver server, revealed that the vulnerability was first exploited as a zero-day to insert a malicious script into the web platform.
The exploitation was made possible due to the usage of “identical pre-shared ASP.NET machine keys across multiple customer deployments,” as stated by the researchers.
“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” Mandiant explains.
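The weak configuration Mandiant describes, beside the corrected form, as an added audit example (not Mandiant's or the vendor's code). The web.config fragments and the key values are constructed placeholders, not the real KnowledgeDeliver key; the KNOWN_SHARED_KEYS set stands in for whatever vendor-template keys a defender has catalogued.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder for a vendor-template key known to be shared across
# deployments (hypothetical value, not the real KnowledgeDeliver key).
KNOWN_SHARED_KEYS = {"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}

# Constructed web.config fragment mirroring the weak pattern: a static machineKey
# that is the same on every install, so anyone holding it can sign ViewState.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Corrected fragment: per-server, per-application auto-generated keys and a
# stronger MAC algorithm. (A web farm instead needs a unique key per deployment.)
FIXED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(config_xml):
    """Return a list of findings for the <machineKey> element of an ASP.NET web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        return findings  # no element: ASP.NET auto-generates keys on each server
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if value.upper() in KNOWN_SHARED_KEYS:
            findings.append(f"{attr} matches a known vendor-template key: rotate immediately")
        elif not value.startswith("AutoGenerate"):
            findings.append(f"{attr} is static: acceptable only if unique to this deployment")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("validation algorithm is weak: use HMACSHA256 or stronger")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```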
According to the researchers, the malicious code on the platform enticed users to download a fraudulent installer, leading to the installation of a Cobalt Strike beacon, essentially establishing a backdoor.
Deployment of Godzilla web shell
Mandiant disclosed that the threat actor deployed the .NET-based in-memory web shell, Godzilla (also known as BlueBeam), which had been previously observed in similar attacks documented by Microsoft in late 2024.
In August 2024, cybersecurity firm ASEC reported the deployment of Godzilla in ASP.NET environments during ViewState deserialization attacks targeting financial institutions.
The threat actor compromising KnowledgeDeliver instances ran commands that gave them broader control over the web server's file system.
This allowed them to alter an application JavaScript file with code that prompted users to install a “security authentication plugin” and load a malicious script from a domain controlled by the attacker.
Over the past year, cybercriminals have exploited improperly secured machine keys in ViewState deserialization attacks targeting various web platforms.
Last year in March, threat actors misused a hardcoded machine key to create a malicious payload granting access to Gladinet CentreStack’s secure file-sharing servers.
In July 2025, hackers compromised 85 Microsoft SharePoint servers after obtaining the machine key to produce signed malicious ViewState payloads.
State-sponsored actors also utilized ViewState deserialization attacks to deploy a reconnaissance tool named WeepSteel on Sitecore servers, exposing the ASP.NET machine key.