KnowledgeDeliver flaw exploited as a zero-day to install web shells




Document Ref: AX-2026-INTEL-592-BETA
Issuance Date: 2026-05-26

Confidence Gauge: 95%

A zero-day vulnerability in KnowledgeDeliver, a learning management system, let attackers break into servers and install malicious tooling. The flaw is a ViewState deserialization issue in the server-side code, and it was exploitable because every installation shipped with the same shared ASP.NET machine key: anyone holding that key could sign data the server would accept as trusted.

Attackers used the shared key to sign malicious ViewState payloads, which the server deserialized and executed, and through that path deployed the Godzilla web shell to control the servers. From the web shell they altered the application so that users were prompted to download a fake installer carrying further malware.

This is a well-known class of attack: the same ViewState deserialization technique has been used against other ASP.NET products whose machine keys were hardcoded or exposed. The lesson for vendors is that a secret shared across every customer is not a secret; each deployment needs its own keys.

Comparison: KnowledgeDeliver Incident (2026) vs. Comparable ViewState Deserialization Attacks

Vulnerability Type
KnowledgeDeliver (2026): ViewState deserialization flaw (CVE-2026-5426) caused by a hardcoded ASP.NET machineKey shared across all customer deployments. No authentication required to exploit.
Comparable attacks: Hardcoded or exposed ASP.NET machine keys enabling signed malicious ViewState payloads, a recurring pattern across multiple platforms and vendors.

Initial Access Vector
KnowledgeDeliver (2026): Threat actors obtained the pre-shared machineKey from the standardized web.config files shipped by the vendor before Feb 24, 2026, then crafted signed ViewState payloads for remote code execution.
Comparable attacks: Gladinet CentreStack (March 2025) and 85 Microsoft SharePoint servers (July 2025) were similarly compromised via stolen or hardcoded machine keys that allowed malicious ViewState signing.

Payload Deployed
KnowledgeDeliver (2026): Godzilla (.NET-based in-memory web shell, a.k.a. BlueBeam) injected into the web platform; users were tricked into downloading a fake installer that delivered a Cobalt Strike beacon as a persistent backdoor. Payloads were organization-specific (encrypted with the victim's name).
Comparable attacks: Godzilla was also used in ViewState deserialization attacks against ASP.NET environments in the financial sector (ASEC, Aug 2024) and in attacks observed by Microsoft (late 2024). State actors deployed the WeepSteel reconnaissance tool on Sitecore servers via the same technique.

Post-Exploitation Actions
KnowledgeDeliver (2026): Attackers escalated control over the web server's file system, modified application JavaScript to prompt users to install a fake "security authentication plugin," and loaded additional malicious scripts from attacker-controlled domains.
Comparable attacks: Post-exploitation in similar incidents typically involves reconnaissance, lateral movement, and persistence, e.g., WeepSteel for recon on Sitecore, and file-system manipulation on SharePoint and Gladinet instances.

Root Cause & Remediation
KnowledgeDeliver (2026): The vendor used identical pre-shared machine keys in default configurations for all customers. The fix involved unique key generation per deployment starting Feb 24, 2026. Mandiant discovered the zero-day in late 2025.
Comparable attacks: A systemic industry issue: improper machine key management across ASP.NET platforms. Best practice mandates unique, randomly generated machine keys per installation, yet many vendors and admins continue to ship or use defaults.

KnowledgeDeliver Flaw as Zero-Day

A critical zero-day flaw in KnowledgeDeliver allowed attackers to exploit a deserialization issue without authentication. The vendor had used a single hardcoded machine key across all customer deployments, so attackers could sign malicious payloads that the server trusted and achieve remote code execution at the system level, then deploy a web shell for persistent access. Every organization running an affected installation was exposed; administrators should apply the update and make sure each deployment uses its own unique keys.

Confidence by finding:
Zero-Day Exploitation: 95%
ViewState Deserialization: 88%
Godzilla Web Shell Deployment: 80%
Hardcoded Machine Key Abuse: 75%

Security implications of hardcoded keys

Shared hardcoded machine keys in KnowledgeDeliver's LMS created a critical security gap: with the key in hand, attackers exploited CVE-2026-5426 without authentication and deployed web shells. This mirrors past ViewState deserialization attacks on SharePoint and Sitecore servers. Organizations should therefore verify that cryptographic keys are unique across all deployments, and vendors should never ship the same key to more than one customer.
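The root cause described above (and in the comparison table) is a machineKey element in web.config whose validationKey and decryptionKey are identical across deployments. The following Python script is an added example, not code from the article or from the vendor: it parses a set of web.config files, classifies each machineKey as auto-generated or static, reports any static key value that appears in more than one deployment, and produces a fresh per-deployment machineKey element as the remediation the article calls for. The three sample configs and their key values are constructed for the example; the deployment paths and helper names are assumptions.

```python
"""Audit ASP.NET web.config files for hardcoded or shared machineKey values.

Added example (not from the article or the vendor). Given the contents of
several deployments' web.config files, report which use static keys, which
key values are shared between deployments, and generate a unique replacement.
"""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample key material for the example; not real keys from any product.
SHARED_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars (64-byte HMACSHA256 key)
SHARED_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars (32-byte AES key)


def make_config(machine_key_xml: str) -> str:
    """Wrap a <machineKey/> element in a minimal web.config (constructed sample)."""
    return f"<configuration><system.web>{machine_key_xml}</system.web></configuration>"


# Three hypothetical deployments: two ship the same vendor-supplied static key
# (the pattern the article describes), one relies on ASP.NET's auto-generated keys.
SAMPLE_CONFIGS = {
    "customer-a/web.config": make_config(
        f'<machineKey validationKey="{SHARED_VALIDATION_KEY}" '
        f'decryptionKey="{SHARED_DECRYPTION_KEY}" validation="HMACSHA256" decryption="AES"/>'),
    "customer-b/web.config": make_config(
        f'<machineKey validationKey="{SHARED_VALIDATION_KEY}" '
        f'decryptionKey="{SHARED_DECRYPTION_KEY}" validation="HMACSHA256" decryption="AES"/>'),
    "customer-c/web.config": make_config(
        '<machineKey validationKey="AutoGenerate,IsolateApps" '
        'decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" decryption="AES"/>'),
}


def parse_machine_key(config_xml: str) -> dict:
    """Return the attributes of <system.web><machineKey/>, or {} if the element is absent."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else {}


def classify_machine_key(attrs: dict) -> str:
    """'autogenerate' when ASP.NET derives the keys itself (also the default when
    no machineKey element exists), otherwise 'static'."""
    validation = attrs.get("validationKey", "AutoGenerate")
    decryption = attrs.get("decryptionKey", "AutoGenerate")
    if validation.startswith("AutoGenerate") and decryption.startswith("AutoGenerate"):
        return "autogenerate"
    return "static"


def find_shared_keys(configs: dict) -> dict:
    """Map each static key value to the deployments that use it, keeping only
    values present in more than one deployment (the root cause in the article)."""
    users = defaultdict(list)
    for path, xml_text in configs.items():
        attrs = parse_machine_key(xml_text)
        if classify_machine_key(attrs) != "static":
            continue
        for attr in ("validationKey", "decryptionKey"):
            if attr in attrs:
                users[attrs[attr].upper()].append(path)   # hex is case-insensitive
    return {key: sorted(paths) for key, paths in users.items() if len(paths) > 1}


def generate_machine_key() -> str:
    """Produce a fresh <machineKey/> element with random, deployment-unique keys
    (64 random bytes for HMACSHA256 validation, 32 for AES decryption)."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES"/>')


def audit(configs: dict) -> dict:
    """Summarise each deployment's key mode and any keys shared between deployments."""
    return {
        "modes": {path: classify_machine_key(parse_machine_key(xml_text))
                  for path, xml_text in configs.items()},
        "shared": find_shared_keys(configs),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIGS)
    for path, mode in report["modes"].items():
        print(f"{path}: {mode}")
    for key, paths in report["shared"].items():
        print(f"SHARED KEY {key[:16]}... used by: {', '.join(paths)}")
        print("  remediation: replace with a unique element, e.g.", generate_machine_key())
```

Run against real configs, the script would read each deployment's web.config from disk instead of the constructed dictionary; the comparison is by key value, so it catches the same key reused under different file paths, which is exactly the standardized-web.config situation the article quotes below. A static key is not wrong in itself (web farms need one), but a static key that two unrelated deployments share is.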

“KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.”

The KnowledgeDeliver zero-day allowed attackers to install web shells and compromise sensitive systems. All administrators should update affected installations immediately, and the incident is a reminder that security keys must be unique to each deployment.

Axiom Intelligence Architect, Senior Defense Technology Analyst, theAxiom.news

Axiom Supreme Verdict

Threat actors exploited a critical vulnerability in KnowledgeDeliver and installed web shells to take control of servers. The attack was possible because identical pre-shared keys were used across all deployments: a single vendor error created widespread risk.

Vendors must avoid hardcoded credentials and enforce unique security configurations per installation. This incident shows how one flaw in a shared default can affect many organizations at once, and why proactive security reviews and timely patching matter.
