A high-severity security flaw in Digital Knowledge KnowledgeDeliver, a popular learning management system (LMS) in Japan, was exploited as a zero-day vulnerability, according to Google Mandiant and Google Threat Intelligence Group (GTIG). This exploitation allowed attackers to deploy the Godzilla web shell and ultimately facilitate the installation of a Cobalt Strike beacon, as reported by The Hacker News.The vulnerability, CVE-2026-5426, stems from the use of hard-coded ASP.NET machine keys within the LMS. This allowed for unauthenticated remote code execution through a ViewState deserialization attack. Threat actors could obtain these keys from one compromised instance and use them to attack other internet-facing KnowledgeDeliver deployments.Attackers leveraged this access to inject malicious code, deploy the Godzilla web shell, and escalate privileges. They then modified JavaScript files to display fake security alerts, tricking users into downloading a malicious installer that delivered Cobalt Strike. The payload was encrypted with a key specific to the compromised organization, indicating targeted preparation.Source: The Hacker News
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



