KnowledgeDeliver LMS Zero-Day Used to Deploy Stealthy In-Memory Web Shell

Explore the critical CVE-2026-5426 flaw in KnowledgeDeliver LMS exploited for remote attacks, urging immediate machine key updates.

By Content Team

May 26, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

A zero-day flaw in KnowledgeDeliver LMS (CVE-2026-5426) is being actively exploited to deploy BLUEBEAM, an in-memory web shell that leaves almost no forensic trace. Mandiant linked the attacks to a late-2025 breach, finding that hardcoded ASP.NET machine keys shared across customer installations let attackers forge malicious ViewState payloads and achieve remote code execution without authentication.

Once inside, attackers weakened file permissions, tampered with JavaScript files to push fake security alerts, and infected users with a targeted Cobalt Strike Beacon. The fix is straightforward but urgent: rotate machine keys to unique values per deployment immediately.

Source: Cybersecurity News

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Massive Supply Chain Attack on Trivy Tool Threatens Thousands of Organizations

Mar 25, 2026

Adobe Rushes Emergency Patch for Acrobat Reader Zero-Day Under Active Attack

Apr 13, 2026

Critical BitLocker Zero-Day Exploits Leave Windows Systems Exposed

May 14, 2026

M&S Technology Chief Quits Less Than a Year After Cyber Attack

Jan 22, 2026