Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment
Threat actors exploited a KnowledgeDeliver zero-day vulnerability to deploy web shells and backdoors. The learning management system is widely used for enterprise and educational e-learning, mainly in Japan. The vulnerability, tracked as CVE-2026-5426 with a CVSS score of 7.5, existed because deployments used a standardized web.config file containing hardcoded ASP.NET machineKey values. Those values enabled attackers to craft malicious ViewState payloads and trigger server deserialization through HTTP requests. The exploitation resulted in Godzilla web shells deployed in memory, allowing command execution and further payload delivery. Attackers then changed web application directory permissions and modified a JavaScript file to load a malicious script that displayed a fake security alert to prompt a user to install a fake plugin. Infected systems ultimately received a Cobalt Strike backdoor.
"The exploited zero-day, tracked as CVE-2026-5426 (CVSS score of 7.5), existed because Digital Knowledge deployments used a standardized 'web.config' file that contained hardcoded 'machineKey' values. These keys are used by the ASP.NET framework for data encryption and signing. The presence of the hardcoded values across independent installations allowed threat actors with knowledge of the keys to compromise other deployments by mounting ViewState deserialization attacks."
"'The ASP.NET ViewState persists page state across postbacks. When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request, the threat actor can make the server deserialize it,' Mandiant explains."
"The KnowledgeDeliver zero-day exploitation, Mandiant says, also led to the deployment of Godzilla web shells (also known as Bluebeam). Deployed in memory, the malware allows threat actors to execute additional commands and payloads on the infected machines. The attackers used Godzilla to modify access permissions to the web application directory and to modify an application JavaScript file to load a malicious script and to display a fake security alert asking the user to install a fake plugin."
"Ultimately, the systems were infected with a Cobalt Strike backdoor. Because the payload was encrypted with a key containing the victim organization's name, Mandiant believes that the backdoor was prepared specificall"
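A defender-side check for the misconfiguration described above, as an added example that is not code from the article, Mandiant or Digital Knowledge: it parses web.config files, flags machineKey elements whose validationKey/decryptionKey are static strings rather than AutoGenerate, and reports key pairs shared across deployments. The host names and key strings are constructed placeholders.

```python
"""Audit ASP.NET web.config files for hardcoded, shared machineKey values.

Added example, not code from the article, Mandiant or Digital Knowledge.
Sample configs, host names and key strings are constructed for illustration.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict


def make_config(validation_key, decryption_key):
    """Build a minimal constructed web.config carrying the given machineKey."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation_key}" '
        f'decryptionKey="{decryption_key}" validation="HMACSHA256" decryption="AES"/>'
        "</system.web></configuration>"
    )


# Constructed deployments: two share one static key pair (the condition the
# article describes), the third lets ASP.NET generate per-server keys.
STATIC_VKEY = "PLACEHOLDER_VALIDATION_KEY_" + "AB" * 16
STATIC_DKEY = "PLACEHOLDER_DECRYPTION_KEY_" + "CD" * 8
SAMPLE_CONFIGS = {
    "lms-a.example": make_config(STATIC_VKEY, STATIC_DKEY),
    "lms-b.example": make_config(STATIC_VKEY, STATIC_DKEY),
    "lms-c.example": make_config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}


def hardcoded_machine_key(config_xml):
    """Return (validationKey, decryptionKey) when they are static strings,
    or None when no machineKey exists or both keys are AutoGenerate."""
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        vkey = mk.get("validationKey", "AutoGenerate")
        dkey = mk.get("decryptionKey", "AutoGenerate")
        if not (vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate")):
            return vkey, dkey
    return None


def audit(configs):
    """Group hosts by a fingerprint of their static key pair. A group with
    more than one host means a key known from one install unlocks the rest."""
    groups = defaultdict(list)
    for host, xml_text in configs.items():
        keys = hardcoded_machine_key(xml_text)
        if keys is not None:
            fingerprint = hashlib.sha256("|".join(keys).encode()).hexdigest()[:16]
            groups[fingerprint].append(host)
    return dict(groups)
```

Remediation is to replace the shared static values with per-server AutoGenerate settings or unique per-deployment keys, then rotate any key that has been distributed in a standard image.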
Read at SecurityWeek