- A critical vulnerability (CVE-2026-5426) in the Japanese LMS Digital Knowledge KnowledgeDeliver allowed unauthenticated remote code execution.
- Attackers exploited this flaw as a zero-day to deploy the Godzilla web shell and ultimately install the Cobalt Strike Beacon malware on users’ machines.
- The root cause was hard-coded ASP.NET machine keys in the vendor’s web.config file, allowing a secret from one deployment to compromise others.
- Google researchers confirmed the attack, noting the final payload was customized for the targeted organization.
In May 2026, threat actors actively exploited a zero-day vulnerability in the popular Japanese Learning Management System Digital Knowledge KnowledgeDeliver to deliver malware. This high-severity flaw, CVE-2026-5426, enabled attackers to execute remote code on affected servers and deploy a web shell.
The vulnerability stemmed from hard-coded ASP.NET machine keys, a risk Microsoft first documented in February 2025. Consequently, any attacker obtaining these keys from one system could compromise other internet-facing installations.
Google Mandiant and the Google Threat Intelligence Group (GTIG) detailed the attack chain in a report. They stated, “An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site.”
Attackers initially used the flaw to deploy the Godzilla web shell. Subsequently, they modified application files to display a fake security alert urging users to install a malicious plugin.
This fraudulent installer then infected machines with Cobalt Strike Beacon. Google also noted, “The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization.”
The flaw impacted deployments prior to February 24, 2026, and similar issues have been exploited in other software like Sitecore Experience Manager. This incident highlights the severe risk of using shared secrets in deployment templates across an entire software ecosystem.
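
For defenders, the shared-secret condition described above can be checked directly. The following Python script is an added example, not code from the vendor or from Google's report: it scans `web.config` contents for literal `machineKey` values and reports any key that appears in more than one deployment. The file paths, key values and function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs; the hex values are dummies, not real keys.
_STATIC = ('<configuration><system.web><machineKey validationKey="AB12CD34EF56" '
           'decryptionKey="0011223344556677" validation="HMACSHA256" '
           'decryption="AES"/></system.web></configuration>')
_AUTO = ('<configuration><system.web><machineKey '
         'validationKey="AutoGenerate,IsolateApps" '
         'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>')
SAMPLE_CONFIGS = {
    "site-a/web.config": _STATIC,   # vendor template copied as-is
    "site-b/web.config": _STATIC,   # same template, second deployment
    "site-c/web.config": _AUTO,     # keys generated per machine
}

def is_static(value):
    """True when the attribute holds a literal key instead of AutoGenerate."""
    return bool(value) and not value.strip().lower().startswith("autogenerate")

def audit_machine_keys(configs):
    """Return (findings, shared) for a {path: web.config text} mapping.

    findings: (path, attribute, fingerprint) for every literal key.
    shared:   {(attribute, fingerprint): [paths]} for keys seen more than once.
    Keys are reported as truncated SHA-256 fingerprints, never in clear.
    """
    findings, seen = [], defaultdict(list)
    for path, text in configs.items():
        for mk in ET.fromstring(text).iter("machineKey"):
            for attr in ("validationKey", "decryptionKey"):
                value = mk.get(attr)
                if is_static(value):
                    fp = hashlib.sha256(value.strip().upper().encode()).hexdigest()[:12]
                    findings.append((path, attr, fp))
                    seen[(attr, fp)].append(path)
    shared = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return findings, shared

if __name__ == "__main__":
    findings, shared = audit_machine_keys(SAMPLE_CONFIGS)
    for path, attr, fp in findings:
        print(f"static {attr} in {path} (sha256:{fp})")
    for (attr, fp), paths in shared.items():
        print(f"SHARED {attr} sha256:{fp} across {', '.join(paths)}")
```

Any key reported as shared should be treated as disclosed and replaced with a value unique to each deployment.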
