1. Threat Overview
A high-severity security flaw (CVE-2026-5426) in Digital Knowledge KnowledgeDeliver LMS was exploited to deliver the Godzilla web shell and deploy Cobalt Strike Beacon. The vulnerability stems from hard-coded ASP.NET machine keys and impacts users of the Learning Management System. Attackers exploited it as a zero-day.
2. Key Intelligence Points
1. CVE-2026-5426 is a high-severity vulnerability in KnowledgeDeliver LMS, stemming from hard-coded ASP.NET machine keys.
2. The vulnerability affects KnowledgeDeliver LMS and has a CVSS score of 7.5, indicating high impact and moderate complexity.
3. Attackers exploited this zero-day vulnerability to deploy the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon.
4. Detection opportunities include monitoring for suspicious network traffic and unusual system behavior, as well as identifying Godzilla web shell and Cobalt Strike Beacon indicators of compromise.
3. MITRE ATT&CK Techniques
T1210 - Exploitation of Remote Services, T1204 - User Execution
4. Indicators of Compromise (IOCs) / Affected Systems
Godzilla web shell, Cobalt Strike Beacon, KnowledgeDeliver LMS version 2026.1.0 and earlier
5. Mitigation & Detection
Apply the latest patch for KnowledgeDeliver LMS, version 2026.1.1 or later, to remediate this vulnerability.
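
Because the flaw is a hard-coded ASP.NET machine key, a useful post-patch check is whether any installation still carries a fixed key, and whether the same one appears on several hosts. The following is an added example, not code from the vendor or this advisory; it assumes the keys sit in the standard `<machineKey>` element of `web.config` (the advisory does not say where the product stores them), and the host names, function names and key values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

KEY_ATTRS = ("validationKey", "decryptionKey")

def static_machine_keys(web_config_xml):
    """Return [(attribute, fingerprint)] for every explicitly set machineKey value."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for elem in root.iter("machineKey"):  # also matches keys nested under <location>
        for attr in KEY_ATTRS:
            value = elem.get(attr, "AutoGenerate").strip()
            if value.lower().startswith("autogenerate"):
                continue  # generated by the runtime, not a fixed value
            # Report a truncated SHA-256 fingerprint, never the key itself.
            fp = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
            findings.append((attr, fp))
    return findings

def keys_shared_across_hosts(configs):
    """Map fingerprint -> sorted hosts, for static keys seen on more than one host."""
    seen = defaultdict(set)
    for host, xml_text in configs.items():
        for _attr, fp in static_machine_keys(xml_text):
            seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

# Constructed sample configs (key values are placeholders, not real keys).
SAMPLE_STATIC = """<configuration><system.web>
  <machineKey validationKey="0123ABCD0123ABCD" decryptionKey="FEDC9876FEDC9876"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
SAMPLE_AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    fleet = {"lms-a": SAMPLE_STATIC, "lms-b": SAMPLE_STATIC, "lms-c": SAMPLE_AUTO}
    for fp, hosts in keys_shared_across_hosts(fleet).items():
        print(f"static machineKey {fp} shared by {hosts}")
```

A static key is not always wrong (web farms set one deliberately), so the finding to act on is a fingerprint that repeats across unrelated installations or that survives the upgrade to 2026.1.1.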