In a recent cybersecurity development, threat actors have taken advantage of a zero-day vulnerability within the KnowledgeDeliver platform to deploy web shells and backdoors, as reported by Mandiant, a Google-owned cybersecurity firm.
KnowledgeDeliver, developed by Digital Knowledge, is a learning management system frequently utilized in Japanese corporate and educational settings. The vulnerability, identified as CVE-2026-5426, carries a CVSS score of 7.5 and stems from the use of a standardized ‘web.config’ file with hardcoded ‘machineKey’ values in these deployments.
Understanding the Exploited Vulnerability
The core issue lies in the hardcoded ‘machineKey’ values that the ASP.NET framework uses to encrypt and sign data. Because the same values are shared across different installations, attackers who know them can compromise systems through ViewState deserialization attacks.
Mandiant explains that ASP.NET’s ViewState feature maintains page state across postbacks. An attacker who knows the ‘machineKey’ can craft malicious ViewState payloads that the server accepts and deserializes when they arrive in an HTTP request, which can lead to system compromise.
Consequences of the Zero-Day Exploit
This attack vector is not entirely new, having been observed in other platforms like Sitecore and CentreStack. However, in this instance, it resulted in the use of Godzilla web shells, also known as Bluebeam. These shells, injected directly into memory, enable attackers to execute further commands and payloads on compromised machines.
The attackers utilized Godzilla to alter access permissions within the web application directory and modify JavaScript files to load harmful scripts. This included displaying fake security alerts to users, prompting them to install deceptive plugins.
Recommendations and Future Measures
Ultimately, the systems were compromised with a Cobalt Strike backdoor, encrypted with a key unique to the targeted organization, indicating a tailored attack strategy. Mandiant has issued indicators of compromise (IoCs) to assist organizations in identifying potential intrusions.
To mitigate these risks, Mandiant advises organizations to rotate their machine keys regularly and limit access to their LMS. All KnowledgeDeliver deployments dating from before February 24, 2026, should be treated as vulnerable, and their operators should take appropriate protective measures.
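As an added, defender-side example (not code from Mandiant or Digital Knowledge, and not tied to KnowledgeDeliver’s actual configuration), the Python below audits a set of ASP.NET ‘web.config’ files for the weakness described above, a ‘machineKey’ with static values that is identical across installations, and produces a rotated ‘machineKey’ element with fresh random keys, the mitigation Mandiant recommends. The three sample configurations, their site names and their key values are constructed placeholders.

```python
"""Audit ASP.NET web.config files for static, shared machineKey values and
rotate them. Added example, not code from Mandiant or Digital Knowledge."""
from __future__ import annotations

import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

KEY_ATTRS = ("validationKey", "decryptionKey")

# Constructed sample web.config contents for three hypothetical installations.
# siteA and siteB ship the same static keys (the pattern described in the
# article); siteC leaves key generation to the framework.
STATIC_VALIDATION = "0123456789ABCDEF" * 8   # 128 hex chars, placeholder value
STATIC_DECRYPTION = "FEDCBA9876543210" * 4   # 64 hex chars, placeholder value


def sample_config(validation: str, decryption: str) -> str:
    """Build a minimal constructed web.config with the given machineKey values."""
    return f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{validation}" decryptionKey="{decryption}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


SAMPLE_CONFIGS = {
    "siteA": sample_config(STATIC_VALIDATION, STATIC_DECRYPTION),
    "siteB": sample_config(STATIC_VALIDATION, STATIC_DECRYPTION),
    "siteC": sample_config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}


def extract_machine_key(config_xml: str) -> dict[str, str] | None:
    """Return the attributes of the first <machineKey> element, or None if absent."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    return None if node is None else dict(node.attrib)


def is_static(attrs: dict[str, str]) -> bool:
    """True when either key is a literal value rather than AutoGenerate."""
    return any(not attrs.get(name, "AutoGenerate").startswith("AutoGenerate")
               for name in KEY_ATTRS)


def audit(configs: dict[str, str]) -> dict[str, str]:
    """Classify each installation's machineKey as 'static' or 'auto-generated'."""
    report = {}
    for site, xml_text in configs.items():
        attrs = extract_machine_key(xml_text)
        report[site] = "static" if attrs and is_static(attrs) else "auto-generated"
    return report


def find_shared_keys(configs: dict[str, str]) -> dict[str, list[str]]:
    """Map each static key value to the installations using it, keeping only
    values seen in more than one installation. A key shared this way is
    effectively public: one copy of the config lets its holder sign ViewState
    that every other installation will accept and deserialize."""
    users: dict[str, set[str]] = defaultdict(set)
    for site, xml_text in configs.items():
        attrs = extract_machine_key(xml_text) or {}
        for name in KEY_ATTRS:
            value = attrs.get(name, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                users[value].add(site)
    return {value: sorted(sites) for value, sites in users.items() if len(sites) > 1}


def generate_machine_key_element() -> str:
    """Build a <machineKey> with fresh keys from the OS CSPRNG: 64 bytes for
    HMACSHA256 validation and 32 bytes for AES decryption, hex-encoded."""
    validation_key = secrets.token_hex(64).upper()
    decryption_key = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            f'validation="HMACSHA256" decryption="AES" />')


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with its <machineKey> replaced by fresh random keys.
    If the config has no <machineKey>, one is added under <system.web>."""
    root = ET.fromstring(config_xml)
    fresh = ET.fromstring(generate_machine_key_element())
    nodes = list(root.iter("machineKey"))
    if not nodes:
        system_web = next(root.iter("system.web"), None)
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        nodes = [ET.SubElement(system_web, "machineKey")]
    for node in nodes:
        node.attrib.clear()
        node.attrib.update(fresh.attrib)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("audit:", audit(SAMPLE_CONFIGS))
    for value, sites in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"shared key {value[:16]}... used by {sites}")
    print(rotate_machine_key(SAMPLE_CONFIGS["siteA"]))
```

Rotation is a per-installation action: call `rotate_machine_key` once for each site so that no two installations end up with the same keys, and keep the result identical only across the servers of a single web farm, which must share one key to validate each other’s ViewState. Replacing the key invalidates any ViewState and forms-authentication tickets issued under the old one, so users of that site will need to reload pages and sign in again.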
This incident underscores the ongoing challenges enterprises face in cybersecurity, emphasizing the need for vigilance and proactive security strategies to safeguard against evolving threats.
