KnowledgeDeliver LMS Zero-Day Exploited to Deploy BLUEBEAM Web Shell

A newly disclosed zero-day vulnerability in the KnowledgeDeliver Learning Management System (LMS) has been actively exploited in the wild to deploy the BLUEBEAM in-memory web shell, according to Mandiant’s incident response findings.

The flaw, now tracked as CVE-2026-5426, enables unauthenticated remote code execution (RCE). It affects deployments that were still running the default ASP.NET machineKey configuration shipped with the product before February 24, 2026.

KnowledgeDeliver, developed by Japan-based Digital Knowledge, is widely used across enterprise and educational environments. Mandiant’s investigation into a late-2025 breach revealed that the root cause of the compromise stemmed from insecure cryptographic practices, specifically the reuse of identical ASP.NET machine keys across multiple customer installations.

The machineKey element holds the validationKey that signs (MACs) ViewState and the decryptionKey that encrypts it. ViewState is the mechanism Web Forms uses to preserve page state between requests: the server serializes the state into the hidden __VIEWSTATE field, and on the next request it verifies the MAC and deserializes whatever the client sent back. A ViewState whose MAC verifies is trusted, so the secrecy of these keys is the only thing standing between a client-supplied blob and the server's deserializer.

KnowledgeDeliver LMS Zero-Day Exploited

Because the machineKey values were hardcoded and shared, attackers who obtained these keys from a single instance could forge malicious ViewState payloads and reuse them across other exposed servers.

By crafting a serialized .NET payload, signing it with the known key, and delivering it in the __VIEWSTATE parameter of an HTTP request, the threat actor got the server to deserialize attacker-controlled data, achieving remote code execution inside the IIS worker process.

This attack chain closely mirrors previously documented ViewState deserialization attacks observed in platforms such as Sitecore and earlier campaigns highlighted by Microsoft involving exposed machine keys.
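To make the key-reuse failure concrete, here is a simplified model of MAC-protected ViewState. It is an added illustration, not code from the article, from Mandiant, or from the KnowledgeDeliver code base. It uses a plain HMAC-SHA256 over the serialized state and the page generator value; real ASP.NET 4.5+ first runs the machineKey through a purpose-specific key derivation, so this is not byte-compatible with real __VIEWSTATE values. The keys, generator value and payload bytes are constructed.

```python
"""Simplified model of ASP.NET ViewState MAC validation and why a shared
machineKey turns one leaked key into a skeleton key for every deployment.

Added example, not Mandiant's or Digital Knowledge's code. The check is a
plain HMAC-SHA256 over state||generator; real ASP.NET 4.5+ derives a
purpose-specific key (SP800-108) first, so this is NOT byte-compatible
with real __VIEWSTATE values. All keys and payloads are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(validation_key: bytes, state: bytes, generator: str) -> str:
    """Server side: append a MAC over state||generator and base64 the result."""
    mac = hmac.new(validation_key, state + generator.encode(), hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def validate_viewstate(validation_key: bytes, encoded: str, generator: str) -> Optional[bytes]:
    """Server side: return the state bytes only if the MAC verifies.
    A None return is the path that surfaces as a ViewState validation failure."""
    raw = base64.b64decode(encoded)
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state + generator.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return state  # in ASP.NET this is the data LosFormatter goes on to deserialize


# Constructed: two unrelated customer installs that shipped the same hardcoded key.
SHARED_KEY = bytes.fromhex("ab" * 64)
TENANT_A_KEY = SHARED_KEY
TENANT_B_KEY = SHARED_KEY
GENERATOR = "CA0B0334"  # constructed __VIEWSTATEGENERATOR value


def forge_for_other_tenant():
    """Attacker learns the key from tenant A, forges a payload, replays it at tenant B.
    Returns (accepted_by_B_with_shared_key, accepted_by_B_after_key_rotation)."""
    malicious_state = b"\xff\x01<constructed placeholder for a serialized gadget chain>"
    forged = sign_viewstate(TENANT_A_KEY, malicious_state, GENERATOR)
    accepted_shared = validate_viewstate(TENANT_B_KEY, forged, GENERATOR) is not None
    rotated_key = secrets.token_bytes(64)  # tenant B rotates to a unique random key
    accepted_rotated = validate_viewstate(rotated_key, forged, GENERATOR) is not None
    return accepted_shared, accepted_rotated


if __name__ == "__main__":
    shared, rotated = forge_for_other_tenant()
    print(f"forged ViewState accepted by tenant B (shared key): {shared}")
    print(f"forged ViewState accepted after tenant B rotates key: {rotated}")
```

The model shows the two properties that matter for this incident: the MAC check itself is sound, so the flaw is entirely in key management, and a forged payload stops validating the moment the receiving deployment moves to a key of its own.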

Following initial access, the attacker deployed BLUEBEAM, a .NET-based web shell also known as Godzilla. Unlike traditional web shells that rely on files stored on disk, BLUEBEAM operates entirely in memory within the IIS worker process (w3wp.exe), significantly reducing its forensic footprint.

The malware communicates through encrypted HTTP POST requests, allowing attackers to execute commands, upload payloads, and maintain persistence without triggering conventional file-based detection mechanisms.

The intrusion did not stop at server-side access. Mandiant observed the attacker modifying file system permissions using icacls to grant broad access rights, effectively weakening security controls on the compromised host.

Additionally, legitimate JavaScript files within the LMS were tampered with to inject malicious code. This code displayed a fraudulent security alert prompting users to install a so-called authentication plugin, while simultaneously loading external scripts from attacker-controlled infrastructure.

This social engineering component led to downstream infections. Users who downloaded the fake plugin were infected with a Cobalt Strike Beacon payload, a widely abused post-exploitation framework.

Notably, the payload was encrypted with a key derived from the victim organization’s name, indicating targeted, pre-compromise reconnaissance by the threat actor.

Detection opportunities for this activity exist but require careful monitoring of application and system behavior. The Windows Application log may contain ASP.NET Event ID 1316 (Viewstate verification failed) entries. These are written when a submitted __VIEWSTATE fails the integrity check, and the event body records the client IP, User-Agent, request path and the offending ViewState value.

In some cases, successfully crafted payloads still produced an "invalid ViewState" error, but the deserialization step had already run by the time the error was raised, so the failure is logged even though the payload executed. Mandiant reported recovering encoded payload fragments from these log entries and linking them to BLUEBEAM activity.

Process monitoring is equally critical, as suspicious child processes such as cmd.exe or powershell.exe spawned from w3wp.exe can indicate exploitation. File integrity monitoring may reveal unauthorized modifications to .js, .aspx, or .config files, particularly the insertion of remote script loaders.

Network defenders should also watch for anomalous User-Agent strings, especially those formed by concatenating multiple browser signatures (for example, two "Mozilla/5.0 ..." product strings run together), a pattern consistent with prior ViewState exploitation campaigns.
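The three detection signals above (Event ID 1316 bodies carrying the offending ViewState, concatenated User-Agents, and shells spawned by w3wp.exe) can be triaged with a short script. The following is an added example, not Mandiant's tooling. The event layout follows the ASP.NET health-monitoring message format, but the sample events, User-Agents and process records are constructed, and the type names used as payload markers are the common ysoserial.net ViewState gadgets rather than indicators taken from this specific campaign.

```python
"""Triage helpers for the detection opportunities described above: ASP.NET
Event ID 1316 entries (with the offending __VIEWSTATE), concatenated
User-Agent strings, and cmd.exe/powershell.exe spawned by w3wp.exe.

Added example, not Mandiant's tooling. Sample events, User-Agents and
process records are constructed; GADGET_MARKERS are generic ysoserial.net
gadget type names, not campaign-specific indicators.
"""
import base64
import re
from typing import Dict, List

# Type names that appear (UTF-8 or UTF-16LE) inside common .NET deserialization
# gadget chains; a hit inside a rejected ViewState is a strong signal.
GADGET_MARKERS = (
    "ObjectDataProvider",
    "TextFormattingRunProperties",
    "ActivitySurrogateSelector",
    "System.Diagnostics.Process",
)

# Fields of the ViewStateException block inside a 1316 event body.
_FIELD = re.compile(r"^\s*(Client IP|User-Agent|ViewState|Path):\s*(.*)$", re.M)


def parse_event_1316(event_text: str) -> Dict[str, str]:
    """Pull the forensic fields out of one Event ID 1316 message body."""
    return {k: v.strip() for k, v in _FIELD.findall(event_text)}


def decode_viewstate(b64: str) -> bytes:
    """Base64-decode a __VIEWSTATE value, tolerating URL-encoding and lost padding."""
    b64 = b64.replace("%2B", "+").replace("%2F", "/").replace("%3D", "=").strip()
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def viewstate_findings(raw: bytes, size_threshold: int = 2048) -> List[str]:
    """Heuristics on the decoded state: unusually large graph, known gadget type names."""
    findings = []
    if len(raw) > size_threshold:
        findings.append(f"oversized viewstate ({len(raw)} bytes)")
    for marker in GADGET_MARKERS:
        if marker.encode("utf-8") in raw or marker.encode("utf-16-le") in raw:
            findings.append(f"gadget marker {marker}")
    return findings


def suspicious_user_agent(ua: str) -> bool:
    """Two or more 'Mozilla/' product tokens means browser signatures were concatenated."""
    return ua.count("Mozilla/") >= 2


def suspicious_child_process(record: Dict[str, str]) -> bool:
    """Shell or PowerShell spawned directly by the IIS worker process."""
    parent = record.get("ParentImage", "").lower()
    child = record.get("Image", "").lower().rsplit("\\", 1)[-1]
    return parent.endswith("\\w3wp.exe") and child in {"cmd.exe", "powershell.exe"}


def triage_event(event_text: str) -> List[str]:
    """Combine the ViewState and User-Agent checks for one 1316 event."""
    fields = parse_event_1316(event_text)
    findings = viewstate_findings(decode_viewstate(fields.get("ViewState", "")))
    if suspicious_user_agent(fields.get("User-Agent", "")):
        findings.append("concatenated user-agent")
    return findings


# --- constructed sample data -----------------------------------------------
# Stand-in forged payload: LosFormatter header, a gadget type name in UTF-16LE,
# then filler so it is as large as a real serialized object graph.
_FAKE_PAYLOAD = b"\xff\x01" + "System.Windows.Data.ObjectDataProvider".encode("utf-16-le") + b"\x00" * 3000
SAMPLE_EVENT = f"""Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
ViewStateException information:
    Exception message: Invalid viewstate.
    Client IP: 203.0.113.5
    Path: /Login.aspx
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0
    ViewState: {base64.b64encode(_FAKE_PAYLOAD).decode()}
"""
BENIGN_EVENT = """Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
ViewStateException information:
    Client IP: 198.51.100.7
    Path: /Default.aspx
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0
    ViewState: /wEPDwUKMTIzNDU2Nzg5MGRk
"""
SAMPLE_PROCESSES = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    print("forged event:", triage_event(SAMPLE_EVENT))
    print("benign event:", triage_event(BENIGN_EVENT))
    print("suspicious processes:", [p["Image"] for p in SAMPLE_PROCESSES if suspicious_child_process(p)])
```

A benign 1316 event (a stale page submitted after an application pool recycle, for instance) decodes to a small state with no gadget names and a single browser signature, so the point of the heuristics is to separate those from the rejected-but-already-deserialized forgeries described above. Tune the size threshold to the application's normal ViewState sizes before alerting on it alone.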

The only effective remediation for this vulnerability is the immediate rotation of ASP.NET machine keys to unique, cryptographically strong values per deployment; any forged ViewState signed with the old shared key stops validating as soon as the key changes. Rotation does not, however, evict a BLUEBEAM instance already resident in w3wp.exe memory, so the application pool should be recycled and the host checked for the persistence described above (the icacls permission changes and tampered JavaScript) as part of the same response.

Organizations are also advised to restrict LMS access to trusted IP ranges and conduct retrospective threat hunting to identify signs of compromise.
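Rotating keys is straightforward; the harder part at fleet scale is knowing which deployments still carry the shared default. The script below, an added example rather than vendor or Mandiant tooling, audits a set of web.config files for validationKey values that recur across distinct deployments and emits a fresh, unique machineKey element. The web.config fragments and the key values in them are constructed placeholders, not the real KnowledgeDeliver keys.

```python
"""Fleet audit for the shared-machineKey condition behind this incident,
plus generation of a unique replacement <machineKey> per deployment.

Added example; not vendor or Mandiant tooling. The web.config fragments and
key values are constructed placeholders, not the real KnowledgeDeliver keys.
Key sizes follow ASP.NET's documented requirements: a 64-byte (128 hex char)
validationKey for HMACSHA256 and a 32-byte (64 hex char) decryptionKey for AES.
"""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

AUTOGENERATE = "autogenerate,isolateapps"  # ASP.NET default: per-machine, per-app keys


def extract_machine_key(web_config_xml: str) -> Dict[str, str]:
    """Return the attributes of the first <machineKey> element, or {} if absent."""
    root = ET.fromstring(web_config_xml)
    for node in root.iter("machineKey"):
        return dict(node.attrib)
    return {}


def find_shared_keys(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each explicit validationKey to the hosts using it and keep only keys seen on
    more than one host. Nodes of one load-balanced farm legitimately share a key, so
    feed this configs from distinct customers/deployments, not members of one farm."""
    by_key: Dict[str, List[str]] = defaultdict(list)
    for host, xml_text in configs.items():
        vk = extract_machine_key(xml_text).get("validationKey", "").strip().lower()
        if vk and vk != AUTOGENERATE:
            by_key[vk].append(host)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def new_machine_key_element() -> str:
    """Fresh, unique keys from a CSPRNG, in the form ASP.NET expects in web.config."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


def wrap(machine_key_element: str) -> str:
    """Minimal constructed web.config wrapper around a <machineKey> element."""
    return f"<configuration><system.web>{machine_key_element}</system.web></configuration>"


# Constructed fleet: two customers shipped with the same hardcoded key, one is unique.
PLACEHOLDER_KEY = "A1B2C3D4" * 16   # 128 hex chars, stands in for a leaked shared key
PLACEHOLDER_DEC = "0F" * 32         # 64 hex chars
SHARED_ELEMENT = (
    f'<machineKey validationKey="{PLACEHOLDER_KEY}" decryptionKey="{PLACEHOLDER_DEC}" '
    'validation="HMACSHA256" decryption="AES" />'
)
FLEET = {
    "lms-a.example": wrap(SHARED_ELEMENT),
    "lms-b.example": wrap(SHARED_ELEMENT),
    "lms-c.example": wrap(new_machine_key_element()),
}

if __name__ == "__main__":
    for key, hosts in find_shared_keys(FLEET).items():
        print(f"validationKey {key[:16]}... shared by: {', '.join(hosts)}")
    print("replacement element:", new_machine_key_element())
```

Two operational notes: a key that appears on exactly one host is not proof of safety if that host's key was the vendor default (compare against the vendor's advisory, not just against your own fleet), and rotation invalidates every outstanding ViewState and forms-authentication ticket signed with the old key, so schedule it as a brief user-visible interruption rather than a silent change.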

A known indicator associated with the campaign includes the BLUEBEAM payload “LoadLibrary.dll” with SHA-256 hash 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2.

This incident underscores the systemic risk posed by shared secrets in software deployment templates. A single exposed key can cascade into widespread compromise across unrelated organizations, reinforcing the need for secure-by-default configurations and continuous monitoring of application-layer threats.

The post KnowledgeDeliver LMS Zero-Day Exploited to Deploy BLUEBEAM Web Shell appeared first on Cyber Security News.
