A now-patched high-severity security flaw affecting Digital Information KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon.
The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, resulting in unauthenticated remote code execution through a ViewState deserialization attack. The abuse of publicly disclosed ASP.NET machine keys by threat actors was first documented by Microsoft in February 2025.
“An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the objective of infecting users visiting the site,” Google Mandiant and Google Threat Intelligence Group (GTIG) said.
The security flaw impacted Digital Information KnowledgeDeliver deployments prior to February 24, 2026. It is worth noting that similar vulnerabilities in Sitecore Experience Manager (XM) and Gladinet CentreStack and TrioFox have also been exploited by threat actors.
The issue is rooted in the fact that KnowledgeDeliver installations relied on a standardized web.config file supplied by the vendor that contained hard-coded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.
As a result, a threat actor who manages to obtain the keys from one deployment could leverage them to compromise other internet-facing KnowledgeDeliver instances.
“The ASP.NET ViewState persists page state across postbacks,” Google said. “When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (through the __VIEWSTATE parameter), the threat actor can make the server deserialize it.”
In the activity observed in connection with CVE-2026-5426, attackers were found to deploy the Godzilla (aka BLUEBEAM) web shell, granting them the ability to run commands or drop additional payloads.
Among the commands executed were instructions to escalate their control over the web server’s file system by granting “Everyone” full access to the web application directory. Subsequently, the threat actor tampered with an application JavaScript file to include code that displayed a fake security alert, urging users to install a “security authentication plugin.”
In tandem, the unauthorized modifications made it possible to stealthily load a malicious script hosted on an attacker-controlled domain. The script, in turn, convinced users to download a fake installer, ultimately infecting the machines with Cobalt Strike Beacon.
“The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Google said.
“The exploitation of KnowledgeDeliver highlights the severe risks of using shared secrets in deployment templates. A single leaked key can compromise an entire ecosystem of installations. By implementing unique secrets and robust endpoint monitoring, organizations can defend against these deserialization attacks.”
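For defenders who want to check their own fleet for the condition described above (literal machineKey values reused across deployments), here is an added example that is not from Google's report or the vendor. The function names, site names and key strings are constructed placeholders, and it assumes the machineKey section is stored inline and unencrypted in each config file.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

KEY_ATTRS = ("validationKey", "decryptionKey")

def hardcoded_keys(config_xml):
    """Return {attribute: fingerprint} for every literal machineKey value."""
    found = {}
    root = ET.fromstring(config_xml)
    # iter() also reaches machineKey elements nested under <location>.
    for elem in root.iter("machineKey"):
        for attr in KEY_ATTRS:
            value = elem.get(attr, "").strip()
            # "AutoGenerate[,IsolateApps]" means ASP.NET generates the key itself.
            if value and not value.lower().startswith("autogenerate"):
                # Fingerprint the secret instead of echoing it into reports.
                digest = hashlib.sha256(value.upper().encode()).hexdigest()
                found[attr] = digest[:16]
    return found

def shared_keys(configs):
    """Map fingerprint -> sorted deployments, for keys seen on more than one."""
    seen = defaultdict(set)
    for name, xml_text in configs.items():
        for fingerprint in hardcoded_keys(xml_text).values():
            seen[fingerprint].add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}

# Constructed sample configs; the key strings are placeholders, not real keys.
TEMPLATE = """<configuration><system.web>
  <machineKey validationKey="AAAA1111BBBB2222" decryptionKey="CCCC3333DDDD4444"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
UNIQUE = TEMPLATE.replace("AAAA1111BBBB2222", "EEEE5555FFFF6666").replace(
    "CCCC3333DDDD4444", "0000777711118888")
AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
</system.web></configuration>"""
SAMPLES = {"site-a": TEMPLATE, "site-b": TEMPLATE, "site-c": UNIQUE, "site-d": AUTO}

if __name__ == "__main__":
    for fingerprint, sites in shared_keys(SAMPLES).items():
        print(f"key {fingerprint} reused on: {', '.join(sites)}")
```

Any fingerprint reported on more than one deployment marks a key that should be rotated to a unique value per installation.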



