Zero-Day Exploitation of KnowledgeDeliver LMS via ASP.NET ViewState

CyberSecureFox Editorial Team

The CVE-2026-5426 vulnerability (CVSS 7.5) in the Digital Knowledge KnowledgeDeliver learning management system, widely used in Japan, was exploited as a zero-day to deploy the Godzilla web shell and subsequently deliver Cobalt Strike Beacon to end users of the platform. The vulnerability is related to hard-coded ASP.NET keys in the application configuration and allows arbitrary code execution without authentication. All KnowledgeDeliver deployments prior to 24 February 2026 are affected. Organizations using this LMS must immediately update the system and audit their infrastructure for signs of compromise.

Technical nature of the vulnerability

The root cause lies in a design decision by the vendor: KnowledgeDeliver installations were shipped with a standardized web.config file containing hard-coded machineKey values. These keys are used by the ASP.NET framework to encrypt and sign data, including the ViewState parameter — a mechanism for preserving page state between HTTP requests.

Since every KnowledgeDeliver deployment used the same keys, an attacker who obtained them from any single installation could compromise every other internet-exposed instance of the system. The attack is carried out by sending a specially crafted ViewState payload in the __VIEWSTATE parameter of an HTTP request: because the payload is signed with the shared key, the server accepts it as legitimate, deserializes it, and executes the embedded code.

As noted by Google Mandiant and the Google Threat Intelligence Group (GTIG), abuse of publicly disclosed ASP.NET keys was first documented by Microsoft in February 2025. Similar vulnerabilities related to hard-coded keys and ViewState deserialization had previously been exploited in Sitecore Experience Manager (XM), as well as Gladinet CentreStack and TrioFox.

Attack chain: from web shell to user infection

The observed campaign demonstrates a multi-stage approach targeting not only the server, but also end users of the LMS platform:

Stage 1 — initial access. An unknown attacker exploited CVE-2026-5426 to deploy the Godzilla web shell (also known as BLUEBEAM). This tool gave the attacker the ability to execute arbitrary commands on the server and upload additional payloads.

Stage 2 — escalation of control. Through the web shell, commands were executed that granted the “Everyone” group full access to the web application directory. This gave the attacker unrestricted control over the server’s file system.

Stage 3 — client-side compromise. The attacker modified an application JavaScript file, injecting code that displayed a fake security warning. Users were prompted to install a “security authentication plugin.” At the same time, a malicious script was loaded from a domain controlled by the attacker.

Stage 4 — delivery of Cobalt Strike. The script persuaded users to download a fake installer that infected their machines with a Cobalt Strike Beacon. According to Google, the payload was encrypted with a key containing the name of the compromised organization, indicating that the attack had been tailored to a specific victim.

Impact assessment and threat scale

The fundamental danger of CVE-2026-5426 lies in the systemic nature of the vulnerability: a single set of keys distributed by the vendor turns the compromise of one installation into a threat to the entire ecosystem of deployments. This is not a point defect in the code — it is an architectural flaw in the distribution model.

Those at greatest risk are:

  • Educational institutions and corporate training centers in Japan using KnowledgeDeliver as their primary LMS platform
  • End users of compromised platforms who may have downloaded the malicious “plugin” and received a Cobalt Strike Beacon
  • Corporate networks into which Cobalt Strike Beacon could enable further attacker movement

Notably, at the time of publication, CVE-2026-5426 had not been added to the CISA Known Exploited Vulnerabilities catalog, despite confirmed use in real-world attacks.

Response recommendations

For organizations using KnowledgeDeliver:

  1. Immediately update KnowledgeDeliver to a version released after 24 February 2026, in which the vulnerability has been fixed
  2. Replace the machineKey values in the web.config file with unique, cryptographically strong keys for each deployment. Ensure the keys do not match the default values from the vendor’s template
  3. Audit the web server file system: check for unknown files (especially ASPX web shell files), changes in application JavaScript files, and abnormal directory permissions
  4. Review logs for suspicious POST requests with non-standard values in the __VIEWSTATE parameter
  5. Assess endpoint compromise: if users of the LMS platform may have interacted with the fake warning, check their workstations for the presence of Cobalt Strike Beacon
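As an added illustration of recommendation 2 (this is example code written for this article, not code from the vendor or from the original report): a Python script that audits a web.config for a hard-coded machineKey and rewrites it with fresh per-deployment keys. The sample config and the KNOWN_TEMPLATE_KEYS fingerprint set are constructed placeholders, not the vendor's actual template values.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config, representative of a shared vendor template.
# The key values are placeholders, not the vendor's real defaults.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_SHARED_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_SHARED_DECRYPTION_KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder fingerprints of template keys known to be shared across deployments;
# in practice this set would hold the vendor's published/leaked default values.
KNOWN_TEMPLATE_KEYS = {"PLACEHOLDER_SHARED_VALIDATION_KEY",
                       "PLACEHOLDER_SHARED_DECRYPTION_KEY"}


def audit_machine_key(config_xml: str) -> dict:
    """Report whether <machineKey> is hard-coded and whether it matches a shared template."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No explicit element: ASP.NET auto-generates keys on each machine, so nothing is shared.
        return {"present": False, "shared_template_key": False, "auto_generate": True}
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    auto = vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate")
    shared = vkey in KNOWN_TEMPLATE_KEYS or dkey in KNOWN_TEMPLATE_KEYS
    return {"present": True, "shared_template_key": shared, "auto_generate": auto,
            "validation": mk.get("validation"), "decryption": mk.get("decryption")}


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with machineKey replaced by fresh random keys unique to this host."""
    root = ET.fromstring(config_xml)
    sw = root.find("./system.web")
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    mk = sw.find("machineKey")
    if mk is None:
        mk = ET.SubElement(sw, "machineKey")
    # 64 random bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption (hex-encoded).
    mk.set("validationKey", secrets.token_hex(64).upper())
    mk.set("decryptionKey", secrets.token_hex(32).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")
```

Run the audit on every deployment's web.config; any instance whose keys match the shared template should be treated as exposed and rotated, after which existing ViewState and forms-authentication tickets become invalid by design.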

For developers and vendors of ASP.NET applications, this incident is a direct indication of the need to generate unique cryptographic keys for every deployment. Embedding secret values into configuration templates creates a systemic vulnerability that can scale across the entire customer base of a product.

Organizations operating KnowledgeDeliver should treat any deployment with unchanged default keys as potentially compromised and act accordingly: update the system, replace the keys, verify the integrity of application files, and hunt for indicators of Godzilla and Cobalt Strike presence within the infrastructure.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
