KnowledgeDeliver flaw exploited as a zero-day to install web shells
Recorded: May 26, 2026, 9 p.m.
Original

KnowledgeDeliver flaw exploited as a zero-day to install web shells
By Ionut Ilascu, May 26, 2026

Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.
Summarized

Hackers exploited a zero-day vulnerability in the KnowledgeDeliver learning management system to deploy the Godzilla web shell. The vulnerability, tracked as CVE-2026-5426, is a deserialization flaw that can be exploited without authentication.

According to Mandiant, the root cause is that identical, hardcoded machine keys were shared across multiple KnowledgeDeliver customer deployments. The ASP.NET framework uses these machine keys to encrypt and sign data, including ViewState payloads. An attacker who obtains the machine key can sign malicious ViewState payloads, and a ViewState deserialization attack then yields remote code execution at the operating-system level.

Mandiant reported that the initial attack involved injecting a malicious script into the web platform. The malicious code tricked users into downloading a fake installer, which infected the compromised machine with a Cobalt Strike beacon, establishing a backdoor. The payload used for encryption incorporated the name of the compromised organization, indicating that the threat actor tailored it specifically to the targeted entity.

The deployed tool was Godzilla (also referred to as BlueBeam), a .NET-based, in-memory web shell that Microsoft observed in similar attacks against ASP.NET environments in late 2024 and that ASEC researchers observed targeting the financial sector in August 2024.

After compromising the KnowledgeDeliver instances, the threat actors executed commands that extended their control over the web server's file system. This access let them modify an application JavaScript file, which installed a security authentication plugin and loaded a malicious script from an attacker-controlled domain.
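The mechanism described above (ASP.NET signs ViewState with the machine key, so a key shared across deployments lets anyone holding it produce validly signed payloads) can be audited from the defending side by inspecting each deployment's configuration. The following Python script is an added example, not code from the article, from Mandiant, or from the KnowledgeDeliver vendor: it parses web.config files, flags static machineKey values, weak validation algorithms and a disabled ViewState MAC, and reports any validationKey that appears in more than one deployment. The customer-a/b/c configurations and the PLACEHOLDER-* key strings are constructed for the demonstration and are not real secrets.

```python
"""Audit ASP.NET web.config machineKey settings for the weaknesses behind
ViewState deserialization attacks: static keys reused across installs,
legacy MAC algorithms, and a disabled ViewState MAC."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs (placeholder keys, not real secrets).
# customer-a and customer-b shipped with the same vendor-default machineKey,
# the pattern the article attributes to KnowledgeDeliver; customer-c uses
# keys generated for that installation alone.
CUSTOMER_A = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-SHARED-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-SHARED-DECRYPTION-KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""
CUSTOMER_B = CUSTOMER_A  # identical default handed to a second customer
CUSTOMER_C = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-UNIQUE-VALIDATION-KEY-C"
                decryptionKey="PLACEHOLDER-UNIQUE-DECRYPTION-KEY-C"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Legacy validation algorithms still accepted by ASP.NET; HMACSHA256 is the
# modern default and anything weaker is worth a finding.
WEAK_VALIDATION = {"MD5", "SHA1"}


def _machine_key(root):
    """Return the <machineKey> element under <system.web>, or None."""
    system_web = root.find("system.web")
    return None if system_web is None else system_web.find("machineKey")


def audit_machine_key(config_xml: str) -> list:
    """Return a list of human-readable findings for one web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        return ["no <system.web>: machineKey inherited from machine.config; audit that file"]
    mk = system_web.find("machineKey")
    if mk is None:
        findings.append("no <machineKey>: inherited from machine.config; audit that file")
    else:
        # A missing attribute defaults to AutoGenerate, which is per-machine
        # and cannot be copied between installs.
        for attr in ("validationKey", "decryptionKey"):
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr}: confirm it is unique to this deployment and rotated")
        algo = mk.get("validation", "HMACSHA256").upper()
        if algo in WEAK_VALIDATION:
            findings.append(f"weak validation algorithm {algo}; use HMACSHA256 or stronger")
    pages = system_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without a MAC")
    return findings


def find_shared_keys(configs: dict) -> dict:
    """Map each static validationKey to the deployments using it, keeping only
    keys that appear in more than one deployment (the cross-customer reuse
    that turns a single leaked key into access to every install)."""
    users = defaultdict(list)
    for name, xml in configs.items():
        mk = _machine_key(ET.fromstring(xml))
        if mk is None:
            continue
        key = mk.get("validationKey", "AutoGenerate")
        if not key.startswith("AutoGenerate"):
            users[key].append(name)
    return {key: names for key, names in users.items() if len(names) > 1}


if __name__ == "__main__":
    deployments = {"customer-a": CUSTOMER_A, "customer-b": CUSTOMER_B, "customer-c": CUSTOMER_C}
    for name, xml in deployments.items():
        for finding in audit_machine_key(xml):
            print(f"{name}: {finding}")
    for key, names in find_shared_keys(deployments).items():
        print(f"validationKey shared by {', '.join(names)}: issue per-deployment keys and rotate")
```

A static machineKey is legitimate inside a web farm, where every node must share it, so the "static" findings are review items rather than defects; the shared-key report is the actionable one, since each installation should carry its own key and a key that has been exposed (for example by appearing in a vendor package) has to be rotated on every deployment that used it.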
The incident fits a broader pattern in which threat actors repeatedly exploit improperly secured machine keys in ViewState deserialization attacks against various web platforms. In earlier incidents, attackers used hardcoded machine keys to gain access to secure file-sharing servers such as Gladinet CentreStack, and compromised Microsoft SharePoint servers by stealing the keys and generating signed malicious ViewState payloads. State-sponsored actors have also used ViewState deserialization attacks to deploy reconnaissance tools such as WeepSteel on Sitecore servers whose ASP.NET machine key had been exposed.