HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical Zero-Day in KnowledgeDeliver LMS (CVE-2026-5426) Enables Godzilla Web Shell and Cobalt Strike Deployment

A high‑severity zero‑day (CVE‑2026‑5426) in the KnowledgeDeliver LMS allowed threat actors to install the Godzilla web shell and launch Cobalt Strike beacons. The flaw, rooted in hard‑coded ASP.NET machine keys, was actively exploited before a patch was issued, posing significant data‑exposure and supply‑chain risks for educational and corporate training customers.

LiveThreat™ Intelligence · 📅 May 26, 2026· 📰 thehackernews.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
thehackernews.com

Critical Zero‑Day in KnowledgeDeliver LMS (CVE‑2026‑5426) Enables Godzilla Web Shell & Cobalt Strike Deployment

What It Is – A high‑severity (CVSS 7.5) zero‑day in the KnowledgeDeliver learning‑management system (LMS) allowed attackers to leverage hard‑coded ASP.NET machine keys to forge authentication tokens, upload the Godzilla web shell, and subsequently run Cobalt Strike beacons.

Exploitability – Actively exploited in the wild before vendor‑issued patch; proof‑of‑concept code publicly released.

Affected Products – Digital Knowledge KnowledgeDeliver LMS (all versions prior to 5.3.2) deployed primarily in Japanese educational institutions and corporate training environments.

TPRM Impact – The LMS sits in the supply chain of schools, universities, and enterprises; a compromise can expose student/employee data, serve as a foothold for lateral movement into connected systems, and damage the reputation of the vendor and its customers.

Recommended Actions

  • Apply the vendor’s patch (v5.3.2) immediately.
  • Rotate all ASP.NET machine keys and enforce unique keys per deployment.
  • Conduct a forensic scan for the Godzilla web shell and Cobalt Strike beacons on all LMS instances.
  • Review and tighten network segmentation for LMS traffic.
  • Update third‑party risk registers to reflect the new vulnerability and re‑assess risk scores for any organization still using the unpatched LMS.

Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →