Security researchers uncovered a critical KnowledgeDeliver flaw that attackers exploited as a zero-day vulnerability to compromise servers and deploy malicious web shells.
The vulnerability affected KnowledgeDeliver, a learning management system developed by Digital Knowledge and widely used in Japan across enterprise and education sectors. Researchers said attackers exploited the flaw before security patches became available.
Shared ASP.NET Keys Enabled Remote Code Execution
Researchers tracked the vulnerability as CVE-2026-5426. The issue stemmed from older KnowledgeDeliver deployments that used identical ASP.NET machine keys inside default configuration files.
These machine keys handled ASP.NET ViewState encryption and validation. Because multiple deployments shared the same keys, attackers who obtained the values from one system could potentially target other exposed environments running the platform.
Researchers explained that attackers abused the flaw through ViewState deserialization attacks. By sending specially crafted requests, threat actors could trigger remote code execution on vulnerable servers.
Attackers Installed Web Shell Malware
Google-owned Mandiant discovered the attacks during an incident response investigation involving a compromised KnowledgeDeliver environment.
Researchers observed attackers deploying the Godzilla web shell directly into memory through IIS worker processes. The malware allowed threat actors to execute commands, upload additional payloads, and maintain long-term persistence on compromised systems.
Investigators also discovered signs of application tampering after the intrusion. Attackers modified JavaScript files inside the platform to display fake browser security warnings designed to trick users into installing malicious software disguised as authentication tools.
Cobalt Strike Payloads Appeared During the Intrusion
Researchers said the attacks eventually led to the deployment of Cobalt Strike Beacon malware on affected systems.
Mandiant noted that one payload appeared customized for the targeted organization because the encryption key contained the victim’s name. Researchers believe the attackers carefully prepared portions of the operation instead of relying entirely on automated exploitation.
The incident highlights how exposed web application vulnerabilities can rapidly escalate into broader malware infections affecting both servers and end users.
Older Deployments Remain at Risk
Researchers warned that KnowledgeDeliver deployments installed before February 2026 may remain vulnerable if administrators did not rotate the ASP.NET machine keys or apply updated configurations.
Security experts recommended that organizations:
- Rotate ASP.NET machine keys immediately
- Review logs for suspicious ViewState activity
- Search systems for web shell indicators
- Restrict internet exposure where possible
- Apply updated vendor configurations
Researchers also warned that exposed KnowledgeDeliver servers should be treated as potentially compromised until administrators complete full forensic investigations.
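To make the shared-key condition concrete, here is an added Python example (not code from the article, Mandiant or Digital Knowledge) that parses the machineKey element from several web.config files, reports deployments that share one static key pair, and generates fresh random keys for rotation. The sample config fragments, the deployment paths and the HMACSHA256/AES key lengths are this example's own assumptions.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config fragments for three hypothetical deployments.
# lms-a and lms-b reuse one static machineKey (the condition the article
# describes); lms-c lets ASP.NET generate keys per server instead.
SAMPLE_CONFIGS = {
    "lms-a/web.config": """<configuration><system.web>
      <machineKey validationKey="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4"
                  decryptionKey="F6E5D4C3B2A1F6E5D4C3B2A1F6E5D4C3"
                  validation="SHA1" decryption="AES"/>
      </system.web></configuration>""",
    "lms-b/web.config": """<configuration><system.web>
      <machineKey validationKey="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4"
                  decryptionKey="F6E5D4C3B2A1F6E5D4C3B2A1F6E5D4C3"
                  validation="SHA1" decryption="AES"/>
      </system.web></configuration>""",
    "lms-c/web.config": """<configuration><system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps"
                  decryptionKey="AutoGenerate,IsolateApps"/>
      </system.web></configuration>""",
}

def extract_machine_key(xml_text):
    """Return the machineKey attributes from a web.config, or None if absent."""
    node = ET.fromstring(xml_text).find("./system.web/machineKey")
    return None if node is None else dict(node.attrib)

def find_shared_keys(configs):
    """Group deployments by a SHA-256 fingerprint of their static key pair and
    return only the groups where more than one deployment shares the secret."""
    groups = defaultdict(list)
    for path, xml_text in configs.items():
        mk = extract_machine_key(xml_text)
        if mk is None or "AutoGenerate" in mk.get("validationKey", ""):
            continue  # per-server keys are not shared across hosts
        material = f'{mk.get("validationKey")}|{mk.get("decryptionKey")}'.encode()
        groups[hashlib.sha256(material).hexdigest()[:16]].append(path)
    return {fp: paths for fp, paths in groups.items() if len(paths) > 1}

def new_machine_key():
    """Fresh random keys for rotation: 64-byte HMACSHA256 validation key and
    32-byte AES decryption key (algorithm and sizes are this example's choice)."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}
```

Any group reported by find_shared_keys is a set of hosts whose ViewState secrets are interchangeable; each should receive its own output of new_machine_key and the old values should be treated as exposed.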
Conclusion
The exploited KnowledgeDeliver flaw demonstrates the serious risks tied to insecure default configurations and shared cryptographic secrets. Attackers used the zero-day vulnerability to deploy web shells, tamper with application files, and install additional malware on vulnerable systems. Researchers believe organizations running older KnowledgeDeliver environments should urgently investigate for signs of compromise and apply all available mitigations immediately.