Mandiant discovered that a single, hard coded ASP.NET machine key in Digital Knowledge's KnowledgeDeliver LMS allowed unauthenticated attackers to remotely execute code via ViewState deserialization. The kill chain involved exploiting CVE 2026 5426 for initial access, deploying the Godzilla (BLUEBEAM) in memory web...

Create a landscape editorial hero image for this Studio Global article: What was the CVE-2026-5426 zero-day vulnerability in the KnowledgeDeliver LMS, how was it exploited by threat actors to deploy Cobalt Strike. Article summary: **CVE-2026-5426** is a critical zero-day vulnerability in **Digital Knowledge KnowledgeDeliver**, a Japanese Learning Management System (LMS) built on ASP.NET. The root cause is a **hard-coded ASP.NET/IIS `machineKey` va. Topic tags: general, government, general web. Reference image context from search candidates: Reference image 1: visual subject "# KnowledgeDeliver LMS Zero-Day Exploited to Deploy BLUEBEAM Web Shell. A newly disclosed zero-day vulnerability in the KnowledgeDeliver Learning Management System (LMS) has been a" source context "KnowledgeDeliver LMS Zero-Day Exploited to Deploy BLUEBEAM ..." Reference image 2: visual subject "# New Knowledge Deliv
A late-2025 incident response investigation by Google's Mandiant uncovered a textbook case of how a single configuration flaw can cascade into a full-blown, multi-stage compromise. The target was KnowledgeDeliver, a popular Japanese Learning Management System (LMS) built on ASP.NET. The root cause was a static, hard-coded ASP.NET machineKey shipped identically in every customer deployment . This critical weakness, tracked as CVE-2026-5426, gave unknown threat actors unauthenticated remote code execution (RCE) on Internet-facing LMS servers. They leveraged this foothold not just to control the server, but to transform a trusted educational platform into a watering hole, ultimately deploying Cobalt Strike Beacon backdoors onto the workstations of unsuspecting visitors
.
The severity of CVE-2026-5426 stems from a fundamental design failure. The machineKey element in an ASP.NET application's web.config file is meant to be a unique, cryptographically secure secret used for encrypting and validating sensitive data like ViewState and forms authentication tickets. Digital Knowledge shipped a single, static machineKey—containing both the validationKey and decryptionKey—in the standard configuration file for every KnowledgeDeliver customer .
Because the key was identical across all deployments and was hard-coded, it became a publicly known secret. An attacker who obtained this key could forge a malicious, serialized ViewState payload. By sending this payload in a POST request to any .aspx page, they could bypass ASP.NET's tamper-proofing mechanisms. The server would accept the forged ViewState as legitimate and deserialize it, allowing the attacker to execute arbitrary code on the underlying IIS web server without any authentication . The NVD assigned the flaw a CVSS score of 7.5 (High), reflecting the ease of network-based exploitation by an unauthenticated attacker
.
Mandiant's investigation documented a sophisticated, multi-stage attack that weaponized the platform against its own users .
The attacker initiated the compromise by locating a publicly exposed KnowledgeDeliver login page and sending a carefully crafted HTTP POST request. The body of this request contained a malicious ViewState forged using the known hard-coded machine key. Upon deserialization, the payload executed code with the privileges of the IIS worker process, giving the attacker an initial unauthenticated foothold on the server .
To maintain long-term access, the attacker deployed an in-memory web shell known as Godzilla, which Mandiant tracks internally as BLUEBEAM. This .NET-based tool allowed the threat actor to execute commands, upload files, and manage the compromised server without leaving malicious .aspx files on disk, making detection via simple file scanning much harder .
With a persistent command channel established, the attacker used the web shell to modify the JavaScript files served by the LMS platform. They injected a remote script that displayed a fake security alert or prompt to end-users visiting the compromised site. This social engineering component was the critical pivot point, turning the server compromise into a direct threat to every student or employee using the LMS .
The injected script redirected victims to download what appeared to be a necessary plugin or installer. In reality, the downloaded file was a Cobalt Strike Beacon payload. This highly capable backdoor established a persistent connection to the attacker's command-and-control infrastructure, granting them complete remote access to the victim's workstation. Mandiant noted that the payload file was encrypted using the compromised organization's name as a key, strongly suggesting the attackers were specifically preparing payloads for their intended targets .
Based on their analysis, Mandiant outlined immediate and long-term actions for defenders with affected KnowledgeDeliver deployments :
machineKey: The most critical step is to immediately replace the hard-coded machineKey in the web.config file with a newly generated, cryptographically random key that is unique to your specific deployment. This negates the core of the CVE-2026-5426 vulnerability .aspx pages, which are a strong indicator of ViewState exploitation attempts. Use endpoint detection and response (EDR) tools to scan the server and network for Indicators of Compromise (IOCs) related to the Godzilla web shell or Cobalt Strike Beacon This incident serves as a stark reminder that security defaults in third-party software are critical. A single shared secret, baked into a widely used product, can provide a skeleton key for attackers to not only breach servers but also weaponize a trusted application against its entire user base.
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
Mandiant discovered that a single, hard coded ASP.NET machine key in Digital Knowledge's KnowledgeDeliver LMS allowed unauthenticated attackers to remotely execute code via ViewState deserialization.
Mandiant discovered that a single, hard coded ASP.NET machine key in Digital Knowledge's KnowledgeDeliver LMS allowed unauthenticated attackers to remotely execute code via ViewState deserialization. The kill chain involved exploiting CVE 2026 5426 for initial access, deploying the Godzilla (BLUEBEAM) in memory web shell for persistence, and modifying the LMS to serve a fake installer that delivered the final payl...
Organizations using KnowledgeDeliver versions prior to February 24, 2026 are at risk.