Full Report
Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell. [...]
Analysis Summary
# Vulnerability: KnowledgeDeliver LMS ViewState Deserialization
## CVE Details
- **CVE ID:** CVE-2026-5426
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data) / CWE-798 (Use of Hardcoded Credentials)
## Affected Systems
- **Products:** KnowledgeDeliver Learning Management System (LMS)
- **Versions:** All installations deployed before February 24, 2026.
- **Configurations:** Systems relying on the vendor-provided standardized `web.config` file.
## Vulnerability Description
The vulnerability exists because identical, hardcoded ASP.NET `machineKey` values were shipped in the vendor's standardized `web.config` across many customer deployments. The `machineKey` element holds the `validationKey`, which ASP.NET uses to compute the MAC proving that a ViewState blob was produced by the server, and the `decryptionKey`, which encrypts ViewState and other protected data such as forms-authentication tickets. Because those keys are static and shared, an unauthenticated attacker who knows them can serialize a malicious ViewState payload, sign it with the shared `validationKey`, and submit it in an ordinary POST to any `.aspx` page. The server's MAC check passes, the tampered ViewState is deserialized, and the embedded gadget chain executes, giving Remote Code Execution (RCE) on the underlying host in the context of the IIS application pool identity.
## Exploitation
- **Status:** Exploited in the wild as a zero-day.
- **Complexity:** Low (the key is static and shared across deployments, so no per-target secret has to be recovered).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full access to server data and files).
- **Integrity:** High (Attackers modified JavaScript files and deployed malware).
- **Availability:** High (Potential for full system takeover or disruption).
## Remediation
### Patches
- KnowledgeDeliver deployments installed or updated **after February 24, 2026** ship with per-installation configuration files containing unique `machineKey` values, which addresses this issue.
- Customers should confirm with the vendor that their `web.config` contains unique, cryptographically strong `machineKey` values; an installation date after the fix is not sufficient evidence on its own if an older `web.config` was carried over during an upgrade.
### Workarounds
- Generate unique `machineKey` values (a 64-byte `validationKey` with `validation="HMACSHA256"` and a 32-byte `decryptionKey` with `decryption="AES"`) and set them in the ASP.NET `web.config`. Rotating the keys invalidates outstanding ViewState and forms-authentication tickets for active sessions, and in a web farm the same new values must be applied to every node.
- Restrict access to the LMS portal by source IP (or place it behind a VPN) while remediation is underway; ViewState forgery needs only a reachable `.aspx` endpoint, so exposure matters even for pages that require no login.
## Detection
- **Indicators of Compromise:**
- Presence of the **Godzilla (BlueBeam)** web shell in memory or on the file system.
- Modification of application JavaScript files (e.g., scripts prompting for "security authentication plugin" downloads).
- Outbound connections from the web server to unfamiliar domains consistent with Cobalt Strike beaconing.
- **Detection Methods:**
- Audit `web.config` files for `machineKey` values that are shared across installations or appear in public key lists; compare key fingerprints rather than copying the raw keys into tickets or chat.
- Monitor for unusually large POST requests to `.aspx` pages. IIS does not log request bodies by default, so use the request size field (`cs-bytes`) or a WAF/reverse-proxy log that records the `__VIEWSTATE` parameter length; a forged ViewState carrying a serialized gadget chain is far larger than a normal form post to the same page.
- Scan with EDR/AV for Godzilla/BlueBeam web shell patterns both on disk and in the memory of the IIS worker process (`w3wp.exe`), since the shell may be resident in memory only.
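The following script is an added example, not code from Mandiant, the vendor, or the original advisory. It implements the `web.config` audit listed above and the key rotation listed under Workarounds in one place: it parses a `web.config`, flags a `machineKey` whose fingerprint matches a known shared key or whose algorithms are weak, and rewrites the element with fresh keys from the OS CSPRNG. The sample `web.config`, the patterned key values and the "known shared" fingerprint set are all constructed for illustration; the real shipped keys are not reproduced here.

```python
"""
Added example: audit an ASP.NET web.config for a shared or weak <machineKey>
and rotate it to unique keys.  Sample config and fingerprints are constructed.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-in for a vendor-standardised web.config.  The key values
# are deliberately patterned placeholders, not the real shipped keys.
_SAMPLE_VK = "0123456789ABCDEF" * 8   # 64 bytes hex
_SAMPLE_DK = "FEDCBA9876543210" * 4   # 32 bytes hex
WEAK_WEB_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="{_SAMPLE_VK}"
                decryptionKey="{_SAMPLE_DK}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# SHA-256 fingerprints of keys known to be shared across installs.  In
# practice seed this from the vendor advisory and from the public machineKey
# lists Microsoft warned about; here it holds only the constructed sample key.
KNOWN_SHARED_FINGERPRINTS = {hashlib.sha256(_SAMPLE_VK.encode()).hexdigest()}

WEAK_VALIDATION = {"MD5", "SHA1"}   # HMACSHA256 or stronger is expected
WEAK_DECRYPTION = {"DES", "3DES"}   # AES is expected


def _fingerprint(hex_key: str) -> str:
    return hashlib.sha256(hex_key.strip().upper().encode()).hexdigest()


def audit_machine_key(config_xml: str, known_shared=KNOWN_SHARED_FINGERPRINTS) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    nodes = list(ET.fromstring(config_xml).iter("machineKey"))
    if not nodes:
        # No element: ASP.NET auto-generates per-machine keys, which is safe
        # on a single server (web farms need explicit, identical keys).
        return findings
    mk = nodes[0]
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    if not vk.startswith("AutoGenerate"):
        if _fingerprint(vk) in known_shared:
            findings.append("validationKey matches a known shared/published key")
        if len(vk) < 128:   # 64 bytes is the recommended HMACSHA256 key size
            findings.append(f"validationKey is only {len(vk) // 2} bytes")
    if not dk.startswith("AutoGenerate"):
        if _fingerprint(dk) in known_shared:
            findings.append("decryptionKey matches a known shared/published key")
        if len(dk) not in (32, 48, 64):   # AES-128/192/256
            findings.append(f"decryptionKey length {len(dk) // 2} bytes is not a valid AES size")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append("validation algorithm is weak; use HMACSHA256")
    if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings.append("decryption algorithm is weak; use AES")
    return findings


def generate_machine_key() -> dict:
    """Fresh, per-deployment keys from the OS CSPRNG."""
    return {
        "validationKey": secrets.token_hex(64).upper(),   # 64 bytes for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),   # 32 bytes for AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str, new_keys: dict = None) -> str:
    """Return the config with <machineKey> replaced by unique keys.  Apply the
    same values to every node of a web farm; outstanding ViewState and
    forms-auth tickets become invalid once the new keys are live."""
    new_keys = new_keys or generate_machine_key()
    root = ET.fromstring(config_xml)
    sysweb = next(root.iter("system.web"), None)
    if sysweb is None:
        raise ValueError("no <system.web> section in config")
    for old in list(sysweb.findall("machineKey")):
        sysweb.remove(old)
    ET.SubElement(sysweb, "machineKey", new_keys)
    if hasattr(ET, "indent"):   # Python 3.9+: keep the output readable
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_machine_key(WEAK_WEB_CONFIG):
        print("FINDING:", f)
    print(rotate_machine_key(WEAK_WEB_CONFIG))
```

Fingerprinting the keys (rather than grepping for the literal strings) lets the audit list be shared with other teams without circulating the keys themselves. The sample `web.config` is flagged twice, once for the shared `validationKey` and once for `validation="SHA1"`, and the rotated output passes a re-audit cleanly.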
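As an added example for the log-monitoring method above (not part of the original advisory), the script below parses IIS W3C extended log lines and flags POSTs to `.aspx` pages whose request size is far above the baseline for the same page. IIS does not record the request body, so `cs-bytes` is used as the proxy for an oversized `__VIEWSTATE`; if a WAF or reverse proxy logs the parameter length directly, substitute that field. The log excerpt, IP addresses and paths are constructed, not real traffic.

```python
"""
Added example: flag oversized POSTs to .aspx pages in IIS W3C logs as a
proxy for forged ViewState.  The log excerpt below is constructed.
"""
from statistics import median

# Constructed IIS W3C log excerpt.  Only cs-bytes distinguishes the suspect
# request: a ViewState carrying a serialized gadget chain is typically tens
# of kilobytes, far larger than a normal form post for the same page.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2026-02-20 09:12:01 10.0.0.5 GET /kd/Login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows) 200 18422 611 15
2026-02-20 09:12:07 10.0.0.5 POST /kd/Login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows) 302 412 2390 31
2026-02-20 09:13:44 10.0.0.5 POST /kd/Login.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows) 302 412 2417 28
2026-02-20 09:15:02 10.0.0.5 POST /kd/Login.aspx - 443 - 198.51.100.31 Mozilla/5.0+(Windows) 302 412 2301 30
2026-02-20 09:16:58 10.0.0.5 POST /kd/Login.aspx - 443 - 198.51.100.8 Mozilla/5.0+(Windows) 302 412 2455 29
2026-02-20 09:21:13 10.0.0.5 POST /kd/Login.aspx - 443 - 203.0.113.77 python-requests/2.31 500 3115 61204 412
2026-02-20 09:22:40 10.0.0.5 POST /kd/Upload.aspx - 443 jdoe 198.51.100.10 Mozilla/5.0+(Windows) 200 1024 524288 901
"""


def parse_w3c(text: str) -> list:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) != len(fields):
                continue   # truncated or malformed line; skip rather than misalign
            records.append(dict(zip(fields, values)))
    return records


def _size(record: dict) -> int:
    v = record.get("cs-bytes", "-")
    return int(v) if v.isdigit() else 0   # "-" when the field is not logged


def flag_oversized_posts(records, floor=50_000, factor=5.0, min_baseline=3) -> list:
    """Return POSTs to .aspx pages that exceed an absolute floor and are either
    `factor` times the median POST size for that page or lack a baseline."""
    posts = [r for r in records
             if r.get("cs-method") == "POST"
             and r.get("cs-uri-stem", "").lower().endswith(".aspx")]
    by_path = {}
    for r in posts:
        by_path.setdefault(r["cs-uri-stem"], []).append(_size(r))
    flagged = []
    for r in posts:
        size = _size(r)
        if size < floor:
            continue
        sizes = by_path[r["cs-uri-stem"]]
        if len(sizes) < min_baseline:
            reason = f"{size} bytes, no baseline ({len(sizes)} sample(s) for path)"
        elif size > factor * median(sizes):
            reason = f"{size} bytes vs median {median(sizes):.0f} for path"
        else:
            continue
        flagged.append({**r, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in flag_oversized_posts(parse_w3c(SAMPLE_LOG)):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["reason"])
```

The per-page baseline keeps a legitimately large upload endpoint from drowning out the signal; a page with too few samples to form a baseline is still reported, but with a reason that tells the analyst to widen the window rather than treat it as a confirmed hit. Pair the size check with the status code and user agent: the forged request here returned `500` from a non-browser client, which is the pattern to expect when a gadget chain runs and the page then fails to render.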
## References
- [Mandiant Vulnerability Disclosure: MNDT-2026-0009] - hxxps[://]github[.]com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009[.]md
- [Mandiant Threat Intelligence Report] - hxxps[://]cloud[.]google[.]com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability
- [Microsoft Security Blog: ASP.NET Machine Key Attacks] - hxxps[://]www[.]microsoft[.]com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/