
Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.
The flaw is a deserialization issue tracked as CVE-2026-5426 and could be exploited without authentication. It stems from the use of a shared hardcoded machine key in the web portal configuration across all KnowledgeDeliver customer deployments.
ViewState deserialization
Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads and achieve remote code execution at the operating system level.
Mandiant in late 2025 responded to an attack on a KnowledgeDeliver server and says that initially, the vulnerability was exploited as a zero-day to inject a malicious script into the web platform.
Exploitation was possible due to the use of “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the researchers said.
“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” Mandiant explains.
According to the researchers, the malicious code on the platform “convinced users to download a fake installer,” which led to the machine getting infected with a Cobalt Strike beacon, essentially planting a backdoor.
“The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant says in a report today.
Godzilla web shell delivery
Mandiant says the threat actor deployed the .NET-based in-memory web shell, Godzilla (a.k.a. BlueBeam), which has also been used in similar attacks observed by Microsoft in late 2024.
In August 2024, researchers at cybersecurity company ASEC had also reported that Godzilla was being deployed in ASP.NET environments in ViewState deserialization attacks targeting companies in the financial sector.
Mandiant notes that the threat actor compromising KnowledgeDeliver instances executed commands to escalate their control over the web server’s file system.
This allowed them to modify an application JavaScript file with code that prompted users to install a “security authentication plugin” and to load a malicious script from a domain under the attacker’s control.
Over the past year, hackers have used improperly secured machine keys in ViewState deserialization attacks targeting web platforms for various products.
In March last year, threat actors abused a hardcoded machine key to craft a malicious payload that allowed access to Gladinet CentreStack’s secure file-sharing servers.
In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads.
State-sponsored actors also used ViewState deserialization attacks to deploy a reconnaissance tool named WeepSteel on Sitecore servers that exposed the ASP.NET machine key.
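The condition behind these incidents, a hardcoded machineKey in web.config that is identical across deployments, can be audited by fingerprinting each config's key values and grouping matches. The following is an added example, not code from Mandiant or the vendor; the file paths and key values are constructed placeholders, and in practice the dictionary would be filled from web.config files collected from each server.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs: hypothetical paths, dummy (non-functional) key values.
_KEYED = ('<configuration><system.web><machineKey validationKey="{v}" '
          'decryptionKey="{d}" validation="HMACSHA256" decryption="AES"/>'
          '</system.web></configuration>')
SAMPLE_CONFIGS = {
    "customer-a/web.config": _KEYED.format(v="AAAA1111BBBB2222", d="CCCC3333DDDD4444"),
    "customer-b/web.config": _KEYED.format(v="aaaa1111bbbb2222", d="cccc3333dddd4444"),
    "customer-c/web.config": _KEYED.format(v="AutoGenerate,IsolateApps",
                                           d="AutoGenerate,IsolateApps"),
    "customer-d/web.config": "<configuration><system.web/></configuration>",
}

def machine_key_fingerprint(config_xml):
    """SHA-256 over explicit machineKey values; None if absent or auto-generated."""
    root = ET.fromstring(config_xml)
    # Match on local name so a namespaced <configuration> root is handled too.
    node = next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "machineKey"), None)
    if node is None:
        return None
    vkey = node.get("validationKey", "AutoGenerate").upper()
    dkey = node.get("decryptionKey", "AutoGenerate").upper()
    if vkey.startswith("AUTOGENERATE") and dkey.startswith("AUTOGENERATE"):
        return None
    # Hash rather than store the keys, so the report never contains key material.
    return hashlib.sha256(f"{vkey}|{dkey}".encode()).hexdigest()

def audit(configs):
    """Return configs with hardcoded keys and groups that share the same keys."""
    groups = defaultdict(list)
    for path, xml_text in configs.items():
        fp = machine_key_fingerprint(xml_text)
        if fp is not None:
            groups[fp].append(path)
    hardcoded = sorted(p for paths in groups.values() for p in paths)
    shared = sorted(sorted(paths) for paths in groups.values() if len(paths) > 1)
    return {"hardcoded": hardcoded, "shared": shared}

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIGS)
    print("Hardcoded machineKey:", report["hardcoded"])
    print("Same key on multiple deployments:", report["shared"])
```

Any entry in the shared list means a key recovered from one deployment can sign ViewState for the others, so those keys should be rotated to unique values per installation.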

