Threat actors exploited a zero-day vulnerability (CVE-2026-5426) in KnowledgeDeliver, a widely used LMS, by leveraging hardcoded machineKey values in its ASP.NET configuration to mount ViewState deserialization attacks and deploy Godzilla web shells. The attackers used the web shells to modify system permissions, inject malicious scripts, and ultimately install a targeted Cobalt Strike backdoor, as reported by Mandiant. All KnowledgeDeliver deployments prior to February 24, 2026 are potentially at risk, and organisations are advised to rotate machine keys, restrict LMS access, and monitor for signs of intrusion.
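
To support the key-rotation advice, the following added example (not code from Mandiant, the vendor, or the original report) audits ASP.NET `web.config` content for static `machineKey` values and reports keys that recur across deployments, comparing SHA-256 fingerprints so the keys themselves are never logged. The file names, key values, and function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs; key values are made-up placeholders, not real keys.
SAMPLE_CONFIGS = {
    "host-a/web.config": """<configuration><system.web>
        <machineKey validationKey="AAAA1111BBBB2222" decryptionKey="CCCC3333DDDD4444"
                    validation="SHA1" decryption="AES" />
    </system.web></configuration>""",
    "host-b/web.config": """<configuration><location path="lms"><system.web>
        <machineKey validationKey="aaaa1111bbbb2222" decryptionKey="CCCC3333DDDD4444" />
    </system.web></location></configuration>""",
    "host-c/web.config": """<configuration><system.web>
        <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
    </system.web></configuration>""",
}

def fingerprint(value):
    """Short SHA-256 tag (hex keys are case-insensitive, so normalise first)."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()[:16]

def audit_config(name, xml_text):
    """Return one finding per machineKey attribute that holds a static key."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an XML namespace
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "AutoGenerate")  # absent attribute: auto-generated
            if not value.lower().startswith("autogenerate"):
                findings.append({"file": name, "attr": attr, "fp": fingerprint(value)})
    return findings

def shared_keys(configs):
    """Map fingerprint -> sorted files, for static keys seen in more than one file."""
    seen = {}
    for name, text in configs.items():
        for f in audit_config(name, text):
            seen.setdefault(f["fp"], set()).add(f["file"])
    return {fp: sorted(files) for fp, files in seen.items() if len(files) > 1}

if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        for f in audit_config(name, text):
            print(f"{f['file']}: static {f['attr']} (fp {f['fp']})")
    for fp, files in shared_keys(SAMPLE_CONFIGS).items():
        print(f"key {fp} reused across: {', '.join(files)}")
```

A fingerprint that appears on more than one host suggests a key that shipped with the product rather than one generated per installation, which makes those hosts the first candidates for rotation.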