A zero-day flaw in KnowledgeDeliver LMS (CVE-2026-5426) is being actively exploited to deploy BLUEBEAM, an in-memory web shell that leaves almost no forensic trace. Mandiant linked the attacks to a late-2025 breach, finding that hardcoded ASP.NET machine keys shared across customer installations let attackers forge malicious ViewState payloads and achieve remote code execution without authentication.
Once inside, attackers weakened file permissions, tampered with JavaScript files to push fake security alerts, and infected users with a targeted Cobalt Strike Beacon. The fix is straightforward but urgent: rotate machine keys to unique values per deployment immediately.
Source: Cybersecurity News
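As a check to go with the remediation above, the following added example (not code from Mandiant, the vendor, or the source article) audits a set of collected `web.config` files for static ASP.NET `<machineKey>` values and groups deployments that share the same keys. The hostnames and key values are constructed sample data, and it assumes the config files carry no XML namespace.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data: hostnames and key values are made up for this example.
_TPL = "<configuration><system.web><machineKey {}/></system.web></configuration>"
SAMPLE_CONFIGS = {
    "lms-a.example": _TPL.format('validationKey="AB12CD34" decryptionKey="0F0F0F0F" validation="HMACSHA256"'),
    "lms-b.example": _TPL.format('validationKey="ab12cd34" decryptionKey="0f0f0f0f" validation="HMACSHA256"'),
    "lms-c.example": _TPL.format('validationKey="99887766" decryptionKey="55443322" validation="HMACSHA256"'),
    "lms-d.example": _TPL.format('validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"'),
    "lms-e.example": "<configuration><system.web/></configuration>",
}

def key_fingerprint(xml_text):
    """Fingerprint of explicit machine keys, or None when absent or auto-generated.

    Only a truncated SHA-256 is returned so the report never contains key material.
    """
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):  # also matches keys nested under <location>
        vkey = mk.get("validationKey", "AutoGenerate")
        dkey = mk.get("decryptionKey", "AutoGenerate")
        if vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"):
            continue
        # Hex keys are case-insensitive, so normalise before hashing.
        return hashlib.sha256(f"{vkey.upper()}|{dkey.upper()}".encode()).hexdigest()[:16]
    return None

def audit(configs):
    """Return (hosts with static keys, groups of hosts sharing the same keys)."""
    groups = defaultdict(list)
    for host, xml_text in configs.items():
        fp = key_fingerprint(xml_text)
        if fp is not None:
            groups[fp].append(host)
    static = sorted(h for hosts in groups.values() for h in hosts)
    shared = sorted(sorted(hosts) for hosts in groups.values() if len(hosts) > 1)
    return static, shared

if __name__ == "__main__":
    static, shared = audit(SAMPLE_CONFIGS)
    print("static keys:", static)
    for hosts in shared:
        print("SHARED machine keys, rotate to unique values:", ", ".join(hosts))
```

Any host in a shared group should be treated as exposed to the same forged-ViewState risk as every other host in that group until its keys are rotated.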