KnowledgeDeliver flaw exploited as a zero-day to install web shells
A serious security problem was found in KnowledgeDeliver, a system for online learning. Attackers used a previously unknown weakness to break into servers and secretly take control of them.
The attackers used this flaw to plant a malicious tool called Godzilla, which allowed them to steal data and infect computers. The incident shows how important it is for software to have unique, secure keys.
| Target / Product | Attack Vector | Payload / Outcome |
|---|---|---|
| KnowledgeDeliver LMS (2026) | Shared hardcoded ASP.NET machine key in standardized web.config; ViewState deserialization (CVE-2026-5426) | Godzilla (BlueBeam) in-memory web shell; Cobalt Strike beacon backdoor; fake plugin installer served to users |
| Gladinet CentreStack (March 2025) | Hardcoded machine key abused to craft signed malicious ViewState payloads | Unauthorized access to secure file-sharing servers |
| Microsoft SharePoint (July 2025) | Stolen machine key used to create signed malicious ViewState payloads | 85 SharePoint servers compromised |
| Sitecore CMS (2025) | Exposed ASP.NET machine key exploited via ViewState deserialization | WeepSteel reconnaissance tool deployed by state-sponsored actors |
KnowledgeDeliver Zero-Day Exploit Installs Web Shells
The shared hardcoded machine key lets attackers create malicious ViewState payloads and so gain remote code execution. The Godzilla web shell gives them backdoor access, and people may download fake installers. Everyone must check their machine key configurations and apply vendor patches immediately.
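One way to run the machine key check recommended above, as an added example that is not from the vendor or the original article: it parses `web.config` text, flags explicit (non-auto-generated) `machineKey` values, and groups hosts that share the same key by a SHA-256 fingerprint so the key itself is never logged. The host names and sample configs are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs (not taken from any real installation).
SHARED = '''<configuration><system.web>
  <machineKey validationKey="AAAA1111BBBB2222CCCC3333DDDD4444"
              decryptionKey="EEEE5555FFFF6666"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>'''
AUTO = '''<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>'''
NONE = '<configuration><system.web /></configuration>'


def audit_machine_key(xml_text):
    """Return (status, fingerprint) for one web.config.

    status is 'static' when an explicit key is configured, else 'auto'.
    A missing <machineKey> element counts as 'auto' (the ASP.NET default).
    """
    root = ET.fromstring(xml_text)
    # iter() also finds machineKey nested under <location> elements.
    for mk in root.iter("machineKey"):
        keys = [mk.get(attr, "AutoGenerate")
                for attr in ("validationKey", "decryptionKey")]
        if any(not k.lower().startswith("autogenerate") for k in keys):
            # Fingerprint the key material instead of reporting the key.
            material = "|".join(k.strip().upper() for k in keys)
            digest = hashlib.sha256(material.encode()).hexdigest()
            return "static", digest[:16]
    return "auto", None


def find_shared_keys(configs):
    """configs maps host -> web.config text.

    Returns {fingerprint: [hosts]} for static keys seen on more than one host.
    """
    by_fingerprint = defaultdict(list)
    for host, text in configs.items():
        status, fingerprint = audit_machine_key(text)
        if status == "static":
            by_fingerprint[fingerprint].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fingerprint.items()
            if len(hosts) > 1}
```

Any host reported as `static` carries a key that should be regenerated, and any fingerprint shared across hosts points to a copied configuration file.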
Hardcoded Keys Enable Widespread Attacks
A critical zero-day flaw was exploited. The root cause was the use of identical, hardcoded machine keys, which allowed attackers to deploy a Godzilla web shell and enabled unauthenticated remote code execution. Such shared keys create massive supply-chain risks: all pre-patch systems were vulnerable, and a single flaw can compromise many organizations. The attack also served as a gateway for further malware. Vendors must avoid universal, static credentials, and regular patching and unique configurations are essential.
“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.”
The zero-day attack on KnowledgeDeliver highlights a critical flaw in using shared cryptographic keys. Hardcoded machine keys allowed unauthenticated remote code execution, and threat actors installed web shells and deployed malware.
This incident underscores the need for unique security configurations in software. Vendors must avoid default keys and ensure regular key rotation, and proactive measures are vital to protect against future exploits.



