KnowledgeDeliver CVE-2026-5426 is now a practical incident-response issue for organizations running the Japanese learning management system (LMS) on internet-facing IIS servers. Mandiant reports that attackers abused shared ASP.NET machine keys in older KnowledgeDeliver deployments to craft malicious ViewState payloads, gain unauthenticated remote code execution, and deploy the Godzilla/BLUEBEAM in-memory web shell.[1]

The case matters because the vulnerable condition was not a normal “forgot to patch one box” bug. Mandiant found that KnowledgeDeliver installations deployed before February 24, 2026 could rely on a standardized web.config with identical machineKey values across customer environments.[1] ASP.NET uses the machineKey validationKey to check the MAC on incoming ViewState before deserializing it, so that MAC is the only check standing between an unauthenticated request and the deserializer. If one key became known, any reachable instance using that same secret would accept attacker-signed ViewState as genuine and deserialize whatever it carried.
In the incident Mandiant investigated, the intrusion started in late 2025 as a zero-day compromise of a KnowledgeDeliver web server. After gaining code execution, the threat actor modified application files and added malicious JavaScript that pushed users toward a fake “security authentication plugin.” The fake installer then delivered a Cobalt Strike BEACON backdoor to visitor workstations, turning a trusted learning portal into a malware delivery path.[1]
Mandiant’s advisory for CVE-2026-5426 rates the impact as high: an unauthenticated attacker who holds the pre-shared ASP.NET machine key can bypass ViewState validation and execute code remotely. The impacted configuration is narrow but serious: KnowledgeDeliver is reachable by the attacker, and the organization has not replaced the default shared machine key with a unique, cryptographically strong value.[2]
For howtofix.guide readers, the useful takeaway is that this belongs in the same response bucket as other web-facing application compromises: patch status alone is not enough if secrets were reused or already exposed. We saw a similar operational lesson in the recent Ghost CMS ClickFix campaign, where compromised publishing systems became visitor-facing malware lures. The post-exploitation stage also overlaps with incidents that use commodity frameworks such as Cobalt Strike, as seen in our earlier SonicWall VPN exploitation coverage.
What administrators should check now
Administrators should first confirm whether any KnowledgeDeliver instance was deployed before February 24, 2026 and whether its ASP.NET machineKey values are unique to that deployment. Mandiant’s primary remediation is direct: generate a new, unique, cryptographically strong machine key for each instance. That is the step that invalidates the shared secret. Two practical caveats: in a load-balanced deployment every node of the same application must carry the same new key (while still differing from every other organization’s), and rotating the key invalidates outstanding ViewState and other machineKey-protected tokens, so expect users to re-authenticate. Where possible, restrict access to the LMS to known organizational IP ranges while the investigation is underway.[1]
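The audit and rotation step above, as an added example that is not part of Mandiant’s guidance or the vendor’s tooling: a Python script that reads several web.config files, reports machineKey values shared between instances or using weak algorithms, and emits a fresh <machineKey> element. The instance names and key strings are constructed placeholders with realistic lengths, not real KnowledgeDeliver values; the 64-byte validationKey and 32-byte decryptionKey sizes follow Microsoft’s guidance for HMACSHA256 and AES.

```python
"""Audit machineKey values across several web.config files and generate a unique
replacement. Added example; not vendor, Mandiant, or Microsoft code."""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments for four hypothetical instances. The key
# strings are synthetic placeholders with the right lengths, not real values.
SHARED_VALIDATION = "0123456789ABCDEF" * 8   # 128 hex chars = 64-byte HMACSHA256 key
SHARED_DECRYPTION = "FEDCBA9876543210" * 4   # 64 hex chars = 32-byte AES key


def _config(validation_key, decryption_key, validation="HMACSHA256", decryption="AES"):
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
        f'validation="{validation}" decryption="{decryption}" />'
        "</system.web></configuration>"
    )


SAMPLE_CONFIGS = {
    "lms-a/web.config": _config(SHARED_VALIDATION, SHARED_DECRYPTION),          # shared default
    "lms-b/web.config": _config(SHARED_VALIDATION, SHARED_DECRYPTION, "SHA1"),  # shared + weak MAC
    "lms-c/web.config": _config("A5" * 64, "5A" * 32),                          # unique, fine
    "lms-d/web.config": "<configuration><system.web /></configuration>",       # auto-generated
}

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}


def extract_machine_key(xml_text):
    """Return the <machineKey> attributes as a dict, or None when the element is absent."""
    node = ET.fromstring(xml_text).find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else None


def audit_machine_keys(configs):
    """Return findings: keys shared between instances, weak algorithms, and
    instances relying on ASP.NET's auto-generated per-machine key."""
    findings = []
    by_value = {"validationKey": defaultdict(list), "decryptionKey": defaultdict(list)}
    for path, text in configs.items():
        mk = extract_machine_key(text)
        if mk is None:
            findings.append(f"{path}: no explicit machineKey (auto-generated per machine)")
            continue
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(f"{path}: weak validation algorithm {mk['validation']}")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append(f"{path}: weak decryption algorithm {mk['decryption']}")
        for attr, groups in by_value.items():
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):   # explicit hex key: check for sharing
                groups[value.upper()].append(path)
    for attr, groups in by_value.items():
        for paths in groups.values():
            if len(paths) > 1:
                findings.append(f"SHARED {attr} across {', '.join(sorted(paths))}")
    return sorted(findings)


def generate_machine_key_element():
    """Emit a <machineKey> element with fresh CSPRNG keys, hex-encoded as web.config
    expects: 64 bytes for the HMACSHA256 validationKey, 32 bytes for the AES decryptionKey."""
    validation_key = secrets.token_bytes(64).hex().upper()
    decryption_key = secrets.token_bytes(32).hex().upper()
    return (f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    for finding in audit_machine_keys(SAMPLE_CONFIGS):
        print(finding)
    print("\nFresh element (generate one per deployment):")
    print(generate_machine_key_element())
```

Point the script at the real web.config of every instance you operate; any SHARED finding means those deployments still accept each other’s ViewState signatures. Generate one fresh element per deployment, install the same element on every node of that deployment, and never reuse it across organizations.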
Do not stop at key rotation. Review the Windows Application log for ASP.NET Event ID 1316 entries with ViewState integrity or invalid-ViewState messages, especially around public-facing login, lesson, file, and administration paths. A failed integrity check means the MAC did not verify and can indicate probing with the wrong key; a Viewstate-was-invalid message typically means the MAC passed and the payload failed afterwards, which may indicate that deserialization was attempted. Mandiant also recommends watching for suspicious child processes of w3wp.exe, including cmd.exe, whoami, and powershell.exe.[1]
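The two log checks above, as an added example that is not Mandiant’s detection content: Python that runs over a handful of constructed event records shaped like Event Viewer and Sysmon exports, groups ASP.NET Event ID 1316 failures by client IP, and lists suspicious child processes of w3wp.exe. The field names (EventID, Message, ClientIP, RequestPath, ParentImage, Image, User), the probe threshold, and the addition of icacls.exe to the watch list are assumptions to adapt to your own export format and baseline; real 1316 events carry the client IP and path inside the message text, so a real export needs a small parsing step first.

```python
"""Triage exported Windows event records for ViewState probing (ASP.NET Event ID 1316)
and suspicious w3wp.exe child processes (Sysmon Event ID 1). Added example, not
Mandiant's detection content; field names are assumptions modeled on Event Viewer
and Sysmon exports."""
import ntpath
from collections import Counter, defaultdict

# ASP.NET's two ViewStateException reasons, matched case-insensitively.
INTEGRITY_PHRASE = "failed integrity check"   # MAC did not verify: wrong key, or probing
INVALID_PHRASE = "viewstate was invalid"       # MAC passed, payload failed afterwards
PROBE_THRESHOLD = 3                            # assumption: tune to your own baseline

# cmd.exe, whoami and powershell.exe follow the Mandiant guidance quoted above;
# icacls.exe is added here because the same report describes the actor running icacls.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "icacls.exe"}

# Constructed records (not real telemetry). ClientIP and RequestPath are pre-split fields.
EVENTS = [
    {"Channel": "Application", "EventID": 1316, "ClientIP": "203.0.113.7", "RequestPath": "/Login.aspx",
     "Message": "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."},
    {"Channel": "Application", "EventID": 1316, "ClientIP": "203.0.113.7", "RequestPath": "/Login.aspx",
     "Message": "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."},
    {"Channel": "Application", "EventID": 1316, "ClientIP": "203.0.113.7", "RequestPath": "/Admin/Default.aspx",
     "Message": "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."},
    {"Channel": "Application", "EventID": 1316, "ClientIP": "203.0.113.7", "RequestPath": "/Login.aspx",
     "Message": "Viewstate verification failed. Reason: Viewstate was invalid."},
    # One stale-session failure from an ordinary user: below threshold, not flagged.
    {"Channel": "Application", "EventID": 1316, "ClientIP": "198.51.100.20", "RequestPath": "/Lesson.aspx",
     "Message": "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."},
    # Sysmon process creations (EventID 1).
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"IIS APPPOOL\KnowledgeDeliver"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64>", "User": r"IIS APPPOOL\KnowledgeDeliver"},
    # Normal: ASP.NET dynamic compilation spawns csc.exe from w3wp.exe; not in the watch list.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths", "User": r"IIS APPPOOL\KnowledgeDeliver"},
    # Normal: an admin's interactive PowerShell, parent is explorer.exe.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe", "User": r"CORP\admin"},
]


def classify_viewstate_event(message):
    """Map an Event 1316 message to 'integrity_failure', 'invalid_viewstate' or 'other'."""
    lowered = message.lower()
    if INTEGRITY_PHRASE in lowered:
        return "integrity_failure"
    if INVALID_PHRASE in lowered:
        return "invalid_viewstate"
    return "other"


def viewstate_probes(events, threshold=PROBE_THRESHOLD):
    """Group 1316 events by client IP. Flag an IP when it reaches the failure threshold
    or produced any invalid-ViewState message (MAC passed, payload failed afterwards)."""
    counts = defaultdict(Counter)
    paths = defaultdict(set)
    for ev in events:
        if ev.get("Channel") != "Application" or ev.get("EventID") != 1316:
            continue
        ip = ev.get("ClientIP", "unknown")
        counts[ip][classify_viewstate_event(ev.get("Message", ""))] += 1
        paths[ip].add(ev.get("RequestPath", "unknown"))
    flagged = {}
    for ip, kinds in counts.items():
        if sum(kinds.values()) >= threshold or kinds["invalid_viewstate"]:
            flagged[ip] = {"counts": dict(kinds), "paths": sorted(paths[ip])}
    return flagged


def suspicious_w3wp_children(events):
    """Return Sysmon process creations whose parent is w3wp.exe and whose image is in
    SUSPICIOUS_CHILDREN. csc.exe and other normal ASP.NET children are ignored."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or not ev.get("Channel", "").endswith("Sysmon/Operational"):
            continue
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append({"child": child, "cmdline": ev.get("CommandLine", ""), "user": ev.get("User", "")})
    return hits


if __name__ == "__main__":
    for ip, detail in viewstate_probes(EVENTS).items():
        print(f"ViewState probing from {ip}: {detail}")
    for hit in suspicious_w3wp_children(EVENTS):
        print(f"w3wp.exe spawned {hit['child']} as {hit['user']}: {hit['cmdline']}")
```

The single invalid-ViewState message is what escalates 203.0.113.7 from “noisy” to “investigate”: with a shared key the attacker does not need many attempts, so a low count of integrity failures followed by one invalid-ViewState entry from the same source is a stronger signal than a long run of failures alone.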
File integrity checks matter as well. Compare the .js, .aspx, and .config files under the web root against a known-good copy (a clean vendor package or a pre-incident backup) and look for unexpected changes. In the observed attack, the actor used icacls to loosen permissions and then altered JavaScript so users would see a fake security prompt. This is the part that can keep hurting visitors even after the server-side weakness is corrected, so the web assets need cleaning, not only the key.
Mandiant lists one public hash for the BLUEBEAM/Godzilla component: 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2 for LoadLibrary.dll.[1] Treat a hit as a confirmed compromise signal, but do not treat a clean hash search as proof of safety; in-memory web shells and tailored payloads often leave little traditional file evidence. If you find ViewState anomalies, suspicious w3wp.exe process trees, or modified web assets, isolate the server, preserve logs, rotate secrets, and inspect downstream endpoints that visited the tampered LMS pages.
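The file integrity and hash checks above, as an added example that is not vendor or Mandiant tooling: Python that snapshots SHA-256 hashes of .js, .aspx, .config and .dll files under a web root, diffs two snapshots, and looks each current hash up against the published LoadLibrary.dll hash. The demo web root, its contents, and the tampering it simulates are constructed in a temporary directory; the only real value in the block is the hash from the report.

```python
"""Snapshot-and-diff check for web-root files, with a lookup against the LoadLibrary.dll
hash Mandiant published. Added example, not vendor or Mandiant tooling; the demo web
root is built in a temp directory with constructed content."""
import hashlib
import os
import tempfile

WATCHED_SUFFIXES = (".js", ".aspx", ".config", ".dll")  # .dll so a dropped loader in bin shows up
KNOWN_BAD_SHA256 = {
    # From the Mandiant report cited above.
    "7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2": "LoadLibrary.dll (BLUEBEAM/Godzilla)",
}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(web_root):
    """Map each watched file's path (relative, forward slashes) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                result[rel] = sha256_file(full)
    return result


def diff_snapshots(baseline, current):
    """Report added, removed and modified files, plus any file whose hash is a known IOC."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    ioc_hits = {p: KNOWN_BAD_SHA256[h] for p, h in current.items() if h in KNOWN_BAD_SHA256}
    return {"added": added, "removed": removed, "modified": modified, "ioc_hits": ioc_hits}


def build_demo_root():
    """Constructed clean web root: a vendor script, a page and a web.config."""
    root = tempfile.mkdtemp(prefix="kd-webroot-")
    os.makedirs(os.path.join(root, "Scripts"))
    os.makedirs(os.path.join(root, "bin"))
    files = {
        "Scripts/site.js": "// vendor script (constructed)\n",
        "Default.aspx": '<%@ Page Language="C#" %>\n',
        "web.config": "<configuration />\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)
    return root


def simulate_tampering(root):
    """Mimic the observed pattern: JavaScript edited in place, a DLL dropped into bin."""
    with open(os.path.join(root, "Scripts", "site.js"), "a") as fh:
        fh.write("// injected fake 'security plugin' prompt (constructed)\n")
    with open(os.path.join(root, "bin", "LoadLibrary.dll"), "wb") as fh:
        fh.write(b"MZ placeholder bytes, not the real sample")


def run_demo():
    """Baseline a clean root, tamper with it, and return the diff."""
    root = build_demo_root()
    baseline = snapshot(root)
    simulate_tampering(root)
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real server, take the baseline from the clean vendor package or a pre-incident backup rather than from the suspect host, and read an empty ioc_hits as “no known file found”, not as “clean”: the in-memory web shell described above may leave no file change at all, which is why the log and process checks belong alongside this one.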
The broader pattern is not limited to this one LMS. Public web apps that accept signed state, cookies, or serialized data are high-value targets when signing keys are reused or leaked. That is why teams should keep an inventory of externally reachable IIS applications and review key-management assumptions, not only CVE lists. Similar web-facing exploit windows have driven urgent response for other enterprise platforms, including our recent Microsoft Exchange OWA exploitation report.
References
- Mandiant / Google Cloud, “Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability,” May 25, 2026 (cloud.google.com).
- Mandiant Vulnerability Disclosures, “MNDT-2026-0009,” advisory for CVE-2026-5426 (github.com).
- BleepingComputer, “KnowledgeDeliver flaw exploited as a zero-day to install web shells,” May 26, 2026 (bleepingcomputer.com).