KnowledgeDeliver LMS zero-day exploited to deploy Bluebeam web shell

A zero-day vulnerability in the KnowledgeDeliver Learning Management System has been actively exploited in the wild to deploy the Bluebeam in-memory web shell, according to Google’s Mandiant threat research team.

The flaw, tracked as CVE-2026-5426, allows unauthenticated remote code execution (RCE) and impacts KnowledgeDeliver deployments that used default ASP.NET configuration settings before February 24, 2026.

KnowledgeDeliver, developed by Japan-based Digital Knowledge, is widely deployed across enterprise and educational environments. Mandiant’s investigation into a breach discovered in late 2025 revealed that the compromise stemmed from insecure cryptographic practices involving the reuse of identical ASP.NET machine keys across multiple customer installations.

According to researchers, older KnowledgeDeliver deployments leveraged a standardized web.config file containing hardcoded machineKey values used by the ASP.NET framework to encrypt and validate ViewState data. Because the same keys were shared across independent customer environments, attackers who extracted the keys from one instance could potentially compromise any other internet-facing deployment.

Threat actors exploited the flaw to inject malicious code into the LMS platform and maintain persistent access. Mandiant observed attackers deploying Bluebeam, a .NET-based in-memory web shell also known as Godzilla, to execute commands and gain deeper control over compromised web servers.

The attackers then used remote scripts to lure users into downloading a fake installer that deployed the Cobalt Strike Beacon backdoor on victim workstations.

Organizations running older KnowledgeDeliver installations are advised to rotate ASP.NET machine keys, review server logs for signs of compromise, and update affected systems to vendor-patched configurations.
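The key-reuse problem described above and the rotation advised here, as an added defender-side example that is not part of the article: it scans a set of web.config files for machineKey pairs that recur across installations and rewrites each with freshly generated keys. The install names and key values are constructed samples; the shared-key check only works when configs from several installations are compared together, since one file alone cannot show whether its keys are unique.

```python
import secrets
import xml.etree.ElementTree as ET

def _sample_config(vkey, dkey):  # constructed web.config sample with an explicit <machineKey>
    return f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vkey}" decryptionKey="{dkey}" validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed fleet: a and b ship identical vendor-default keys (made-up), so each accepts ViewState signed for the other.
SHARED_V, SHARED_D = "A1" * 64, "B2" * 32
FLEET = {
    "lms-customer-a": _sample_config(SHARED_V, SHARED_D),
    "lms-customer-b": _sample_config(SHARED_V, SHARED_D),
    "lms-customer-c": _sample_config("C3" * 64, "D4" * 32),
}

def machine_key(config_xml):
    """Return (validationKey, decryptionKey), or None when ASP.NET auto-generates them."""
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    if mk is None:
        return None
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    if vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"):
        return None
    return (vkey.upper(), dkey.upper())

def find_shared_keys(configs):
    """Map every (vkey, dkey) pair found in more than one install to the installs using it."""
    seen = {}
    for name, xml in configs.items():
        key = machine_key(xml)
        if key is not None:
            seen.setdefault(key, []).append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}

def rotate_machine_key(config_xml):
    """Rewrite the config with a fresh per-install 64-byte HMAC key and 32-byte AES key."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        mk = ET.SubElement(root.find("./system.web"), "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())
    mk.set("decryptionKey", secrets.token_hex(32).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")
```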