Digital Knowledge KnowledgeDeliver ViewState deserialization RCE (CVE-2026-5426)
Vulnerability
Summary
Hide ▲
Show ▼
A now-patched CVE-2026-5426 in Digital Knowledge KnowledgeDeliver was exploited as a zero-day, exposing affected LMS deployments to unauthenticated remote code execution through ViewState deserialization.
Related Happenings
Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation
Malware Activity
First: 26.05.2026 08:19
Last: 26.05.2026 08:19
Sources 1
How related:
In the activity observed in connection with CVE-2026-5426, attackers have been found to deploy the Godzilla (aka BLUEBEAM) web shell, granting them the ability to run commands or drop additional payloads.
About this happening:
The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...
Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation
Malware ActivityHow related: In the activity observed in connection with CVE-2026-5426, attackers have been found to deploy the Godzilla (aka BLUEBEAM) web shell, granting them the ability to run commands or drop additional payloads.
About this happening: The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector ActionAbout this happening: **CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
Timeline
-
26.05.2026 23:07 1 articles · 1d ago
Initial report: KnowledgeDeliver LMS zero-day ViewState deserialization flaw (CVE-2026-5426)
Initial DisclosureIn **late 2025**, attackers used the flaw as a **zero-day** against a **KnowledgeDeliver server** to inject a malicious script before escalating to signed **ViewState** payloads and web-shell deployment.
Show sources
- KnowledgeDeliver flaw exploited as a zero-day to install web shells — www.bleepingcomputer.com — 26.05.2026 23:07
-
26.05.2026 08:19 2 articles · 1d ago
KnowledgeDeliver zero-day used to deploy Godzilla and Cobalt Strike
Initial DisclosureGoogle Mandiant and Google Threat Intelligence Group said an unknown threat actor exploited CVE-2026-5426 in Digital Knowledge KnowledgeDeliver by abusing hard-coded ASP.NET machine keys for ViewState deserialization and unauthenticated remote code execution. The activity deployed the Godzilla (BLUEBEAM) web shell, enabled command execution and payload dropping, and ultimately led to Cobalt Strike Beacon on KnowledgeDeliver deployments prior to February 24, 2026.
Show sources
- KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike — thehackernews.com — 26.05.2026 08:19
- KnowledgeDeliver flaw exploited as a zero-day to install web shells — www.bleepingcomputer.com — 26.05.2026 23:07