A now-patched high-severity vulnerability in Digital Knowledge's Learning Management System was exploited as a zero-day to deploy Godzilla web shell and Cobalt Strike Beacon, highlighting risks of hard-coded ASP.NET machine keys.
A critical security flaw in Digital Knowledge's Learning Management System (LMS), KnowledgeDeliver, was exploited as a zero-day vulnerability to deploy the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon. The vulnerability, tracked as CVE-2026-5426 with a CVSS score of 7.5, represents a significant threat to organizations using the popular Japanese LMS platform.

The vulnerability stems from the use of hard-coded ASP.NET machine keys in KnowledgeDeliver deployments. This design flaw allows attackers to perform unauthenticated remote code execution through a ViewState deserialization attack. According to Google Mandiant and Google Threat Intelligence Group (GTIG), an unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site.
"The ASP.NET ViewState persists page state across postbacks," explained Google researchers. "When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the threat actor can make the server deserialize it."
This vulnerability affected KnowledgeDeliver deployments prior to February 24, 2026, and is part of a broader pattern of similar issues in other enterprise software. Similar vulnerabilities in Sitecore Experience Manager (XM), Gladinet CentreStack, and TrioFox have also been exploited by threat actors, indicating a systemic problem with shared secrets in deployment templates.
The exploitation chain begins with attackers obtaining the hard-coded machine keys from one deployment, which can then be used to compromise other internet-facing KnowledgeDeliver instances. In the observed activity, attackers deployed the Godzilla (also known as BLUEBEAM) web shell, granting them the ability to run commands or drop additional payloads on compromised systems.
"The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization," Google noted. This level of customization suggests targeted attacks rather than widespread opportunistic exploitation.
The attack chain continued with attackers executing commands to escalate their control over the web server's file system by granting "Everyone" complete access to the web application directory. They then tampered with an application JavaScript file to include code that displayed a fake security alert, urging users to install a "security authentication plugin."
Simultaneously, the unauthorized modifications enabled the stealthy loading of a malicious script hosted on an attacker-controlled domain. This script convinced users to download a fake installer, ultimately infecting their machines with Cobalt Strike Beacon—a sophisticated post-exploitation tool commonly used by advanced persistent threats.
The exploitation of KnowledgeDeliver highlights the severe risks of using shared secrets in deployment templates. "A single leaked key can compromise an entire ecosystem of installations," Google researchers warned. "By implementing unique secrets and robust endpoint monitoring, organizations can defend against these deserialization attacks."
For organizations using KnowledgeDeliver or similar systems that rely on ASP.NET, the following mitigation strategies are recommended:
- Ensure all deployments use unique machine keys rather than vendor-provided defaults
- Implement regular security audits focusing on ViewState deserialization vulnerabilities
- Deploy web application firewalls with rules to detect and block ViewState tampering
- Monitor for unusual file system permission changes and unauthorized JavaScript modifications
- Educate users about the risks of installing browser plugins or security software from untrusted sources
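As an added example (not code from the article, Google, or Digital Knowledge), the audit below parses an ASP.NET web.config for the machineKey weaknesses the article describes and generates unique replacement keys; the sample config and the known-key set are constructed placeholders, and the key sizes assume Microsoft's guidance of 64 bytes for HMACSHA256 validation and 32 bytes for AES decryption.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config that mimics a template shipping fixed keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Placeholder set of keys known to be shared across deployments (for example
# lifted from a vendor template); populate it from your own inventory.
KNOWN_TEMPLATE_KEYS = {"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}

def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is accepted without a MAC")
    if mk is None:
        return findings  # no element: ASP.NET auto-generates per-machine keys
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.upper().startswith("AUTOGENERATE"):
            continue
        findings.append(f"{attr} is static: anyone holding it can forge ViewState")
        if value.upper() in KNOWN_TEMPLATE_KEYS:
            findings.append(f"{attr} matches a known shared template key")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("validation uses a legacy algorithm; prefer HMACSHA256 or stronger")
    if mk.get("decryption", "").upper() in ("3DES", "DES"):
        findings.append("decryption uses a legacy algorithm; prefer AES")
    return findings

def generate_unique_keys() -> dict[str, str]:
    """Fresh per-deployment keys as upper-case hex, the form web.config expects."""
    return {"validationKey": secrets.token_hex(64).upper(), "validation": "HMACSHA256",
            "decryptionKey": secrets.token_hex(32).upper(), "decryption": "AES"}

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```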
The incident underscores the importance of treating configuration files as sensitive assets that require proper protection. Hard-coded credentials or keys in application code create systemic risks that can be exploited at scale once discovered by threat actors.
Organizations should review their deployments of KnowledgeDeliver and any other systems using ASP.NET to ensure they have applied the latest security patches and implemented proper key management practices. The growing sophistication of these attacks demonstrates that traditional perimeter defenses are no longer sufficient to protect against advanced exploitation techniques targeting application vulnerabilities.
