KnowledgeDeliver flaw exploited as a zero-day to install web shells
2026-05-26 20:07 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
State-sponsored actors have been exploiting a critical zero-day vulnerability in the KnowledgeDeliver learning management system (LMS) to deploy malicious web shells, compromising sensitive data and disrupting operations. The flaw allows hackers to inject a malicious script into the web platform using identical pre-shared ASP.NET machine keys across multiple customer deployments. This has led to widespread attacks on various organizations, including financial institutions and government agencies. Researchers have identified similar vulnerabilities in other systems, such as Microsoft SharePoint servers, highlighting the need for immediate action to patch these weaknesses before they can be exploited by malicious actors.
Technical Mitigations (AI-generated)
* Implement secure ViewState deserialization: Ensure that all web applications, including those using KnowledgeDeliver LMS, use secure ViewState deserialization mechanisms to prevent malicious code execution.
* Use secure machine key management: Implement a standardized and secure method for managing ASP.NET machine keys across customer deployments: generate a unique key per deployment and supply it through environment variables or deployment-specific configuration rather than hardcoding one shared value.
* Regularly update and patch software: Keep all software, including KnowledgeDeliver LMS, up-to-date with the latest security patches to prevent exploitation of known vulnerabilities like CVE-2026-5426.
* Implement secure authentication and authorization: Ensure that all web applications use secure authentication and authorization mechanisms to prevent unauthorized access and remote code execution attacks.
* Monitor for suspicious activity: Regularly monitor system logs, network traffic, and user behavior for signs of suspicious activity or potential exploitation attempts.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Cobalt Strike; CVE-2026-5426
Target & Sectors: JP
Incident Timeline
late 2024
Threat actors deployed the Godzilla web shell delivery via a .NET-based in-memory exploit.
organisation: Godzilla (a.k.a. BlueBeam); organisation: Microsoft
Mandiant says the threat actor deployed the .NET-based in-memory web shell, Godzilla (a.k.a. BlueBeam), which has also been used in similar attacks observed by Microsoft in late 2024.
August 2024
Threat actors exploited a zero-day vulnerability in the KnowledgeDeliver web application to install malicious web shells on targeted systems.
organisation: ASEC
In August 2024, researchers at cybersecurity company ASEC had also reported that Godzilla was being deployed in ASP.NET environments in ViewState deserialization attacks targeting companies in the financial sector.
February 2025
Threat actors exploited publicly disclosed ASP.NET machine keys to install web shells.
organisation: ASP.NET; organisation: Microsoft
The abuse of publicly disclosed ASP.NET machine keys by threat actors was first documented by Microsoft in February 2025.
2025/05/26
Threat actors exploited a hardcoded machine key to craft malicious payloads that allowed access to Gladinet CentreStack's secure file-sharing servers.
organisation: CentreStack
In March last year, threat actors abused a hardcoded machine key to craft a malicious payload that allowed access to Gladinet CentreStack's secure file-sharing servers.
late 2025
Mandiant discovered that the KnowledgeDeliver server was initially targeted with a zero-day exploit to inject malicious code into its web platform.
organisation: Mandiant
Mandiant in late 2025 responded to an attack on a KnowledgeDeliver server and says that initially, the vulnerability was exploited as a zero-day to inject a malicious script into the web platform.
July 2025
Threat actors exploited a zero-day vulnerability in Microsoft SharePoint to compromise 85 servers.
organisation: Microsoft SharePoint; infrastructure: 85 SharePoint servers
In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads.
Feb. 24, 2026
Threat actors exploited a zero-day vulnerability in KnowledgeDeliver installations deployed before February 24, 2026.
observable: web.config
KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor.
February 24, 2026
Threat actors exploited a zero-day vulnerability in Digital Knowledge KnowledgeDeliver to install web shells on affected systems.
organisation: Digital Knowledge KnowledgeDeliver
The security flaw impacted Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026.
2026/05/26
Threat actors exploited a zero-day vulnerability in the KnowledgeDeliver web application to install web shells on targeted systems.
May 26, 2026
Threat actors exploited a high-severity vulnerability in Digital Knowledge KnowledgeDeliver to deliver the Godzilla web shell.
malware: Cobalt Strike; target_region: Japan; attribution: Vulnerability / Threat Intelligence; attribution: Digital Knowledge KnowledgeDeliver; attribution: Learning Management System; attribution: LMS
Ravie Lakshmanan
May 26, 2026
Vulnerability / Threat Intelligence
A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon.
2026/05/26
Threat actors exploited a KnowledgeDeliver LMS flaw to deploy the Godzilla web shell.
organisation: ViewState
The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, leading to unauthenticated remote code execution via a ViewState deserialization attack.
ViewState deserialization
Threat actors obtained the machine key and used it in ViewState deserialization attacks to sign malicious ViewState payloads and achieve remote code execution at the operating system level.
organisation: KnowledgeDeliver
The problem is rooted in the fact that KnowledgeDeliver installations relied on a standardized web.config file provided by the vendor that contained hard-coded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.
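The condition described above (a vendor-shipped web.config whose static machineKey is identical across customer installations) is something a defender can check for directly. The following is an added example, not code from the original page, from Mandiant, or from the vendor: a small Python audit that parses web.config files, reports a static machineKey and a legacy validation algorithm, and fingerprints static keys so that the same key reused across several deployments is detected without the key material ever being printed. The sample configurations, key strings and function names are constructed for illustration; the assumption that an omitted validation attribute means HMACSHA256 matches the ASP.NET 4.5+ default.

```python
"""Audit ASP.NET web.config files for hard-coded or shared machineKey values.

Added example: checks for the weakness described above (a vendor-supplied
web.config carrying a static machineKey shared across deployments). The
sample configurations and key strings below are constructed, not real.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

AUTO_PREFIX = "AutoGenerate"               # ASP.NET default: per-machine generated keys
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}  # legacy machineKey validation algorithms


def inspect_machine_key(config_xml: str) -> dict:
    """Describe the <system.web><machineKey> settings of one web.config."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    node = system_web.find("machineKey") if system_web is not None else None
    if node is None:
        # Absent element: ASP.NET falls back to auto-generated, isolated keys.
        return {"present": False, "static": False, "weak_validation": False, "fingerprint": None}

    vkey = node.get("validationKey", AUTO_PREFIX)
    dkey = node.get("decryptionKey", AUTO_PREFIX)
    # A literal key in either attribute means the secret lives in the file and is
    # only as secret as every copy of that file (including a vendor template).
    static = not vkey.startswith(AUTO_PREFIX) or not dkey.startswith(AUTO_PREFIX)
    # Assumption: an omitted validation attribute defaults to HMACSHA256 (ASP.NET 4.5+).
    weak = node.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION
    # A truncated hash lets installs be compared without copying key material around.
    fp = hashlib.sha256(f"{vkey}|{dkey}".encode()).hexdigest()[:16] if static else None
    return {"present": True, "static": static, "weak_validation": weak, "fingerprint": fp}


def find_shared_keys(configs: dict) -> dict:
    """Return {fingerprint: [deployment names]} for static keys used by more than one deployment."""
    by_fp = defaultdict(list)
    for name, xml_text in configs.items():
        info = inspect_machine_key(xml_text)
        if info["static"]:
            by_fp[info["fingerprint"]].append(name)
    return {fp: names for fp, names in by_fp.items() if len(names) > 1}


def audit(configs: dict) -> list:
    """Produce human-readable findings for a set of deployments."""
    findings = []
    for name, xml_text in configs.items():
        info = inspect_machine_key(xml_text)
        if info["static"]:
            findings.append(f"{name}: static machineKey (fingerprint {info['fingerprint']}); "
                            "rotate it and keep it unique per deployment")
        if info["weak_validation"]:
            findings.append(f"{name}: legacy validation algorithm; use HMACSHA256 or stronger")
    for fp, names in find_shared_keys(configs).items():
        findings.append(f"key {fp} is shared by {', '.join(names)}: "
                        "one leak signs ViewState for all of them")
    return findings


# Constructed sample configs. The key values are made-up hex, not real keys.
_TEMPLATE_KEY = "A1B2C3D4" * 16   # placeholder 128-hex-char validationKey
_TEMPLATE_DKEY = "0F1E2D3C" * 8   # placeholder 64-hex-char decryptionKey

VENDOR_TEMPLATE = f"""<configuration>
  <system.web>
    <machineKey validationKey="{_TEMPLATE_KEY}" decryptionKey="{_TEMPLATE_DKEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

CONFIGS = {
    "customer_a": VENDOR_TEMPLATE,   # two customers shipped the same template
    "customer_b": VENDOR_TEMPLATE,
    "customer_c": HARDENED,          # per-machine keys, nothing to share
}

if __name__ == "__main__":
    for line in audit(CONFIGS):
        print(line)
```

A static key is legitimately required on a web farm, where every node must validate the same ViewState, so the "static" finding is a prompt to verify that the key was generated for that deployment, is stored outside the shipped template, and has been rotated if the template ever left the organisation; the "shared" finding, where two installations carry the same fingerprint, is the case the article describes and should be treated as a confirmed weakness.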
KnowledgeDeliver flaw exploited as a zero-day to install web shells.
organisation: Hackers; organisation: LMS
Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.
organisation: ASP.NET
Exploitation was possible due to the use of “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the researchers said.
organisation: Google
"The ASP.NET ViewState persists page state across postbacks," Google said.
Tactical Metrics
infrastructure: 85 SharePoint servers
In July 2025, hackers compromised 85 Microsoft SharePoint servers after stealing the machine key to create signed malicious ViewState payloads.
Intelligence Sources
The Hacker News (2026-05-26)
BleepingComputer (2026-05-26): KnowledgeDeliver flaw exploited as a zero-day to install web shells
Last Updated: 2026-06-26T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
  ViewState (organisation, identified entity): 13x
  Feb. 24, 2026 (timeline, temporal reference): 10x
  State (attribution, attributing entity / authority): 6x
  Reconnaissance (tactic, cyber operation type): 2x
Contextual Telemetry (7 metrics)
  Exploited CVE (vulnerability): CVE-2026-5426
  Offensive Tool (malware): Cobalt Strike
  MITRE ATT&CK Technique (tactic): T1059.007 - JavaScript
  Sharepoint Servers (infrastructure): 85
  Surfaces (general metric): 6
  Target Country (target region): Japan
  Vulnerability (general metric): 8