KnowledgeDeliver zero-day enables web shell installs
π‘οΈ Mandiant found attackers exploited a critical unauthenticated deserialization flaw (CVE-2026-5426) in KnowledgeDeliver LMS to deliver the Godzilla web shell. The issue stemmed from a shared hardcoded ASP.NET machineKey across customer deployments, allowing signed malicious ViewState payloads and remote code execution. Compromised installations were used to push fake installers, deploy Cobalt Strike beacons, and modify site scripts to load attacker-controlled payloads.
