Attackers exploited a critical zero-day vulnerability in KnowledgeDeliver, a learning management system, to install the Godzilla web shell on compromised servers. The flaw remains unpatched, leaving organizations running the software exposed to active exploitation.
KnowledgeDeliver operates as a web-based LMS used by educational institutions and enterprises to manage course content and student data. The zero-day allows remote attackers to achieve code execution without authentication. Once inside, threat actors deployed Godzilla, a sophisticated web shell that grants persistent access and command execution capabilities.
Web shells like Godzilla function as backdoors. They enable attackers to execute arbitrary commands on the server, download sensitive files, and maintain access even after the initial vulnerability is patched. Godzilla specifically includes obfuscation features to evade detection by security tools.
Organizations running KnowledgeDeliver face immediate risk. The vulnerability affects internet-facing systems, so vulnerable instances are easy for attackers to locate. Educational institutions storing student records, course materials, and personal information face particularly high exposure. Compromised servers could lead to data theft, system disruption, and lateral movement into connected networks.
The attack chain follows a common pattern. Attackers scan the internet for vulnerable KnowledgeDeliver instances, exploit the zero-day to gain access, then deploy Godzilla to establish persistence. From there, they can exfiltrate data or use the compromised server as a staging point for broader attacks.
Users of KnowledgeDeliver should immediately assume their systems are at risk if exposed to the internet. Network monitoring for suspicious outbound connections or unusual command execution may detect Godzilla activity. Organizations should isolate affected servers from sensitive networks and conduct forensic analysis for signs of compromise.
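A web shell is reached over HTTP like any other server-side script, so one practical detection signal is POST traffic to a script path the application never served before. The script below is an added example written for this article, not code from the article, from the KnowledgeDeliver vendor, or from any Godzilla analysis: it parses combined-format access log lines and reports POSTs to script paths outside a known-endpoint baseline. The log lines, IP addresses and the endpoint baseline are all constructed for illustration; a real deployment would build the baseline from the application's actual routes.

```python
"""Flag POST requests to script paths that are not part of a known-endpoint baseline.

Added example code (not from the article or the product). The endpoint list and
the access log lines below are constructed for illustration only.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Server-side script extensions worth watching for unexpected POST targets.
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".aspx", ".ashx")

# Constructed baseline of endpoints the application is known to serve (hypothetical names).
KNOWN_ENDPOINTS = {"/login.jsp", "/course/list.jsp", "/course/view.jsp"}

# Constructed sample access log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:01:09 +0000] "POST /login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2025:10:02:30 +0000] "GET /course/list.jsp HTTP/1.1" 200 9823 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2025:10:02:41 +0000] "POST /course/view.jsp?id=3 HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
198.51.100.77 - - [10/May/2025:10:05:11 +0000] "POST /upload/tmp/x.jsp HTTP/1.1" 200 57 "-" "-"
198.51.100.77 - - [10/May/2025:10:05:12 +0000] "POST /upload/tmp/x.jsp HTTP/1.1" 200 1904 "-" "-"
198.51.100.77 - - [10/May/2025:10:05:14 +0000] "POST /upload/tmp/x.jsp HTTP/1.1" 200 88213 "-" "-"
203.0.113.5 - - [10/May/2025:10:06:00 +0000] "GET /static/logo.png HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
"""


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so /x.jsp?a=1 and /x.jsp are counted as the same path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_suspect_posts(lines, known=KNOWN_ENDPOINTS):
    """Return {path: {"count": n, "ips": set}} for POSTs to script paths outside the baseline."""
    hits = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"]
        if not path.lower().endswith(SCRIPT_EXT) or path in known:
            continue
        hits[path]["count"] += 1
        hits[path]["ips"].add(rec["ip"])
    return dict(hits)


def main():
    for path, info in find_suspect_posts(SAMPLE_LOG.splitlines()).items():
        print(f"{path}: {info['count']} POST(s) from {sorted(info['ips'])}")


if __name__ == "__main__":
    main()
```

On the constructed sample this reports the three POSTs to `/upload/tmp/x.jsp` and nothing else; the login and course endpoints are in the baseline and the static image is not a script. The check is deliberately content-agnostic, since the article notes that Godzilla obfuscates its traffic to evade signature-based tools: it keys on where requests go rather than what they carry, so a shell dropped under a writable directory stands out even when its payloads are encrypted. Hits should be confirmed by checking the web root for the file and its creation time.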
The vendor must release a patch urgently. Until then, network segmentation and restricting
