Hackers exploited a critical zero-day vulnerability in a server running the **KnowledgeDeliver** learning management system (LMS) to deploy the **Godzilla** web shell. ### The CVE-2026-5426 Vulnerability The flaw is a deserialization issue tracked as **CVE-2026-5426** and can be exploited without authentication. It stems from the use of a shared hardcoded machine key in the web portal configuration across all **KnowledgeDeliver** customer deployments. The vulnerability was disclosed by **Mandiant**. ### ViewState Deserialization Attack Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads and achieve remote code execution at the operating system level. **Mandiant** responded to an attack on a **KnowledgeDeliver** server in late 2025 and determined that the vulnerability was initially exploited as a zero-day to inject a malicious script into the web platform. Exploitation was possible due to the use of “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the researchers said. “**KnowledgeDeliver** installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads,” **Mandiant** explains. According to the researchers, the malicious code on the platform “convinced users to download a fake installer,” which led to the machine getting infected with a **Cobalt Strike** beacon, essentially planting a backdoor. “The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” **Mandiant** says in their report. ### Godzilla Web Shell Delivery **Mandiant** says the threat actor deployed the .NET-based in-memory web shell, **Godzilla** (a.k.a. BlueBeam), which has also been used in similar attacks observed by **Microsoft** in late 2024. In August 2024, researchers at **ASEC** had also reported that **Godzilla** was being deployed in ASP.NET environments in ViewState deserialization attacks targeting companies in the financial sector. **Mandiant** notes that the threat actor compromising **KnowledgeDeliver** instances executed commands to escalate their control over the web server's file system. This allowed them to modify an application JavaScript file with code that prompted users to install a “security authentication plugin” and to load a malicious script from a domain under the attacker’s control. ### A Pattern of ViewState Deserialization Attacks Over the past year, hackers have used improperly secured machine keys in ViewState deserialization attacks targeting web platforms for various products. In March last year, threat actors abused a hardcoded machine key to craft a malicious payload that allowed access to **Gladinet CentreStack's** secure file-sharing servers. In July 2025, hackers compromised 85 **Microsoft SharePoint** servers after stealing the machine key to create signed malicious ViewState payloads. State-sponsored actors also used ViewState deserialization attacks to deploy a reconnaissance tool named WeepSteel on **Sitecore** servers that exposed the ASP.NET machine key.  ## The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. [Download Now](https://hubs.li/Q048zztN0)