KnowledgeDeliver Zero‑Day Exploited to Deploy Web Shells

Overview

On May 26, 2026, researchers disclosed a critical zero‑day vulnerability in the KnowledgeDeliver learning management system (LMS). Tracked as CVE‑2026‑5426, the flaw is a ViewState deserialization issue that can be exploited without authentication. Attackers leveraged this weakness to deploy the Godzilla (BlueBeam) web shell, enabling remote code execution and persistent control over compromised servers.

Root Cause

  • Hardcoded machine keys: KnowledgeDeliver installations deployed before Feb 24, 2026 shipped with identical ASP.NET machineKey values in vendor‑supplied web.config files.
  • ViewState deserialization: Threat actors used these keys to sign malicious payloads, bypassing integrity checks and executing arbitrary code at the OS level.
  • Targeted payloads: Malicious installers were encrypted using organization‑specific keys, showing tailored targeting.

Attack Chain

  1. Initial compromise: Malicious script injected into the LMS platform.
  2. User deception: Victims prompted to download a fake “installer.”
  3. Backdoor deployment: Installer dropped a Cobalt Strike beacon, creating persistence.
  4. Web shell installation: Attackers deployed the Godzilla in‑memory web shell for command execution and file system control.
  5. Escalation: Modified JavaScript files tricked users into installing a fake “security authentication plugin,” loading attacker‑controlled scripts.

Godzilla Web Shell Context

  • First observed in ASP.NET exploitation campaigns in 2024.
  • Used in financial sector attacks (ASEC, 2024).
  • Linked to Microsoft‑tracked ViewState deserialization exploits in late 2024.

Broader Trend of Machine Key Abuse

This incident is part of a wider pattern:

  • Gladinet CentreStack (2025): Hardcoded keys enabled malicious payload injection.
  • Microsoft SharePoint (2025): 85 servers compromised via stolen machine keys.
  • Sitecore (2025): State‑sponsored actors deployed WeepSteel reconnaissance tool.

Required Actions

  • Patch KnowledgeDeliver deployments immediately if installed before Feb 24, 2026.
  • Rotate ASP.NET machine keys to eliminate shared secrets.
  • Monitor ViewState anomalies for signs of tampering.
  • Deploy web shell detection to identify in‑memory threats.
  • Harden server configurations against deserialization exploits.
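An added example (not from the advisory or the vendor) of the machine‑key audit and rotation the actions above call for: it flags installations whose web.config files carry the same key pair and rewrites the machineKey with per‑installation random values. The configs and key values are constructed placeholders.

```python
"""Audit and rotate ASP.NET <machineKey> entries in web.config.
All configs and key values here are constructed samples, not vendor data."""
import secrets
import xml.etree.ElementTree as ET

# Byte lengths matching the IIS "Generate Keys" defaults for HMACSHA256 / AES.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32

# Constructed stand-in for a vendor-shipped web.config with a fixed machineKey.
PLACEHOLDER_VALIDATION_KEY = "11" * VALIDATION_KEY_BYTES
PLACEHOLDER_DECRYPTION_KEY = "22" * DECRYPTION_KEY_BYTES
VENDOR_SHIPPED_CONFIG = (
    '<configuration><system.web>'
    f'<machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}" '
    f'decryptionKey="{PLACEHOLDER_DECRYPTION_KEY}" '
    'validation="SHA1" decryption="AES" />'
    '</system.web></configuration>'
)

def find_machine_key(config_xml):
    """Return the machineKey attributes, or None when ASP.NET auto-generates keys."""
    node = ET.fromstring(config_xml).find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else None

def shared_keys(configs):
    """Group hosts whose web.config carries the same key pair: each group is one
    shared secret, so a ViewState signed for one host is accepted by all of them
    and every member must be rotated."""
    by_pair = {}
    for host, xml in configs.items():
        mk = find_machine_key(xml)
        if mk is not None:
            pair = (mk.get("validationKey"), mk.get("decryptionKey"))
            by_pair.setdefault(pair, []).append(host)
    return sorted(sorted(h) for h in by_pair.values() if len(h) > 1)

def rotate_machine_key(config_xml):
    """Replace the machineKey with freshly generated, per-installation values."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    node = system_web.find("machineKey")
    if node is None:
        node = ET.SubElement(system_web, "machineKey")
    node.set("validationKey", secrets.token_hex(VALIDATION_KEY_BYTES).upper())
    node.set("decryptionKey", secrets.token_hex(DECRYPTION_KEY_BYTES).upper())
    node.set("validation", "HMACSHA256")  # also retire the legacy SHA1 setting
    node.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")
```

Rotating keys invalidates outstanding ViewState and forms‑authentication tickets; nodes of one web farm must share the new pair, while separate installations must not.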

Final Thought

The KnowledgeDeliver zero‑day highlights how configuration shortcuts — like hardcoded machine keys — can become systemic vulnerabilities across entire customer bases. For defenders, the lesson is clear: cryptographic uniqueness and proactive patching are non‑negotiable in modern security.
