KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
Briefly

A high-severity flaw in Digital Knowledge KnowledgeDeliver was exploited as a zero-day to deliver a Godzilla web shell and enable Cobalt Strike Beacon deployment. The vulnerability, CVE-2026-5426 with a CVSS score of 7.5, enables unauthenticated remote code execution through an ASP.NET ViewState deserialization attack. The root cause is hard-coded ASP.NET machineKey values in a vendor-provided web.config, which are used to encrypt and sign data, including ViewState payloads. If an attacker obtains the machine keys from one deployment, the same keys can be used to compromise other internet-facing instances. Similar ViewState-related issues in other products have also been exploited. The observed activity included injecting malicious code to infect users visiting the site.
"An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site," Google Mandiant and Google Threat Intelligence Group (GTIG) said.
"The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, leading to unauthenticated remote code execution via a ViewState deserialization attack. The abuse of publicly disclosed ASP.NET machine keys by threat actors was first documented by Microsoft in February 2025."
"The problem is rooted in the fact that KnowledgeDeliver installations relied on a standardized web.config file provided by the vendor that contained hard-coded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads. As a result, a threat actor who manages to obtain the keys from one deployment could leverage them to compromise other internet-facing KnowledgeDeliver instances."
"The ASP.NET ViewState persists page state across postbacks," Google said. "When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the threat actor can make the server deserialize it."
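The defensive check that follows from the root cause above is whether several deployments share one machineKey. As an added example (not code from the article, Google or the vendor), this Python audit parses each deployment's web.config, fingerprints its machineKey, reports deployments that share a key, and rewrites a config with fresh per-deployment keys; the host names and key values are constructed dummies.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

def web_config(machine_key_attrs):  # minimal web.config around one <machineKey> (constructed)
    return f"<configuration><system.web><machineKey {machine_key_attrs}/></system.web></configuration>"
# Dummy keys standing in for a vendor-shipped default; not real values.
VENDOR_DEFAULT = ('validationKey="0123456789ABCDEF0123456789ABCDEF" '
                  'decryptionKey="FEDCBA9876543210" validation="SHA1" decryption="AES"')
PER_SERVER = 'validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"'
SAMPLE_FLEET = {  # constructed deployment names
    "lms-prod-01": web_config(VENDOR_DEFAULT),
    "lms-prod-02": web_config(VENDOR_DEFAULT),
    "lms-staging": web_config(PER_SERVER),
}

def machine_key_fingerprint(config_xml):
    """Return (fingerprint, legacy_validation); fingerprint is None when keys are
    AutoGenerate, i.e. unique to the server and not reusable against another one."""
    mk = ET.fromstring(config_xml).find("system.web/machineKey")
    if mk is None:  # no element at all means the AutoGenerate default
        return None, False
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    if vkey.startswith("AutoGenerate") or dkey.startswith("AutoGenerate"):
        return None, False
    fp = hashlib.sha256(f"{vkey.upper()}|{dkey.upper()}".encode()).hexdigest()[:16]
    return fp, mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1")

def find_shared_keys(fleet):
    """Map fingerprint -> deployments sharing it. Any group of two or more means
    keys taken from one host let an attacker forge signed ViewState for the rest."""
    groups = {}
    for name, xml in fleet.items():
        fp, _ = machine_key_fingerprint(xml)
        if fp is not None:
            groups.setdefault(fp, []).append(name)
    return {fp: names for fp, names in groups.items() if len(names) > 1}

def rotate_machine_key(config_xml):
    """Rewrite <machineKey> with fresh random keys (64-byte HMACSHA256 key, 32-byte
    AES key) so this deployment no longer shares the vendor default."""
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:  # assumes <system.web> exists; add the element to it
        mk = ET.SubElement(root.find("system.web"), "machineKey")
    mk.attrib.update(validationKey=secrets.token_hex(64).upper(),
                     decryptionKey=secrets.token_hex(32).upper(),
                     validation="HMACSHA256", decryption="AES")
    return ET.tostring(root, encoding="unicode")
```

Rotating the key invalidates outstanding ViewState and forms-authentication tickets and must be applied identically to every node of one web farm; a rotated key still has to be kept out of any config file that is copied between deployments.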
Read at The Hacker News