KnowledgeDeliver LMS Zero-Day Used to Deploy Godzilla & Cobalt Strike
A high-severity vulnerability (CVE-2026-5426, CVSS 7.5) in Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) widely used in Japan, was actively exploited as a zero-day to deliver the Godzilla (aka BLUEBEAM) web shell and ultimately deploy Cobalt Strike Beacon. The flaw, which affects deployments from before February 24, 2026, stemmed from hard-coded ASP.NET machine keys in a standardized web.config file provided by the vendor. Because the keys were shared by every installation, threat actors could perform unauthenticated remote code execution via ViewState deserialization. Google Mandiant and Google Threat Intelligence Group (GTIG) attributed the campaign to an as-yet unidentified threat actor who used the access to inject malicious code into the LMS platform, specifically targeting users visiting compromised sites. Similar vulnerabilities have been documented in Sitecore Experience Manager (XM), Gladinet CentreStack, and TrioFox, pointing to a broader pattern of hard-coded secrets in deployment templates. Organizations can check their exposure by running a port scanner to identify internet-facing LMS instances and a WHOIS lookup to review domain ownership and configuration history.
The attack chain began with exploitation of the ViewState deserialization vulnerability. When the machineKey is known, threat actors can craft malicious ViewState payloads and send them via the __VIEWSTATE HTTP parameter; the server accepts them as authentic, deserializes them, and executes the embedded code. Once inside, the attackers deployed the Godzilla web shell, giving them persistent command execution and the ability to drop additional payloads. Security researchers observed the threat actors granting "Everyone" full control over the web application directory, effectively removing the file system restrictions that would otherwise have limited them. The attackers then tampered with the application's JavaScript files to inject a fake security alert urging users to install a "security authentication plugin", a social engineering lure designed to trick legitimate users into downloading malware.
The final stage of the attack loaded a malicious script from an attacker-controlled domain, which convinced users to download a fake installer that infected their machines with Cobalt Strike Beacon. Notably, the payload was encrypted with a key bearing the name of the compromised organization, indicating the attack was customized for that specific target. Microsoft first documented the abuse of publicly disclosed ASP.NET machine keys in February 2025, warning that attackers who obtain keys from one deployment could compromise any other internet-facing instance using the same configuration. Security teams should audit their SSL/TLS configuration and verify that no hard-coded secrets remain in production web.config files. Administrators can also use a privacy checkup to ensure their LMS deployments are not leaking sensitive information or exposing unnecessary attack surface. The incident underscores the severe risk of using shared secrets in deployment templates and the importance of regularly rotating cryptographic keys in ASP.NET applications.
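As an added defensive example (not code from the advisory, from Digital Knowledge, or from Mandiant), the Python script below audits a web.config for the root cause described above: a static `<machineKey>` copied from a vendor template, weak validation or decryption algorithms, and key material that matches a list of already-published keys. It also produces a replacement element with freshly generated, deployment-unique keys. The sample configuration, its hex key values, and the "known published" hash set are all constructed for this example.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample of a vendor-style template that ships a static <machineKey>; the hex values are made up.
TEMPLATE_CONFIG = """<?xml version="1.0"?>
<configuration><system.web>
  <machineKey validationKey="{vk}" decryptionKey="{dk}" validation="SHA1" decryption="AES" />
</system.web></configuration>""".format(vk="AB" * 32, dk="CD" * 16)

# Constructed: SHA-256 digests of key material known to be public (here, the template's own validationKey).
KNOWN_PUBLISHED = {hashlib.sha256(("AB" * 32).encode()).hexdigest()}

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}   # HMACSHA256 or stronger is the sane choice today
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(config_xml: str, known_published=KNOWN_PUBLISHED) -> list[str]:
    """Return findings for the <machineKey> in a web.config; an empty list means nothing was flagged."""
    findings = []
    mk = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if mk is None:
        return findings  # keys are auto-generated per server, so nothing is shared between deployments
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        findings.append(f"{attr} is set statically; confirm it is unique to this deployment, not a template value")
        if hashlib.sha256(value.encode()).hexdigest() in known_published:
            findings.append(f"{attr} matches a published key: assume ViewState forgery is possible, rotate now")
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append(f"validation={mk.get('validation')} is weak; use HMACSHA256 or stronger")
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={mk.get('decryption')} is weak; use AES")
    return findings


def fresh_machine_key() -> str:
    """Build a replacement <machineKey> with random keys: 64-byte HMACSHA256 key, 32-byte AES key."""
    return ('<machineKey validationKey="{}" decryptionKey="{}" validation="HMACSHA256" decryption="AES" />'
            .format(secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))


if __name__ == "__main__":
    for finding in audit_machine_key(TEMPLATE_CONFIG):
        print("FINDING:", finding)
    print("Replacement element:", fresh_machine_key())
```

Run it against each production web.config; any deployment whose keys match the vendor template (or any other published key) needs new keys, and existing ViewState MACs from the old key must be treated as untrusted once rotation is done.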