Overview
- Google-owned Mandiant disclosed active exploitation on Tuesday, May 26, 2026, and published indicators of compromise plus mitigation advice for affected organizations.
- The flaw is tracked as CVE-2026-5426 with a CVSS score of 7.5 and stems from hard-coded ASP.NET machineKey values that enabled unauthenticated ViewState deserialization and remote code execution.
- Attackers used the bug to deploy the Godzilla (Bluebeam) .NET web shell, change site JavaScript to show a fake security alert prompting users to install a bogus plugin, and then deliver Cobalt Strike beacons targeted to each victim.
- All KnowledgeDeliver instances deployed before February 24, 2026 are at risk because they used a standardized web.config; Mandiant advises rotating machineKey values, applying vendor updates, restricting internet access to the LMS, and increasing monitoring.
- This incident highlights a recurring risk from shared deployment secrets and follows prior ViewState attacks on platforms such as Sitecore and CentreStack, raising the prospect of more targeted backdoors and wider compromise if keys are not unique and rotated.
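To act on the advice to rotate machineKey values, a defender first needs to know which deployments carry static keys and which share them. The following is an added example, not code from Mandiant or the vendor: it fingerprints explicit `validationKey`/`decryptionKey` values in web.config files and groups configs that reuse the same pair. The paths, key strings and function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs (not real keys): two hosts share one static key pair.
SHARED = ('<configuration><system.web><machineKey validation="HMACSHA256" '
          'validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90" '
          'decryptionKey="00112233445566778899AABBCCDDEEFF" /></system.web></configuration>')
SAMPLES = {
    "lms-a/web.config": SHARED,
    "lms-b/web.config": SHARED,
    "lms-c/web.config": '<configuration><system.web><machineKey '
                        'validationKey="AutoGenerate,IsolateApps" '
                        'decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>',
    "lms-d/web.config": "<configuration><system.web /></configuration>",
}

def static_key_fingerprint(xml_text):
    """Return a SHA-256 fingerprint of explicit machineKey material, or None."""
    root = ET.fromstring(xml_text)
    fp = hashlib.sha256()
    found = False
    # machineKey may also sit under <location> elements, so search the whole tree.
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "").strip()
            # Absent or AutoGenerate means the runtime generates the key itself.
            if value and not value.lower().startswith("autogenerate"):
                fp.update(f"{attr}={value.upper()};".encode())
                found = True
    return fp.hexdigest() if found else None

def audit(configs):
    """Map fingerprint -> sorted paths for every config with static keys."""
    groups = defaultdict(list)
    for path, text in configs.items():
        fp = static_key_fingerprint(text)
        if fp:
            groups[fp].append(path)
    return {fp: sorted(paths) for fp, paths in groups.items()}

def shared_keys(configs):
    """Return only groups where one key pair is reused across several configs."""
    return {fp: p for fp, p in audit(configs).items() if len(p) > 1}

if __name__ == "__main__":
    for fp, paths in shared_keys(SAMPLES).items():
        print(f"reused machineKey {fp[:12]}: {', '.join(paths)}")
```

Only fingerprints are reported, so the key material itself never lands in audit output or tickets.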