Takahiro Sugiyama

**Name of the Vulnerable Software and Affected Versions** Digital Knowledge KnowledgeDeliver versions prior to February 24, 2026 **Description** Hard-coded ASP.NET/IIS machineKey values in standardized web.config files allow unauthenticated remote code execution. Attackers can use these shared keys to craft malicious payloads and circumvent ViewState validation mechanisms via deserialization attacks, specifically targeting the ` VIEWSTATE` parameter in HTTP requests. ViewState is a mechanism used by ASP.NET to preserve page state between requests. Real-world incidents involved the deployment of the BLUEBEAM (Godzilla) in-memory web shell, which operates within the IIS worker process to evade detection. Attackers further escalated privileges and moved laterally by injecting malicious JavaScript into application files to trick users into installing fake security plugins, which subsequently delivered Cobalt Strike beacons. Some payloads were specifically encrypted using the victim organization's name, indicating targeted attacks. **Recommendations** For versions prior to February 24, 2026, update the software to the latest patched version. Rotate machine keys immediately to ensure each deployment uses a unique, secure key. Restrict access to the LMS to known and trusted IP ranges. Implement runtime segmentation to limit potential lateral movement within the network.