CVE-2026-5426 in Digital Knowledge’s KnowledgeDeliver LMS allows unauthenticated remote code execution via ASP.NET ViewState deserialization, exploiting hard-coded machine keys shipped in the vendor’s default web.config. Active exploitation has been confirmed with Godzilla web shell deployment, filesystem permission abuse, JavaScript tampering for watering hole delivery, and Cobalt Strike Beacon installation. Any unpatched KnowledgeDeliver instance can be fully compromised by any party who has extracted the static machine key from any other installation of the same product.
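
A defensive check for the condition described above, as an added example that is not vendor or advisory code: it flags web.config files whose `<machineKey>` carries static values instead of `AutoGenerate`, and reports hosts that share the same key, comparing fingerprints rather than the keys themselves. The sample configs, key values and host names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs (not the vendor's real file or keys).
SAMPLE_STATIC = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""
SAMPLE_AUTO = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""
SAMPLE_NONE = "<configuration><system.web /></configuration>"


def audit_machine_key(config_xml):
    """Return one finding per static key attribute found in a web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    # Walk every element so <machineKey> under <location> is covered too;
    # strip any XML namespace prefix before comparing the tag name.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "AutoGenerate")  # absent attribute = auto
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue  # generated per machine, not shipped in the file
            # Report a fingerprint, never the key, so results can be shared.
            fp = hashlib.sha256(value.strip().upper().encode()).hexdigest()[:16]
            findings.append({"attribute": attr, "fingerprint": fp})
    return findings


def shared_keys(configs):
    """Map fingerprint -> hosts for static keys seen on more than one host."""
    seen = {}
    for host, xml_text in configs.items():
        for finding in audit_machine_key(xml_text):
            seen.setdefault(finding["fingerprint"], set()).add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    fleet = {"lms-a": SAMPLE_STATIC, "lms-b": SAMPLE_STATIC, "lms-c": SAMPLE_AUTO}
    print(audit_machine_key(SAMPLE_STATIC))
    print(shared_keys(fleet))
```

A static key that appears on more than one host, or that matches a fingerprint taken from a fresh default install, indicates the shipped key is still in use and should be rotated to a unique value per deployment.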