A now-patched flaw in Digital Knowledge’s KnowledgeDeliver learning management system was used as a zero-day to deliver the Godzilla web shell and later Cobalt Strike Beacon, according to a technical analysis by Google Mandiant and Google Threat Intelligence Group. The issue, tracked as CVE-2026-5426 with a CVSS score of 7.5, affected deployments before Feb. 24, 2026.
KEY FACTS
- Flaw: Hard-coded ASP.NET machine keys allowed unauthenticated remote code execution through ViewState deserialization.
- Impact: Attackers deployed the Godzilla web shell, then used it to support later payload delivery.
- Follow-on activity: The compromise included file permission changes, web script tampering, and a fake security prompt.
- Targeting: The payload was encrypted with a key using the name of the compromised organization.
KnowledgeDeliver installations used a standardized web.config file that contained hard-coded machineKey values. Those keys were used by ASP.NET to encrypt and sign data, including ViewState payloads, which meant one exposed set of keys could be reused against other internet-facing deployments.
When the machineKey is known, a threat actor can craft a malicious ViewState payload and send it in the __VIEWSTATE parameter. The server then deserializes the payload, which can lead to code execution.
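The root cause here is a configuration defect rather than a code bug: a static machineKey copied into every customer's web.config. The script below is an added example (it is not from the report and not KnowledgeDeliver's real configuration) showing how a defender can audit a fleet of web.config files for the condition: it parses each file's machineKey element, flags static validationKey/decryptionKey values and weak validation algorithms, fingerprints the validation key so that the same secret appearing in more than one deployment is reported as shared, and generates a fresh, deployment-unique replacement. The three sample configs and their key values are constructed for the example.

```python
"""Audit ASP.NET web.config files for hard-coded or shared <machineKey> values.

Added example (not vendor code). The sample configs below are constructed:
deployments A and B ship identical static keys, as a vendor-standardized
web.config would; deployment C lets ASP.NET generate per-machine keys.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

SHARED_VALIDATION_KEY = "0123456789ABCDEF" * 8   # constructed 128-hex-char key
SHARED_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # constructed 64-hex-char key


def _config_with(validation_key, decryption_key, validation="SHA1"):
    """Build a minimal web.config string around one <machineKey> element."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
        f'validation="{validation}" decryption="AES" />'
        "</system.web></configuration>"
    )


SAMPLE_CONFIGS = {
    "deployment-a/web.config": _config_with(SHARED_VALIDATION_KEY, SHARED_DECRYPTION_KEY),
    "deployment-b/web.config": _config_with(SHARED_VALIDATION_KEY, SHARED_DECRYPTION_KEY),
    "deployment-c/web.config": _config_with("AutoGenerate,IsolateApps",
                                            "AutoGenerate,IsolateApps", "HMACSHA256"),
}


def parse_machine_key(xml_text):
    """Return the attributes of <system.web><machineKey>, or None if the element is absent."""
    root = ET.fromstring(xml_text)
    node = root.find("./system.web/machineKey")
    return None if node is None else dict(node.attrib)


def audit_machine_keys(configs):
    """Flag static keys, weak MAC algorithms, and validation keys reused across deployments.

    Returns a list of (path, severity, message) tuples.
    """
    findings = []
    key_owners = {}  # fingerprint of a static validationKey -> paths that carry it
    for path, text in configs.items():
        attrs = parse_machine_key(text)
        if attrs is None:
            continue  # no element: ASP.NET defaults to AutoGenerate,IsolateApps
        for name in ("validationKey", "decryptionKey"):
            value = attrs.get(name, "AutoGenerate,IsolateApps")
            if value.startswith("AutoGenerate"):
                continue
            findings.append((path, "HIGH",
                             f"static {name}: anyone holding this config can sign or encrypt ViewState"))
            if name == "validationKey":
                fp = hashlib.sha256(value.encode()).hexdigest()[:16]
                key_owners.setdefault(fp, []).append(path)
        if attrs.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
            findings.append((path, "MEDIUM",
                             f"validation={attrs['validation']}: use HMACSHA256 or stronger"))
    for fp, paths in key_owners.items():
        if len(paths) > 1:
            findings.append((";".join(paths), "CRITICAL",
                             f"validationKey fingerprint {fp} is shared by {len(paths)} deployments"))
    return findings


def generate_machine_key():
    """Produce a fresh, deployment-unique <machineKey> element (HMACSHA256 + AES).

    Returns (validation_key, decryption_key, element_xml).
    """
    validation_key = secrets.token_hex(64).upper()  # 64 random bytes for HMACSHA256
    decryption_key = secrets.token_hex(32).upper()  # 32 random bytes for AES-256
    element = (f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
               'validation="HMACSHA256" decryption="AES" />')
    return validation_key, decryption_key, element


if __name__ == "__main__":
    for path, severity, message in audit_machine_keys(SAMPLE_CONFIGS):
        print(f"[{severity}] {path}: {message}")
    print("replacement element:", generate_machine_key()[2])
```

Run against the constructed fleet, the audit reports the static keys in deployments A and B, their SHA1 validation setting, and one CRITICAL finding that the same validation key is present in both; deployment C produces nothing. A web farm legitimately needs the same key on every node, but that key should be generated once per organization (as generate_machine_key does) and never taken from a product's shipped default config.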
In the activity tied to the flaw, attackers granted Everyone full access to the web application directory and modified an application JavaScript file to show a fake security alert that urged users to install a security authentication plugin. The altered page then loaded a malicious script from an attacker-controlled domain and pushed users toward a fake installer.
The report said the fake installer ultimately infected victim machines with Cobalt Strike Beacon. It also noted that similar problems in Sitecore Experience Manager, Gladinet CentreStack and TrioFox have been exploited by threat actors.
WHY IT MATTERS
The case shows how shared deployment secrets can turn a single exposed key into a wider risk across many installations. Using unique, per-deployment secrets and monitoring internet-facing endpoints can reduce the chance of the same type of deserialization attack.