KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

A high-severity vulnerability in the KnowledgeDeliver LMS platform has been actively exploited as a zero-day to deliver web shells and post-exploitation malware, including Cobalt Strike Beacon.

Cybersecurity researchers from Google Mandiant and the Google Threat Intelligence Group (GTIG) have revealed that threat actors are exploiting a now-patched vulnerability in the Digital Knowledge KnowledgeDeliver Learning Management System (LMS) to gain unauthorized access to servers and deploy advanced attack tools.

The flaw, tracked as CVE-2026-5426, was used in real-world attacks before a fix was issued in February 2026.


Hard-Coded ASP.NET Keys Enable Remote Code Execution

The vulnerability originates from the use of hard-coded ASP.NET machine keys in KnowledgeDeliver deployments. These static keys are used to sign and encrypt ViewState data within the ASP.NET framework.

If an attacker obtains these shared keys from one vulnerable instance, they can reuse them to compromise other exposed installations running the same configuration.

This enables unauthenticated attackers to craft malicious ViewState payloads that are processed by the server, resulting in remote code execution through deserialization attacks.
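To make the configuration weakness concrete, here is an added audit script (not code from the article, from Google's researchers, or from the KnowledgeDeliver vendor). It parses ASP.NET web.config files, flags explicit validationKey/decryptionKey values rather than AutoGenerate, flags a disabled ViewState MAC, and reports key fingerprints that recur across deployments, which is exactly the shared-template condition the article describes. The deployment names, sample configurations and key strings in it are constructed placeholders, not values from any real product; Python is used so the check runs anywhere against exported config files.

```python
"""Audit ASP.NET web.config files for static or shared <machineKey> values.

Added example (not from the article, the researchers, or the vendor). The
sample configurations and key strings below are constructed placeholders.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional


def machine_key_attrs(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the attributes of <system.web><machineKey>, or None if absent."""
    system_web = ET.fromstring(config_xml).find("system.web")
    if system_web is None:
        return None
    node = system_web.find("machineKey")
    return dict(node.attrib) if node is not None else None


def view_state_mac_disabled(config_xml: str) -> bool:
    """True when <pages enableViewStateMac="false"> is set.

    Newer .NET Framework releases enforce the MAC regardless, but the setting
    is still a sign that someone tried to weaken ViewState protection.
    """
    system_web = ET.fromstring(config_xml).find("system.web")
    pages = system_web.find("pages") if system_web is not None else None
    return pages is not None and pages.get("enableViewStateMac", "true").lower() == "false"


def fingerprint(secret: str) -> str:
    """Short SHA-256 digest so reports never echo the secret itself."""
    return hashlib.sha256(secret.strip().lower().encode()).hexdigest()[:12]


def audit_deployments(configs: Dict[str, str]) -> Dict[str, object]:
    """configs maps a deployment name to its web.config text.

    Returns {'issues': {deployment: [findings]},
             'shared_keys': {fingerprint: [deployments using that key]}}.
    """
    issues: Dict[str, List[str]] = {}
    users = defaultdict(set)
    for name, xml in configs.items():
        findings: List[str] = []
        attrs = machine_key_attrs(xml)
        if attrs is not None:
            for attr in ("validationKey", "decryptionKey"):
                value = attrs.get(attr, "AutoGenerate")
                # Anything other than AutoGenerate[,IsolateApps] is a static secret
                # that will validate forged ViewState on every install that shares it.
                if not value.startswith("AutoGenerate"):
                    findings.append(f"static {attr}")
                    users[fingerprint(value)].add(name)
        if view_state_mac_disabled(xml):
            findings.append("viewState MAC disabled")
        issues[name] = findings
    shared = {fp: sorted(names) for fp, names in users.items() if len(names) > 1}
    return {"issues": issues, "shared_keys": shared}


# Constructed sample: two installs shipped from the same template, one using defaults.
TEMPLATE_KEYS = ('validationKey="PLACEHOLDER-VALIDATION-KEY-0001" '
                 'decryptionKey="PLACEHOLDER-DECRYPTION-KEY-0001"')
SAMPLE_CONFIGS = {
    "lms-prod": f"""<configuration><system.web>
  <machineKey {TEMPLATE_KEYS} validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "lms-staging": f"""<configuration><system.web>
  <machineKey {TEMPLATE_KEYS} validation="HMACSHA256" decryption="AES"/>
  <pages enableViewStateMac="false"/>
</system.web></configuration>""",
    "lms-dev": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>""",
}

if __name__ == "__main__":
    report = audit_deployments(SAMPLE_CONFIGS)
    for deployment, findings in report["issues"].items():
        print(f"{deployment}: {', '.join(findings) or 'ok'}")
    for fp, names in report["shared_keys"].items():
        print(f"key {fp} shared by {names}")
```

The report deliberately prints only a truncated hash of each key: the goal is to show which installs share a secret, not to copy the secret into a ticket. Any deployment listed under shared_keys needs a fresh, unique machineKey, and the rotation invalidates every ViewState signed under the old one, so schedule it with a restart window.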

Security researchers note that similar exploitation techniques have previously been observed in other enterprise platforms, including Sitecore Experience Manager and Gladinet CentreStack.


Attack Chain: From LMS Compromise to Full System Control

According to GTIG analysis, exploitation of CVE-2026-5426 allowed attackers to establish deep control over affected systems.

The attack typically followed a multi-stage sequence:

  • Initial unauthorized access via malicious ViewState payloads
  • Deployment of the Godzilla (BLUEBEAM) web shell
  • Execution of system commands and file system manipulation
  • Modification of application files to inject malicious JavaScript
  • Delivery of fake security prompts to end users

Once inside, attackers altered file permissions to grant broad access rights to web directories, which allowed persistent manipulation of the LMS environment.


Fake Security Plugins Used for User Infection

After compromising the LMS platform, attackers modified legitimate web content to inject JavaScript that displayed fraudulent security alerts.

Users visiting the compromised LMS portal were prompted to install a so-called “security authentication plugin.” In reality, this installer acted as a delivery mechanism for additional malware.

The injected script loaded external resources from attacker-controlled infrastructure, enabling the next stage of the attack.


Cobalt Strike Deployed for Post-Exploitation Activity

Victims who executed the fake installer ultimately received Cobalt Strike Beacon, a widely used post-exploitation framework often associated with advanced persistent threat (APT) operations and ransomware groups.

Cobalt Strike enabled attackers to:

  • Maintain persistent access to compromised systems
  • Execute remote commands
  • Move laterally across internal networks
  • Deploy additional payloads for deeper infiltration

Researchers also observed payloads that were encrypted using organization-specific identifiers, indicating highly targeted and pre-planned operations.


Shared Secrets Amplify Risk Across LMS Deployments

One of the most significant risks identified in CVE-2026-5426 is the use of identical machineKey values across multiple deployments.

Because these keys were included in standardized configuration templates, a single compromise could be leveraged to attack all systems using the same defaults.

This design flaw dramatically expands the blast radius of a single intrusion and highlights the dangers of reused cryptographic secrets in enterprise software deployments.


Industry-Wide Concern Over Deserialization Attacks

The exploitation of KnowledgeDeliver follows a broader trend of attackers targeting insecure deserialization flaws in ASP.NET-based applications.

Security experts emphasize that ViewState-based attacks remain highly effective when machine keys are exposed or reused, allowing attackers to bypass authentication entirely.


Security Recommendations

Organizations using KnowledgeDeliver or similar ASP.NET-based platforms are strongly advised to take immediate action:

  • Upgrade to patched versions released after February 24, 2026
  • Replace all hard-coded or shared ASP.NET machine keys with unique values
  • Monitor for unauthorized ViewState or deserialization activity
  • Audit web directories for unauthorized script modifications
  • Review logs for signs of web shell activity (e.g., Godzilla/BLUEBEAM indicators)
  • Restrict and validate file system permissions on web application directories
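The tradecraft described earlier (legitimate pages modified to load JavaScript from attacker-controlled hosts) and the recommendations above to audit web directories for unauthorized script modifications can both be turned into a routine check. The script below is an added example, not code from the article or the vendor: it hashes a web root, compares it with an earlier baseline to list added, removed and modified files, and scans page and script files for <script src> references to hosts outside an allow-list. The sample files, host names and allow-list are constructed; in practice you would store the baseline from a known-good deployment and run the diff on a schedule.

```python
"""Baseline-and-diff integrity check for a web root, plus a scan for injected external scripts.

Added example (not from the article or the vendor). Sample files, host names and
the allow-list are constructed; point hash_tree() and external_scripts() at a
real web root to use it.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterator, List, Set, Tuple
from urllib.parse import urlparse

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
CONTENT_EXT = {".html", ".htm", ".aspx", ".ascx", ".master", ".js"}


def _walk(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (posix-style relative path, absolute path) for every regular file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def hash_tree(root: str) -> Dict[str, str]:
    """SHA-256 of every file, keyed by relative path; persist this as the baseline."""
    result = {}
    for rel, path in _walk(root):
        with open(path, "rb") as fh:
            result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that appeared, vanished, or changed hash since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def external_scripts(root: str, allowed_hosts: Set[str]) -> List[Tuple[str, str]]:
    """(relative path, src) for every <script src> whose host is not allow-listed.

    Same-origin paths are skipped; absolute and protocol-relative URLs are checked.
    """
    findings = []
    for rel, path in _walk(root):
        if os.path.splitext(path)[1].lower() not in CONTENT_EXT:
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for src in SCRIPT_SRC.findall(text):
            if src.startswith("//"):
                src_url = "https:" + src      # protocol-relative: resolve to inspect the host
            elif "://" in src:
                src_url = src
            else:
                continue                      # relative path, served from this origin
            host = (urlparse(src_url).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append((rel, src))
    return sorted(findings)


def _write(root: str, rel: str, content: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo() -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Build a constructed web root, take a baseline, simulate tampering, then audit."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Default.aspx", "<html><script src='/js/app.js'></script></html>")
        _write(root, "js/app.js", "console.log('ok');")
        baseline = hash_tree(root)
        # Constructed tampering: the page now pulls a script from an unknown host,
        # and a new file shows up in an upload directory.
        _write(root, "Default.aspx",
               "<html><script src='/js/app.js'></script>"
               '<script src="https://plugin.constructed-example.test/auth-plugin.js"></script></html>')
        _write(root, "uploads/help.aspx", '<%@ Page Language="C#" %>')
        changes = diff_baseline(baseline, hash_tree(root))
        suspicious = external_scripts(root, {"cdn.constructed-example.test"})
    return changes, suspicious


if __name__ == "__main__":
    changes, suspicious = demo()
    print("changes:", changes)
    print("external scripts:", suspicious)
```

Two caveats for real use: keep the baseline somewhere the web server's own account cannot write, since an attacker who has altered directory permissions as described above could otherwise rewrite it, and treat any new .aspx file outside the application's release manifest as a finding in its own right, not just a diff entry.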

Conclusion

The exploitation of CVE-2026-5426 underscores how configuration weaknesses can be just as dangerous as coding flaws. By abusing shared machine keys, attackers were able to transform a vulnerable LMS platform into a full attack staging ground for web shells and enterprise-grade malware.

Security analysts warn that organizations relying on default or shared cryptographic configurations remain highly exposed to similar large-scale compromise campaigns.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO