Cyber Threat Pulse

KnowledgeDeliver LMS zero-day (CVE-2026-5426) exploited with BLUEBEAM web shell

A zero-day in KnowledgeDeliver LMS (CVE-2026-5426) is being actively exploited to deploy the BLUEBEAM web shell. The root cause is shared ASP.NET machine keys. Mandiant provides detailed IoCs and detection guidance. The exploitation targets educational and enterprise LMS deployments.

Updated May 27, 2026