Attackers exploited a high-severity vulnerability in Digital Knowledge's KnowledgeDeliver learning management system to deploy the Godzilla web shell and Cobalt Strike Beacon. The flaw, tracked as CVE-2026-5426 with a CVSS score of 7.5, stems from hard-coded ASP.NET machine keys embedded in the application.
The vulnerability was exploited as a zero-day before Digital Knowledge released patches. Threat actors leveraged the weakness to gain initial access, install Godzilla, and subsequently deploy Cobalt Strike Beacon for command-and-control operations. Godzilla is a flexible web shell that offers remote code execution, while Cobalt Strike Beacon gives adversaries post-exploitation tooling for lateral movement and data exfiltration.
KnowledgeDeliver serves educational institutions and organizations across Japan and internationally. The use of hard-coded cryptographic keys represents a critical design flaw, as attackers can derive session tokens and bypass authentication mechanisms without valid credentials. This allows unauthenticated remote code execution directly on affected systems.
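An added example, not from Digital Knowledge or the original report: a defender-side audit that flags static `<machineKey>` values in ASP.NET `web.config` files and fingerprints them, so the same key appearing on several hosts stands out. It assumes the keys are visible in `web.config` (the page does not say where KnowledgeDeliver embeds them); the sample configs and host names are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from KnowledgeDeliver or any real product).
SAMPLE_STATIC = """<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="FFEEDDCCBBAA99887766554433221100"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

SAMPLE_AUTO = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
  </system.web>
</configuration>"""

KEY_ATTRS = ("validationKey", "decryptionKey")

def fingerprint(key_value):
    """Short SHA-256 fingerprint so keys can be compared across hosts without logging them."""
    return hashlib.sha256(key_value.strip().upper().encode()).hexdigest()[:16]

def audit_machine_keys(config_xml):
    """Return one finding per static (non-AutoGenerate) key attribute in a web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    # iter() also reaches <machineKey> elements nested under <location>.
    for elem in root.iter("machineKey"):
        for attr in KEY_ATTRS:
            value = elem.get(attr)
            # A missing attribute falls back to the framework default (auto-generated).
            if value is None or value.strip().lower().startswith("autogenerate"):
                continue
            findings.append({"attribute": attr, "fingerprint": fingerprint(value)})
    return findings

def shared_keys(configs):
    """Map fingerprint -> sorted hosts; more than one host means a shared static key."""
    seen = {}
    for host, xml_text in configs.items():
        for finding in audit_machine_keys(xml_text):
            seen.setdefault(finding["fingerprint"], set()).add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

if __name__ == "__main__":
    fleet = {"lms-a": SAMPLE_STATIC, "lms-b": SAMPLE_STATIC, "lms-c": SAMPLE_AUTO}
    print(audit_machine_keys(SAMPLE_STATIC))
    print(shared_keys(fleet))
```

A static key whose fingerprint matches across unrelated installs is a candidate for a vendor-shipped value and should be rotated to a unique, per-deployment key after patching.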
Organizations running unpatched versions face immediate risk. Attackers can compromise servers to establish persistent access, exfiltrate sensitive educational records and personal data, and pivot to connected internal networks. Educational institutions typically store student information, grades, contact details, and institutional research, making them high-value targets.
The exploitation chain demonstrates a sophisticated attack progression. Initial compromise through the LMS provides a foothold within trusted infrastructure. Godzilla deployment enables flexible command execution and reconnaissance. Cobalt Strike Beacon deployment indicates intent for sustained operations and network infiltration.
Digital Knowledge has released patches addressing CVE-2026-5426. Organizations using KnowledgeDeliver should apply updates immediately. Administrators should review access logs for indicators of compromise, including unexpected ASP.NET
