Critical Zero‑Day in KnowledgeDeliver LMS (CVE‑2026‑5426) Enables Godzilla Web Shell & Cobalt Strike Deployment
What It Is – A high‑severity (CVSS 7.5) zero‑day in the KnowledgeDeliver learning‑management system (LMS) allowed attackers to leverage hard‑coded ASP.NET machine keys to forge authentication tokens, upload the Godzilla web shell, and subsequently run Cobalt Strike beacons.
Exploitability – Actively exploited in the wild before vendor‑issued patch; proof‑of‑concept code publicly released.
Affected Products – Digital Knowledge KnowledgeDeliver LMS (all versions prior to 5.3.2) deployed primarily in Japanese educational institutions and corporate training environments.
TPRM Impact – The LMS sits in the supply chain of schools, universities, and enterprises; a compromise can expose student/employee data, serve as a foothold for lateral movement into connected systems, and damage the reputation of the vendor and its customers.
Recommended Actions –
- Apply the vendor’s patch (v5.3.2) immediately.
- Rotate all ASP.NET machine keys and enforce unique keys per deployment.
- Conduct a forensic scan for the Godzilla web shell and Cobalt Strike beacons on all LMS instances.
- Review and tighten network segmentation for LMS traffic.
- Update third‑party risk registers to reflect the new vulnerability and re‑assess risk scores for any organization still using the unpatched LMS.
Source: The Hacker News