KnowledgeDeliver flaw exploited as a zero-day to install web shells

Mandiant reported that attackers exploited CVE-2026-5426 in KnowledgeDeliver LMS servers as a zero-day to deploy the Godzilla web shell and gain remote code execution through ViewState deserialization. The intrusion relied on reused ASP.NET machine keys, led to fake software installation prompts and Cobalt Strike infection, and was tailored to the targeted organization.

Keypoints

  • CVE-2026-5426 is a critical unauthenticated deserialization flaw in KnowledgeDeliver LMS.
  • Attackers abused hardcoded ASP.NET machine keys to sign malicious ViewState payloads.
  • The zero-day was used to inject malicious code and achieve OS-level remote code execution.
  • Mandiant found the Godzilla web shell deployed on compromised KnowledgeDeliver servers.
  • The intrusion also installed Cobalt Strike and modified JavaScript to lure users into fake plugin installs.
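
For defenders, the machine-key reuse described above can be checked across a server fleet. The following is an added example, not code from Mandiant or the vendor: it audits generic ASP.NET `web.config` contents for statically configured `machineKey` values and groups hosts that share the same keys. The host names and key values are constructed placeholders, and it assumes the configs have already been collected.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config samples; host names and key values are placeholders.
STATIC = ('<configuration><system.web><machineKey validationKey="{v}" '
          'decryptionKey="{d}" validation="HMACSHA256" decryption="AES"/>'
          '</system.web></configuration>')
AUTO = "AutoGenerate,IsolateApps"
SAMPLE_CONFIGS = {
    "lms-a": STATIC.format(v="AAAA1111", d="BBBB2222"),
    "lms-b": STATIC.format(v="AAAA1111", d="BBBB2222"),  # same keys as lms-a
    "lms-c": STATIC.format(v="CCCC3333", d="DDDD4444"),  # static but unique
    "lms-d": STATIC.format(v=AUTO, d=AUTO),              # per-server generated keys
    "lms-e": "<configuration><system.web/></configuration>",  # no machineKey
}

def static_key_fingerprint(config_xml):
    """Return a short hash of a static machineKey, or None if auto-generated or absent."""
    node = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if node is None:
        return None
    vk = node.get("validationKey", "AutoGenerate")
    dk = node.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
        return None
    # Hash the pair so the report never contains the key material itself.
    return hashlib.sha256(f"{vk}|{dk}".encode()).hexdigest()[:16]

def audit(configs):
    """Group hosts by key fingerprint; a shared fingerprint means reused keys."""
    groups = defaultdict(list)
    for host, config_xml in configs.items():
        fp = static_key_fingerprint(config_xml)
        if fp is not None:
            groups[fp].append(host)
    return [("REUSED" if len(hosts) > 1 else "STATIC", fp, sorted(hosts))
            for fp, hosts in sorted(groups.items())]

if __name__ == "__main__":
    for status, fp, hosts in audit(SAMPLE_CONFIGS):
        print(f"{status:6} key-fingerprint={fp} hosts={','.join(hosts)}")
```

Any `REUSED` group means a key recovered from one server validates ViewState on every host in that group, so those keys should be rotated to unique values.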

Read More: https://www.bleepingcomputer.com/news/security/knowledgedeliver-flaw-exploited-as-a-zero-day-to-install-web-shells/