CVE-2026-5426 is a critical unauthenticated RCE vulnerability in KnowledgeDeliver LMS affecting all deployments prior to February 24, 2026. A hardcoded ASP.NET machine key was distributed identically across all customer installations, enabling any attacker with knowledge of the key to forge malicious ViewState payloads and achieve unauthenticated remote code execution on IIS. Post-exploitation activity observed in the wild includes Godzilla web shell deployment and Cobalt Strike beacon delivery via trojanized installers served to LMS end users.
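Because the exposure comes from one static machine key shipped to every installation, a defender can audit collected `web.config` files for explicitly set `machineKey` values and flag any key that appears on more than one host. The sketch below is an added example, not vendor or advisory code; the host names and hex key strings are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs; the hex strings are made-up placeholders, not real keys.
SHIPPED = """<configuration><system.web>
  <machineKey validationKey="AAAA1111BBBB2222CCCC3333DDDD4444" decryptionKey="EEEE5555FFFF6666"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""
ROTATED = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF" decryptionKey="FEDCBA9876543210"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""
FLEET = {"lms-a.example": SHIPPED, "lms-b.example": SHIPPED,
         "lms-c.example": ROTATED, "lms-d.example": AUTO}

def static_machine_keys(web_config_xml):
    """Return (attribute, fingerprint) for every explicitly set machineKey value."""
    found = []
    for el in ET.fromstring(web_config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an xmlns on older configs
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "AutoGenerate").strip()
            if not value.lower().startswith("autogenerate"):
                # Report a fingerprint so the secret itself never lands in a report.
                fp = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
                found.append((attr, fp))
    return found

def shared_keys(configs):
    """Map (attribute, fingerprint) to the sorted hosts that reuse the same key."""
    hosts_by_key = defaultdict(set)
    for host, xml_text in configs.items():
        for key in static_machine_keys(xml_text):
            hosts_by_key[key].add(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}

if __name__ == "__main__":
    for (attr, fp), hosts in sorted(shared_keys(FLEET).items()):
        print(f"{attr} sha256:{fp} reused on {', '.join(hosts)}")
```

A key that shows up on several hosts needs to be replaced with a unique per-installation value; a static key that is unique to one host is not flagged by `shared_keys` but is still listed by `static_machine_keys`.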