PT-2026-33340 · Digital Knowledge · Knowledgedeliver

Mathew Potaczek +2 · Published 2026-04-16 · Updated 2026-05-27 · CVE-2026-5426

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Digital Knowledge KnowledgeDeliver versions prior to February 24, 2026

Description

A critical security flaw exists in the KnowledgeDeliver Learning Management System (LMS) due to the use of hard-coded ASP.NET machineKey values within a standardized web.config file. Because every installation shares the same secret, unauthenticated adversaries can bypass ViewState validation by crafting a malicious payload and sending it via the __VIEWSTATE parameter in an HTTP request. Upon server-side deserialization, this leads to remote code execution (RCE).

Real-world exploitation has been observed, particularly affecting systems in Japan. Attackers utilized this flaw to deploy the Godzilla (also known as BLUEBEAM) in-memory web shell, which operates within the IIS worker process to evade detection. Following the initial compromise, threat actors escalated privileges, moved laterally through the network, and modified application JavaScript files to trick users into installing counterfeit security plugins. These plugins were used to deliver Cobalt Strike beacons to workstations, with some payloads specifically encrypted using the target organization's name.

Recommendations

Update KnowledgeDeliver to a version released after February 24, 2026. Change the machineKey values to unique, secure secrets for all instances. Restrict access to the LMS to minimize the risk of exploitation. Implement runtime segmentation to limit potential lateral movement within the network.
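
One way to check the "unique machineKey for all instances" recommendation across several installs, as an added example that is not part of the advisory or the vendor's tooling. Host names and key strings are constructed placeholders, and the generated key lengths (64-byte validation key, 32-byte decryption key) are an assumption suited to HMACSHA256 and AES.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

def key_fingerprint(web_config_xml):
    """Short SHA-256 fingerprint of a static machineKey, or None when the
    element is absent or both keys are left on AutoGenerate."""
    mk = ET.fromstring(web_config_xml).find(".//machineKey")
    if mk is None:
        return None
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    if vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"):
        return None
    # Hash the key material so hosts can be compared without logging secrets.
    material = (vkey + "|" + dkey).upper().encode()
    return hashlib.sha256(material).hexdigest()[:16]

def shared_keys(configs):
    """Map fingerprint -> sorted host names, for keys used by 2+ hosts."""
    groups = defaultdict(list)
    for host, xml_text in configs.items():
        fp = key_fingerprint(xml_text)
        if fp is not None:
            groups[fp].append(host)
    return {fp: sorted(h) for fp, h in groups.items() if len(h) > 1}

def new_machine_key():
    """Fresh per-instance values from the OS CSPRNG (lengths are an assumption)."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}

# Constructed sample input: two installs shipped with the same web.config,
# one re-keyed install, one with no machineKey element. Not real key values.
_TEMPLATE = ('<configuration><system.web><machineKey validationKey="{validationKey}" '
             'decryptionKey="{decryptionKey}" validation="HMACSHA256" '
             'decryption="AES" /></system.web></configuration>')
_STOCK = {"validationKey": "AA" * 64, "decryptionKey": "BB" * 32}
SAMPLE = {
    "lms-a": _TEMPLATE.format(**_STOCK),
    "lms-b": _TEMPLATE.format(**_STOCK),
    "lms-c": _TEMPLATE.format(**new_machine_key()),
    "lms-d": "<configuration><system.web /></configuration>",
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE).items():
        print(f"shared machineKey {fp}: {', '.join(hosts)}")
```

Any fingerprint reported for more than one host marks instances that still share a secret and need re-keying.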

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers: CVE-2026-5426

Affected Products: Knowledgedeliver