CVE-2026-5426 in KnowledgeDeliver LMS exploits a hardcoded ASP.NET machineKey shipped in every default installation, enabling unauthenticated remote code execution via ViewState deserialization. Vendor and IR disclosures confirm active exploitation including Godzilla in-memory web shell deployment and Cobalt Strike beacon delivery via trojanized installers. A vendor patch has been available since February 24, 2026; any unpatched deployment running a default web.config is actively exploitable and must be treated as a priority remediation.