Digital Knowledge LMS Zero-Day Deploys Malware

In May 2026, threat actors actively exploited a zero-day vulnerability in the popular Japanese Learning Management System Digital Knowledge KnowledgeDeliver to deliver malware. This high-severity flaw, CVE-2026-5426, enabled attackers to execute remote code on affected servers and deploy a web shell.

The vulnerability stemmed from hard-coded ASP.NET machine keys, a risk Microsoft first documented in February 2025. Consequently, any attacker obtaining these keys from one system could compromise other internet-facing installations.

Google Mandiant and the Google Threat Intelligence Group (GTIG) detailed the attack chain in a report. They stated “An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site.”

Attackers initially used the flaw to deploy the Godzilla web shell. Subsequently, they modified application files to display a fake security alert urging users to install a malicious plugin.

This fraudulent installer then infected machines with Cobalt Strike Beacon. Meanwhile, Google noted “The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization.”

The flaw impacted deployments prior to February 24, 2026, and similar issues have been exploited in other software like Sitecore Experience Manager. This incident highlights the severe risk of using shared secrets in deployment templates across an entire software ecosystem.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• Berkshire Sells 16 Stocks in 2026 as New CEO Reshapes Portfolio
• Burry Warns AI Boom Temporary; NVDA Underperforms
• Kelp DAO Recovers $293M in rsETH After Lazarus Hack
• BitMine to Join Russell 1000, Spurring ETF Buying Wave
• Crypto PACs Pour Millions into Texas Runoff Races