Ravie LakshmananMay 26, 2026Vulnerability / Threat Intelligence

A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon.

The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, leading to unauthenticated remote code execution via a ViewState deserialization attack. The abuse of publicly disclosed ASP.NET machine keys by threat actors was first documented by Microsoft in February 2025.

"An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site," Google Mandiant and Google Threat Intelligence Group (GTIG) said.

The security flaw impacted Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026. It's worth noting that similar vulnerabilities in Sitecore Experience Manager (XM) and Gladinet CentreStack and TrioFox have also been exploited by threat actors.