Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Target KnowledgeDeliver Zero-Day Vulnerability

Hackers Target KnowledgeDeliver Zero-Day Vulnerability

Posted on May 26, 2026 By CWS

In a recent cybersecurity development, threat actors have taken advantage of a zero-day vulnerability within the KnowledgeDeliver platform to deploy web shells and backdoors, as reported by Mandiant, a Google-owned cybersecurity firm.

KnowledgeDeliver, developed by Digital Knowledge, is a learning management system frequently utilized in Japanese corporate and educational settings. The vulnerability, identified as CVE-2026-5426, carries a CVSS score of 7.5 and stems from the use of a standardized ‘web.config’ file with hardcoded ‘machineKey’ values in these deployments.

Understanding the Exploited Vulnerability

The core issue lies in the hardcoded ‘machineKey’ values used by the ASP.NET framework for encrypting and signing data. Such values across different installations have permitted attackers to compromise systems by executing ViewState deserialization attacks.

Mandiant explains that ASP.NET’s ViewState feature maintains page state across postbacks. When attackers know the ‘machineKey,’ they can craft malicious ViewState payloads, which, when sent via HTTP requests, prompt servers to deserialize them, leading to potential system compromise.

Consequences of the Zero-Day Exploit

This attack vector is not entirely new, having been observed in other platforms like Sitecore and CentreStack. However, in this instance, it resulted in the use of Godzilla web shells, also known as Bluebeam. These shells, injected directly into memory, enable attackers to execute further commands and payloads on compromised machines.

The attackers utilized Godzilla to alter access permissions within the web application directory and modify JavaScript files to load harmful scripts. This included displaying fake security alerts to users, prompting them to install deceptive plugins.

Recommendations and Future Measures

Ultimately, the systems were compromised with a Cobalt Strike backdoor, encrypted with a key unique to the targeted organization, indicating a tailored attack strategy. Mandiant has issued indicators of compromise (IoCs) to assist organizations in identifying potential intrusions.

To mitigate these risks, Mandiant advises organizations to rotate their machine keys regularly and limit access to their LMS. It’s crucial for all KnowledgeDeliver deployments prior to February 24, 2026, to be aware of their vulnerability and take appropriate protective measures.

This incident underscores the ongoing challenges enterprises face in cybersecurity, emphasizing the need for vigilance and proactive security strategies to safeguard against evolving threats.

Security Week News Tags:ASP.NET, Cobalt Strike, Cybersecurity, Godzilla, KnowledgeDeliver, LMS security, Mandiant, ViewState, web shells, zero-day

Post navigation

Previous Post: NightSpire Ransomware Exploits RDP for Covert Operations
Next Post: Ghost CMS Vulnerability Exploited in Widespread Malware Attack

Related Posts

Hundreds Targeted in New Atomic macOS Stealer Campaign Hundreds Targeted in New Atomic macOS Stealer Campaign Security Week News
240,000 Impacted by Data Breach at Eyecare Tech Firm Ocuco 240,000 Impacted by Data Breach at Eyecare Tech Firm Ocuco Security Week News
Stryker Hit by Major Cyberattack Linked to Iran Stryker Hit by Major Cyberattack Linked to Iran Security Week News
Google Discloses Data Breach via Salesforce Hack  Google Discloses Data Breach via Salesforce Hack  Security Week News
SonicWall SSL VPN Accounts in Attacker Crosshairs SonicWall SSL VPN Accounts in Attacker Crosshairs Security Week News
European Commission Probes Cyberattack on IT Systems European Commission Probes Cyberattack on IT Systems Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool
  • Critical U-Boot Vulnerabilities Discovered in Firmware Security
  • Critical Security Alert for ShareFile Admins: Server Shutdown Advised

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool
  • Critical U-Boot Vulnerabilities Discovered in Firmware Security
  • Critical Security Alert for ShareFile Admins: Server Shutdown Advised

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark