Active Exploitation of KnowledgeDeliver LMS Flaw Deploys Memory-Only Web Shell

Mandiant discovered attackers exploiting a shared ASP.NET machine key flaw in KnowledgeDeliver LMS to deploy the BLUEBEAM in-memory web shell.

CSBadmin
2 Min Read

Vulnerability Details

Security researchers at Mandiant have uncovered active exploitation of a zero-day vulnerability in the KnowledgeDeliver Learning Management System (LMS). The flaw allows unauthenticated remote code execution on affected servers. KnowledgeDeliver, developed by the Japan-based company Digital Knowledge, is commonly used in enterprise and educational settings. The root cause is an insecure cryptographic practice: the same ASP.NET machine keys were reused across multiple customer installations. These keys protect ViewState, the serialized data that maintains page state between requests. Because the machine key values were hardcoded and shared, an attacker who obtained the keys from one instance could forge malicious ViewState payloads and reuse them against any other exposed server. Sending a crafted serialized payload in the __VIEWSTATE parameter of an HTTP request forces the server to deserialize untrusted data, achieving code execution.
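The weakness described above is a configuration property that defenders can audit directly. The following Python script is an added example, not code from the article, from Mandiant, or from Digital Knowledge: it parses several web.config fragments (constructed here, with placeholder key material), flags machine keys that are hardcoded and shared across more than one installation, flags weak validation and decryption algorithms, and generates a fresh, unique `<machineKey>` element as a replacement. The tenant paths and the sample configurations are assumptions of this example.

```python
import secrets
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from xml.etree import ElementTree as ET

# Constructed web.config fragments for three hypothetical installations.
# The key material is a repeated placeholder pattern, not real keys.
PLACEHOLDER_VALIDATION_KEY = "A1" * 64   # 128 hex chars = 64 bytes
PLACEHOLDER_DECRYPTION_KEY = "B2" * 32   # 64 hex chars = 32 bytes

SAMPLE_CONFIGS: Dict[str, str] = {
    "tenant-a/web.config": f"""<configuration><system.web>
  <machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}"
              decryptionKey="{PLACEHOLDER_DECRYPTION_KEY}"
              validation="SHA1" decryption="AES" />
</system.web></configuration>""",
    # The same hardcoded keys shipped to a second customer: the flaw in the article.
    "tenant-b/web.config": f"""<configuration><system.web>
  <machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}"
              decryptionKey="{PLACEHOLDER_DECRYPTION_KEY}"
              validation="SHA1" decryption="AES" />
</system.web></configuration>""",
    # Per-application auto-generated keys with a modern MAC algorithm.
    "tenant-c/web.config": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""",
}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def parse_machine_key(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the <machineKey> attributes from a web.config, or None if absent."""
    root = ET.fromstring(xml_text)
    for element in root.iter("machineKey"):
        return dict(element.attrib)
    return None


def audit_machine_keys(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit several web.config files and return per-file findings.

    Findings cover weak algorithms and, most importantly, hardcoded key pairs
    that appear in more than one installation.
    """
    findings: Dict[str, List[str]] = {path: [] for path in configs}
    owners: Dict[Tuple[str, str], List[str]] = defaultdict(list)

    for path, xml_text in configs.items():
        mk = parse_machine_key(xml_text)
        if mk is None:
            # ASP.NET then auto-generates per-machine keys: safe on a single
            # server, but ViewState will not validate across a web farm.
            findings[path].append("no <machineKey> element (per-machine auto-generated keys)")
            continue
        validation = mk.get("validation", "").upper()
        decryption = mk.get("decryption", "").upper()
        if not validation:
            findings[path].append("validation algorithm not set explicitly (framework-version default)")
        elif validation not in STRONG_VALIDATION:
            findings[path].append(f"weak validation algorithm: {validation}")
        if decryption and decryption != "AES":
            findings[path].append(f"weak decryption algorithm: {decryption}")
        vk = mk.get("validationKey", "")
        dk = mk.get("decryptionKey", "")
        if not (vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate")):
            owners[(vk, dk)].append(path)

    # A hardcoded key pair present in more than one installation lets a ViewState
    # forged for one server be replayed against every other one.
    for paths in owners.values():
        if len(paths) > 1:
            for path in paths:
                others = sorted(p for p in paths if p != path)
                findings[path].append("hardcoded machine keys shared with: " + ", ".join(others))
    return findings


def generate_machine_key_element() -> str:
    """Build a replacement <machineKey> with fresh random keys.

    64 random bytes for the HMACSHA256 validation key and 32 bytes for AES-256
    decryption, hex-encoded as ASP.NET expects. Generate one per server.
    """
    validation_key = secrets.token_hex(64).upper()
    decryption_key = secrets.token_hex(32).upper()
    return (
        f'<machineKey validationKey="{validation_key}" '
        f'decryptionKey="{decryption_key}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


if __name__ == "__main__":
    for path, issues in audit_machine_keys(SAMPLE_CONFIGS).items():
        print(path)
        for issue in issues or ["ok"]:
            print("  -", issue)
    print("\nReplacement element (run once per affected installation):")
    print(generate_machine_key_element())
```

Run against real files by reading each installation's web.config into the dictionary in place of `SAMPLE_CONFIGS`; the cross-installation check is the one that matters here, because a single file in isolation cannot reveal that its keys are shared.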

Impact and Scope

After gaining initial access, the attacker deployed a .NET-based web shell known as BLUEBEAM, also referred to as Godzilla. Unlike traditional web shells that write files to disk, BLUEBEAM runs entirely in memory within the IIS worker process (w3wp.exe), which makes it much harder to detect with standard file-scanning tools. The malware communicates over encrypted HTTP POST requests, letting the attacker run commands, upload additional payloads, and maintain persistent access. During the intrusion, Mandiant observed the attacker using icacls to modify file system permissions and grant broad access rights, weakening security controls on the compromised host. Legitimate JavaScript files within the LMS were also tampered with to inject malicious code that displayed a fake security warning. Organizations using KnowledgeDeliver should verify their ASP.NET configuration and ensure that each installation uses unique machine keys to close this attack vector.
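Because the web shell leaves nothing on disk, the activity most visible to defenders is what the IIS worker process does next: spawning command shells and running icacls to loosen permissions. The Python detection logic below is an added example, not from the article or from Mandiant, run over constructed process-creation events. The field names (`parent_image`, `image`, `command_line`) are an assumed generic EDR or Sysmon-style schema, not a specific product's, and the paths and command lines are invented for illustration. It flags suspicious children of w3wp.exe and, separately, icacls grants of full or modify rights to broad principals such as Everyone.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events. Schema and values are assumptions of this example.
EVENTS: List[Dict[str, str]] = [
    {   # icacls spawned by the IIS worker, granting Everyone full control recursively
        "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "image": r"C:\Windows\System32\icacls.exe",
        "command_line": r'icacls "C:\inetpub\wwwroot\lms" /grant Everyone:(OI)(CI)F /T',
    },
    {   # command shell spawned by the IIS worker
        "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe /c whoami",
    },
    {   # an administrator granting read access from an interactive session: benign
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\icacls.exe",
        "command_line": r'icacls "D:\share" /grant "CORP\alice":(R)',
    },
    {   # conhost is routinely created for console children; not an alert on its own
        "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "image": r"C:\Windows\System32\conhost.exe",
        "command_line": r"\??\C:\Windows\System32\conhost.exe 0x4",
    },
]

IIS_WORKER = "w3wp.exe"
# Children an LMS worker process has no routine reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "icacls.exe", "cacls.exe",
    "net.exe", "certutil.exe", "rundll32.exe",
}
ACL_TOOLS = {"icacls.exe", "cacls.exe"}
# Principals that make a grant effectively world-accessible.
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "builtin\\users"}
# Simple rights that allow modifying or taking over the object.
BROAD_RIGHTS = {"F", "M"}

# icacls syntax: /grant[:r] <principal>:<perm>, where perm may carry inheritance flags.
GRANT_RE = re.compile(r'/grant(?::r)?\s+"?([^":]+)"?:(\S+)', re.IGNORECASE)
INHERIT_RE = re.compile(r"\((?:OI|CI|IO|NP|I)\)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def grant_is_broad(command_line: str) -> bool:
    """True if an icacls command grants F or M rights to a broad principal."""
    match = GRANT_RE.search(command_line)
    if not match:
        return False
    principal = match.group(1).strip().lower()
    rights = INHERIT_RE.sub("", match.group(2)).strip("()").upper()
    rights_set = {r.strip() for r in rights.split(",")}
    return principal in BROAD_PRINCIPALS and bool(rights_set & BROAD_RIGHTS)


def evaluate_event(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, reason) alerts for one process-creation event."""
    alerts: List[Tuple[str, str]] = []
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent == IIS_WORKER and child in SUSPICIOUS_CHILDREN:
        alerts.append(("high", f"{child} spawned by IIS worker process"))
    if child in ACL_TOOLS and grant_is_broad(event["command_line"]):
        severity = "high" if parent == IIS_WORKER else "medium"
        alerts.append((severity, "ACL grant of full/modify rights to a broad principal"))
    return alerts


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Run every event through the rules; return (event index, severity, reason)."""
    return [
        (index, severity, reason)
        for index, event in enumerate(events)
        for severity, reason in evaluate_event(event)
    ]


if __name__ == "__main__":
    for index, severity, reason in scan(EVENTS):
        print(f"[{severity.upper():6}] event {index}: {reason} :: {EVENTS[index]['command_line']}")
```

The parent-process rule is the higher-value one: w3wp.exe spawning cmd.exe or icacls.exe is rare in normal operation, so it stays useful even when the attacker changes the specific permissions they grant.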

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.
