Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Target KnowledgeDeliver Zero-Day Vulnerability

Hackers Target KnowledgeDeliver Zero-Day Vulnerability

Posted on May 26, 2026 By CWS

In a recent cybersecurity development, threat actors have taken advantage of a zero-day vulnerability within the KnowledgeDeliver platform to deploy web shells and backdoors, as reported by Mandiant, a Google-owned cybersecurity firm.

KnowledgeDeliver, developed by Digital Knowledge, is a learning management system frequently utilized in Japanese corporate and educational settings. The vulnerability, identified as CVE-2026-5426, carries a CVSS score of 7.5 and stems from the use of a standardized ‘web.config’ file with hardcoded ‘machineKey’ values in these deployments.

Understanding the Exploited Vulnerability

The core issue lies in the hardcoded ‘machineKey’ values used by the ASP.NET framework for encrypting and signing data. Such values across different installations have permitted attackers to compromise systems by executing ViewState deserialization attacks.

Mandiant explains that ASP.NET’s ViewState feature maintains page state across postbacks. When attackers know the ‘machineKey,’ they can craft malicious ViewState payloads, which, when sent via HTTP requests, prompt servers to deserialize them, leading to potential system compromise.

Consequences of the Zero-Day Exploit

This attack vector is not entirely new, having been observed in other platforms like Sitecore and CentreStack. However, in this instance, it resulted in the use of Godzilla web shells, also known as Bluebeam. These shells, injected directly into memory, enable attackers to execute further commands and payloads on compromised machines.

The attackers utilized Godzilla to alter access permissions within the web application directory and modify JavaScript files to load harmful scripts. This included displaying fake security alerts to users, prompting them to install deceptive plugins.

Recommendations and Future Measures

Ultimately, the systems were compromised with a Cobalt Strike backdoor, encrypted with a key unique to the targeted organization, indicating a tailored attack strategy. Mandiant has issued indicators of compromise (IoCs) to assist organizations in identifying potential intrusions.

To mitigate these risks, Mandiant advises organizations to rotate their machine keys regularly and limit access to their LMS. It’s crucial for all KnowledgeDeliver deployments prior to February 24, 2026, to be aware of their vulnerability and take appropriate protective measures.

This incident underscores the ongoing challenges enterprises face in cybersecurity, emphasizing the need for vigilance and proactive security strategies to safeguard against evolving threats.

Security Week News Tags:ASP.NET, Cobalt Strike, Cybersecurity, Godzilla, KnowledgeDeliver, LMS security, Mandiant, ViewState, web shells, zero-day

Post navigation

Previous Post: NightSpire Ransomware Exploits RDP for Covert Operations
Next Post: Ghost CMS Vulnerability Exploited in Widespread Malware Attack

Related Posts

Google DeepMind’s New AI Agent Finds and Fixes Vulnerabilities  Google DeepMind’s New AI Agent Finds and Fixes Vulnerabilities  Security Week News
Progress Releases Vital Patches for MOVEit and LoadMaster Progress Releases Vital Patches for MOVEit and LoadMaster Security Week News
CISA Faces Challenges Amid DHS Shutdown CISA Faces Challenges Amid DHS Shutdown Security Week News
Critical Vulnerability Patched in SAP NetWeaver Critical Vulnerability Patched in SAP NetWeaver Security Week News
VS Code Flaws in GitHub Codespaces Risk Supply Chain Attacks VS Code Flaws in GitHub Codespaces Risk Supply Chain Attacks Security Week News
Unlock Cybersecurity Insights: On-Demand Summit Access Unlock Cybersecurity Insights: On-Demand Summit Access Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • WhatsApp Exploit Turns OpenClaw into Hacker Tool
  • Critical U-Boot Vulnerabilities Discovered in Firmware Security
  • Critical Security Alert for ShareFile Admins: Server Shutdown Advised
  • ShareFile Users Advised to Shut Down Controllers Amid Security Alert
  • New Windows Attack Method Evades Leading Security Tools

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • WhatsApp Exploit Turns OpenClaw into Hacker Tool
  • Critical U-Boot Vulnerabilities Discovered in Firmware Security
  • Critical Security Alert for ShareFile Admins: Server Shutdown Advised
  • ShareFile Users Advised to Shut Down Controllers Amid Security Alert
  • New Windows Attack Method Evades Leading Security Tools

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark