Attackers exploited KnowledgeDeliver zero-day CVE-2026-5426 to install web shells and backdoors on LMS servers

Hackers used a previously unknown flaw in Digital Knowledge’s KnowledgeDeliver learning platform to break into servers and plant persistent malware. Mandiant says CVE-2026-5426 affects KnowledgeDeliver deployments before February 24, 2026, because a standardized ASP.NET web.config file contained hardcoded machineKey values, enabling ViewState deserialization attacks for remote code execution. The observed intrusions deployed Godzilla web shells, altered JavaScript to show fake plugin alerts, and ultimately installed a tailored Cobalt Strike backdoor.
Why it matters: Organizations using KnowledgeDeliver, especially enterprise and education users, may already be compromised, not just vulnerable. Admins should urgently rotate machine keys, restrict access to the LMS, hunt for the published indicators of compromise, and check for web shells, modified JavaScript, and follow-on malware.
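
An added example (not from Mandiant, Digital Knowledge, or the cited articles) of auditing ASP.NET web.config files for the condition described above: literal machineKey values stored in the file, and the same literal key appearing on more than one host. The host names and key values are constructed placeholders, and keys are reported only as truncated SHA-256 fingerprints.

```python
import hashlib
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

# Constructed sample configs (placeholder key material, not real keys).
STATIC_CONFIG = """<configuration><system.web>
  <machineKey validationKey="%s" decryptionKey="%s"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""" % ("A1" * 32, "B2" * 16)
AUTO_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

def audit_machine_key(config_xml):
    """Return one finding per key attribute of each <machineKey> element."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Ignore an optional XML namespace on the element name.
        if el.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in KEY_ATTRS:
            value = el.get(attr, "AutoGenerate")
            # "AutoGenerate[,IsolateApps]" lets the runtime create the key;
            # anything else is a literal key stored in the file.
            hardcoded = not value.lower().startswith("autogenerate")
            fp = None
            if hardcoded:
                fp = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
            findings.append({"attribute": attr, "hardcoded": hardcoded,
                             "fingerprint": fp})
    return findings

def shared_keys(configs):
    """Map fingerprint -> sorted hosts for literal keys seen on 2+ hosts."""
    seen = {}
    for host, xml_text in configs.items():
        for finding in audit_machine_key(xml_text):
            if finding["hardcoded"]:
                seen.setdefault(finding["fingerprint"], set()).add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}

if __name__ == "__main__":
    fleet = {"lms-a": STATIC_CONFIG, "lms-b": STATIC_CONFIG, "lms-c": AUTO_CONFIG}
    for fp, hosts in shared_keys(fleet).items():
        print(f"literal machineKey {fp} shared by: {', '.join(hosts)}")
```

A key flagged as shared should be treated as known outside the organization and rotated, since a ViewState payload signed with it will validate on every host that carries it.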

Sources

KnowledgeDeliver flaw exploited as a zero-day to install web shells
Ionut Ilascu 2026.05.26 98% relevant
This article is a direct update on the same Mandiant-reported event, adding technical detail that the unauthenticated flaw was a ViewState deserialization issue caused by shared hardcoded ASP.NET machine keys, and that attackers deployed the Godzilla web shell, altered JavaScript to push a fake 'security authentication plugin,' and delivered Cobalt Strike.
Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment
Ionut Arghire 2026.05.26 100% relevant
This article establishes a distinct new incident: in-the-wild exploitation of KnowledgeDeliver zero-day CVE-2026-5426, including the attack chain, malware used, affected versions, and mitigation steps.