289/69 Thursday, May 28, 2026

There have been reports of threat actors exploiting a critical zero-day vulnerability, tracked as CVE-2026-5426, in KnowledgeDeliver, a Learning Management System (LMS) platform. The vulnerability allows unauthenticated attackers to remotely execute commands on the underlying operating system. It directly affects organizations running vulnerable installations of the platform from before February 24, 2026. It is considered highly significant because successful exploitation could allow attackers to take control of network systems and deploy tools for data theft, or to cause damage at the level of the organization's infrastructure.
The vulnerability stems from the developer's use of a fixed ASP.NET Machine Key in the configuration file, which was reused across multiple customer environments. Because the Machine Key is what the server uses to validate (and, where enabled, decrypt) ViewState, anyone who holds it can produce ViewState payloads the server accepts as genuine and then deserializes; attackers can therefore leverage the key together with ViewState deserialization techniques to execute malicious commands. According to Mandiant's investigation, the attackers deployed an in-memory web shell known as Godzilla to gain further control over the web server. They then modified the application's JavaScript files to trick users into downloading a fake installer disguised as a security plugin. In reality, the installer was a customized Cobalt Strike backdoor built to target the affected organization specifically. Similar ViewState-based exploitation techniques have also been observed in other enterprise systems, such as Microsoft SharePoint and Sitecore, in recent years.
To reduce risk and prevent potential impact, administrators responsible for KnowledgeDeliver systems should immediately review their server configurations. In particular, they should generate a new ASP.NET Machine Key with a secure, unique value that is not reused across organizations and replace the fixed key with it. They should also closely monitor for, and apply, security patches released by the product developer. In addition, organizations should strengthen network monitoring, inspect web servers for unauthorized changes to application files, and warn users to be cautious of any prompt on a website asking them to download or install additional plugins or software. These measures help keep users from having malware deployed on their own computers.
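As an added defender-side example that is not part of this advisory and not the vendor's own tooling, the following Python script reads the web.config of several environments, flags a static machineKey shared between them (the reuse described above), and generates fresh, unique key material to replace it. The environment names and key values are constructed placeholders, not real KnowledgeDeliver defaults.

```python
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments for three hypothetical environments.
# Key values are short placeholders; real keys are long hex strings.
SAMPLE_CONFIGS = {
    "customer-a": """<configuration><system.web>
      <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222"
                  validation="HMACSHA256" decryption="AES"/>
    </system.web></configuration>""",
    "customer-b": """<configuration><system.web>
      <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222"
                  validation="HMACSHA256" decryption="AES"/>
    </system.web></configuration>""",
    "customer-c": """<configuration><system.web>
      <machineKey validationKey="CCCC3333" decryptionKey="DDDD4444"
                  validation="HMACSHA256" decryption="AES"/>
    </system.web></configuration>""",
}


def extract_machine_key(config_xml):
    """Return (validationKey, decryptionKey) if a static <machineKey> is set,
    or None when the element is absent or the keys are auto-generated."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    vk = node.get("validationKey", "AutoGenerate")
    dk = node.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") or dk.startswith("AutoGenerate"):
        return None
    return (vk, dk)


def find_reused_keys(configs):
    """Map each static key pair to the environments using it; keep only
    pairs shared by more than one environment (the dangerous case)."""
    seen = defaultdict(list)
    for env, xml_text in configs.items():
        pair = extract_machine_key(xml_text)
        if pair is not None:
            seen[pair].append(env)
    return {pair: envs for pair, envs in seen.items() if len(envs) > 1}


def generate_machine_key():
    """Fresh random keys: 64-byte validationKey (HMACSHA256) and
    32-byte decryptionKey (AES-256), hex-encoded for web.config."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}
```

Run `find_reused_keys` over the real web.config files of every deployment you operate; each environment that shows up in the result needs its own output of `generate_machine_key` written into `<machineKey>`, after which existing ViewState and forms-auth cookies signed with the old key stop validating, which is expected.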
