KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
ID: 65dd0ca0-bf9b-5c6a-8c3e-b6877b2b2fae
STIX ID: report--65dd0ca0-bf9b-5c6a-8c3e-b6877b2b2fae
Feed Name: The Hacker News
A high-severity zero-day (CVE-2026-5426, CVSS 7.5) in the KnowledgeDeliver LMS, caused by vendor-shipped hard-coded ASP.NET machineKey values, was exploited in the wild to achieve remote code execution (RCE) through ViewState deserialization. Threat actors deployed the Godzilla (BLUEBEAM) web shell, altered JavaScript to push a fake security plugin, and delivered a tailored Cobalt Strike Beacon payload. The campaign demonstrates the risk of shared secrets across deployments and the need for unique secrets and enhanced endpoint monitoring.
