KnowledgeDeliver flaw exploited as a zero-day to install web shells
ID: 3208f243-3bb6-5f6c-a44e-67ee31be47c3
STIX ID: report--3208f243-3bb6-5f6c-a44e-67ee31be47c3
Feed Name: Bleeping Computer
Mandiant reported that KnowledgeDeliver LMS instances used a standardized web.config with a hardcoded ASP.NET machineKey (CVE-2026-5426). The shared key enabled ViewState deserialization attacks, which were exploited as a zero-day to gain RCE. Threat actors used the flaw to install a Cobalt Strike beacon and deploy the Godzilla (BlueBeam) .NET web shell, and they modified web content to lure users to a malicious installer. The findings indicate multi-customer exposure.
