KnowledgeDeliver flaw exploited as a zero-day to install web shells
Publish Date: 2026-05-26 16:07:31
Source Domain: www.bleepingcomputer.com
Hackers exploited a critical zero-day vulnerability in KnowledgeDeliver’s learning management system (LMS) to deploy the Godzilla web shell. The vulnerability, identified as CVE-2026-5426, stemmed from a hardcoded machine key shared across all KnowledgeDeliver deployments, which allowed remote code execution without authentication. ASP.NET uses the machine key to validate ViewState, so anyone holding the key can produce ViewState that the server accepts and deserializes. Threat actors gained access to the machine key and exploited ViewState deserialization, deploying a malicious script into the web platform. The script tricked users into downloading a fake installer, leading to the installation of a Cobalt Strike beacon, a backdoor. The Godzilla web shell was then deployed, enabling the attacker to escalate control over the server’s file system and push further malicious scripts disguised as legitimate software. This exploit mirrors similar attacks targeting ASP.NET environments in the financial sector.
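The following audit is an added example, not code from the article or the vendor: it parses ASP.NET `web.config` files, flags `machineKey` elements that hold literal key material, and marks configs whose key also appears on another host, which is the shared-key condition described above. The host paths and key values are constructed samples, and the report uses a hash fingerprint so the key itself is never printed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs; hosts and key values are made up for illustration.
SAMPLES = {
    "host-a/web.config": '<configuration><system.web><machineKey '
        'validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90" '
        'decryptionKey="00112233445566778899AABBCCDDEEFF" /></system.web></configuration>',
    "host-b/web.config": '<configuration><location path="app"><system.web><machineKey '
        'validationKey="a1b2c3d4e5f60718293a4b5c6d7e8f90" '
        'decryptionKey="00112233445566778899aabbccddeeff" /></system.web></location></configuration>',
    "host-c/web.config": '<configuration><system.web><machineKey '
        'validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />'
        '</system.web></configuration>',
    "host-d/web.config": '<configuration><system.web /></configuration>',
}

def static_keys(xml_text):
    """Return {attribute: value} for machineKey attributes holding literal key material."""
    found = {}
    for node in ET.fromstring(xml_text).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = node.get(attr, "").strip()
            # "AutoGenerate[,IsolateApps]" means the runtime creates a per-machine key.
            if value and not value.lower().startswith("autogenerate"):
                found[attr] = value
    return found

def fingerprint(keys):
    """Hash normalized key material so reports never contain the secret itself."""
    material = "|".join(f"{k}={keys[k].upper()}" for k in sorted(keys))
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def audit(configs):
    """Map each config with a hardcoded key to 'static' or 'shared' (same key seen elsewhere)."""
    by_fp = defaultdict(list)
    for path, text in configs.items():
        keys = static_keys(text)
        if keys:
            by_fp[fingerprint(keys)].append(path)
    return {p: ("shared" if len(paths) > 1 else "static")
            for paths in by_fp.values() for p in paths}

if __name__ == "__main__":
    for path, verdict in sorted(audit(SAMPLES).items()):
        print(f"{path}: hardcoded machineKey ({verdict})")
```

In practice the input would be the `web.config` files collected from each server; a `shared` verdict across independently deployed hosts is the finding to escalate.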