Deepak Sharma

KnowledgeDeliver LMS Vulnerability Exploited to Deploy Godzilla Web Shell and Cobalt Strike

Cybersecurity researchers report that a high-severity weakness in Digital Knowledge's KnowledgeDeliver LMS platform was being exploited in the wild as a zero-day to deploy the Godzilla web shell and, later, to drop the Cobalt Strike Beacon malware.

The issue is tracked as CVE-2026-5426, and its root cause was hard-coded ASP.NET machine keys shipped inside the deployment configuration. ASP.NET relies on those machine keys to encrypt and validate ViewState, so once they are exposed an attacker can craft ViewState the server trusts and use it to run hostile code remotely, without needing to authenticate.

The researchers also note that the flaw affects KnowledgeDeliver deployments set up before February 24, 2026. Because several deployments reportedly shared the same machine keys, once those keys became known an attacker could breach many internet-facing systems in short order, not just one.
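The two points above, static keys baked into the configuration and the same keys reused across deployments, can both be checked from the web.config files themselves. The script below is an added example written for this post, not code from the original article or from Digital Knowledge; the two config snippets are constructed, the key values in them are placeholders rather than real keys, and the deployment names are invented. It flags any `validationKey` or `decryptionKey` that is not `AutoGenerate`, and fingerprints the values so that reuse across a fleet can be spotted without copying the secrets into a report.

```python
"""Audit ASP.NET web.config files for static <machineKey> values and for the
same key reused across deployments.

Added example for this post, not code from the original article or from
Digital Knowledge. The two config snippets are constructed; the key values
in them are placeholders, not real keys."""
import hashlib
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

# Constructed: explicit keys baked into the file, the pattern the post describes.
STATIC_KEY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_NOT_REAL"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_NOT_REAL"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed: keys generated per machine and isolated per application.
AUTOGEN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> dict:
    """Report which key attributes are static, with a fingerprint of each.

    The fingerprint is a truncated SHA-256 so the audit output can be shared
    or logged without leaking the key itself.
    """
    root = ET.fromstring(config_xml)
    element = next(root.iter("machineKey"), None)
    result = {"present": element is not None, "static": [], "fingerprints": {}}
    if element is None:
        return result  # no element: the runtime auto-generates per-machine keys
    for attr in KEY_ATTRS:
        value = element.get(attr, "").strip()
        if not value or value.upper().startswith("AUTOGENERATE"):
            continue
        result["static"].append(attr)
        result["fingerprints"][attr] = hashlib.sha256(value.encode()).hexdigest()[:16]
    return result


def find_shared_keys(configs: dict) -> dict:
    """Group deployments (name -> web.config text) that share a static key.

    Returns {(attribute, fingerprint): [deployment names]} for every key seen
    in more than one deployment; any hit means one leak exposes them all.
    """
    seen = {}
    for name, xml in configs.items():
        for attr, fingerprint in audit_machine_key(xml)["fingerprints"].items():
            seen.setdefault((attr, fingerprint), []).append(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Invented deployment names for the demonstration run.
    fleet = {"lms-a": STATIC_KEY_CONFIG, "lms-b": STATIC_KEY_CONFIG, "lms-c": AUTOGEN_CONFIG}
    for name, cfg in fleet.items():
        print(name, "static keys:", audit_machine_key(cfg)["static"])
    print("shared across deployments:", find_shared_keys(fleet))
```

Run against the web.config of every instance you operate, any fingerprint that appears more than once is a single point of failure: rotating the key on one host does nothing for the others, so rotation has to be fleet-wide and each host should end up with its own value.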

The attack chain began with a ViewState deserialization exploit: the attackers assembled malicious payloads and delivered them via HTTP requests. Once that succeeded, they deployed the Godzilla web shell, which gave them remote control of the compromised server.

With that access, they reportedly modified application files and injected malicious JavaScript directly into the LMS platform. Visitors to an affected site were greeted with fake security warnings telling them to install a so-called "security authentication plugin", presented as if it were a routine step.

In reality, that supposed installer dropped a Cobalt Strike Beacon, a well-known post-exploitation tool that many threat actors rely on for persistence, lateral movement and remote command execution once they are inside an environment.

The researchers also noticed that some payloads were customized with organization-specific encryption keys, which suggests the attackers had specific victims in mind rather than running a generic mass campaign: they were not improvising, but had prepared a tailored deployment.

This incident puts the spotlight on the risks of shared secrets and insecure default settings in enterprise software rollouts. If a single encryption key leaks, it can open the door to compromise across an entire installation base rather than a handful of machines.

Security experts advise rotating machine keys and updating vulnerable systems right away. They also recommend watching for unusual ViewState activity, verifying application integrity, and strengthening endpoint monitoring so that post-exploitation tooling like Cobalt Strike is caught before it gets far.
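"Verifying application integrity" is the control that would have surfaced the modified application files and injected JavaScript described earlier. The script below is an added example for this post, not code from the original article or from Digital Knowledge: it hashes every file in a deployed web application tree, compares a later snapshot against that baseline, and, for pages that changed, lists any external `<script src>` URL that was not there before. The application tree, its files and the change set are constructed inside `demo()`, and the plugin URL is an invented placeholder; in practice the baseline comes from a known-good deployment and is stored off the web server.

```python
"""Baseline-and-compare integrity check for a deployed web application tree,
with a look for newly injected external <script> tags in changed pages.

Added example for this post, not code from the original article or from
Digital Knowledge. The application tree, its files and the change set are
constructed inside demo(); in practice the baseline is taken from a
known-good deployment and kept off the web server."""
import hashlib
import os
import re
import tempfile

SCRIPT_SRC = re.compile(rb"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.IGNORECASE)


def hash_tree(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify files as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def new_script_sources(before: bytes, after: bytes) -> list:
    """External script URLs referenced in `after` but absent from `before`."""
    known = set(SCRIPT_SRC.findall(before))
    return [s.decode("utf-8", "replace") for s in SCRIPT_SRC.findall(after) if s not in known]


def demo() -> dict:
    """Snapshot a constructed app tree, alter it, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Pages"))
        login = os.path.join(root, "Pages", "Login.aspx")
        original_page = (b"<html><body><form runat='server'></form>\n"
                         b"<script src='/Scripts/app.js'></script></body></html>")
        with open(login, "wb") as fh:
            fh.write(original_page)
        with open(os.path.join(root, "web.config"), "wb") as fh:
            fh.write(b"<configuration></configuration>")

        # Known-good state: hashes for every file, plus the content of the pages
        # we want to inspect for script injection later.
        baseline = hash_tree(root)
        page_contents = {"Pages/Login.aspx": original_page}

        # Constructed change set: one page gains an extra external script tag
        # (placeholder URL) and an unexpected handler file appears in the tree.
        with open(login, "ab") as fh:
            fh.write(b"\n<script src='https://cdn.example.invalid/auth-plugin.js'></script>")
        with open(os.path.join(root, "unexpected.ashx"), "wb") as fh:
            fh.write(b"placeholder")

        report = diff_baseline(baseline, hash_tree(root))
        report["new_scripts"] = {}
        for rel in report["modified"]:
            with open(os.path.join(root, rel), "rb") as fh:
                report["new_scripts"][rel] = new_script_sources(page_contents.get(rel, b""), fh.read())
        return report


if __name__ == "__main__":
    print(demo())
```

The hash comparison catches any change, including a dropped web shell file, regardless of content; the script-source diff is the cheap second pass that turns "Login.aspx changed" into "Login.aspx now loads a script from a domain we do not own", which is exactly the fake plugin prompt this post describes. Schedule the comparison to run from a host other than the web server, so an attacker who owns the application cannot also rewrite the baseline.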

Companies such as IntelligenceX continue to stress secure configuration management, faster vulnerability patching and proactive monitoring, because attackers increasingly target enterprise platforms and web applications with more advanced exploitation methods.
