Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Critical Flaw in LMS Exploited for Cyber Attacks

Critical Flaw in LMS Exploited for Cyber Attacks

Posted on May 26, 2026 By CWS

A significant security vulnerability in the Digital Knowledge KnowledgeDeliver platform, a widely used Learning Management System (LMS) in Japan, was recently exploited to execute cyber attacks. This flaw, which has since been addressed, allowed attackers to deploy the Godzilla web shell and Cobalt Strike Beacon.

Understanding the Vulnerability

The vulnerability, identified as CVE-2026-5426 with a CVSS score of 7.5, was due to the use of hard-coded ASP.NET machine keys, which enabled unauthenticated remote code execution via a ViewState deserialization attack. In February 2025, Microsoft first documented the malicious use of these publicly disclosed keys by threat actors.

According to Google Mandiant and the Google Threat Intelligence Group, an unidentified threat actor exploited this flaw to inject harmful code into the LMS, intending to compromise users visiting the platform. The flaw affected KnowledgeDeliver deployments before February 24, 2026.

Impact and Similar Vulnerabilities

This security issue is similar to those found in Sitecore Experience Manager (XM) and Gladinet CentreStack, where threat actors have previously exploited such vulnerabilities. The root cause lies in the standardized web.config file from the vendor, containing machineKey values used by the ASP.NET framework for data encryption and signing.

Once a threat actor gains access to these keys, they can compromise other KnowledgeDeliver instances accessible via the internet. This exploitation has been linked to the deployment of the Godzilla web shell, enabling attackers to execute commands and drop additional malicious payloads.

Consequences and Mitigation Strategies

Attackers utilized this vulnerability to escalate control over the web server’s file system, granting broad access to unauthorized users. They also altered an application JavaScript file to display a misleading security alert, tricking users into downloading a fake security plugin.

The same unauthorized changes allowed a malicious script from an attacker-controlled domain to load stealthily. As a result, users were deceived into downloading a fake installer, leading to the installation of Cobalt Strike Beacon on their systems.

Google highlighted the dangers of shared secrets in deployment templates, emphasizing that a single compromised key could lead to significant security breaches. They recommend using unique secrets and robust endpoint monitoring to defend against similar deserialization attacks in the future.

These incidents underscore the importance of maintaining unique security measures and vigilant monitoring to protect against potential threats in online platforms.

The Hacker News Tags:ASP.NET, Cobalt Strike, Cybersecurity, deserialization attack, Godzilla web shell, LMS, security flaw, threat intelligence, Vulnerability, zero-day exploit

Post navigation

Previous Post: Cloud Atlas APT Exploits Windows for Multiple RDP Sessions
Next Post: Phishing Attacks Exploit RCS and iMessage to Evade Security

Related Posts

Critical RCE Flaws in Cisco ISE and ISE-PIC Allow Unauthenticated Attackers to Gain Root Access Critical RCE Flaws in Cisco ISE and ISE-PIC Allow Unauthenticated Attackers to Gain Root Access The Hacker News
North Korea-linked Supply Chain Attack Targets Developers with 35 Malicious npm Packages North Korea-linked Supply Chain Attack Targets Developers with 35 Malicious npm Packages The Hacker News
Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware The Hacker News
3 Decisions CISOs Need to Make to Prevent Downtime Risk in 2026 3 Decisions CISOs Need to Make to Prevent Downtime Risk in 2026 The Hacker News
RubyGems Halts New Accounts Amid Malicious Package Surge RubyGems Halts New Accounts Amid Malicious Package Surge The Hacker News
Securing Data in the AI Era Securing Data in the AI Era The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • New Windows Attack Method Evades Leading Security Tools
  • Injective Labs GitHub Breach Exposes Crypto Wallets
  • AI Gateways: Emerging Targets for Cyber Attacks
  • Hacker Server Leak Unveils Massive WordPress Breach
  • Critical Linux FUSE Flaw Allows Root Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • New Windows Attack Method Evades Leading Security Tools
  • Injective Labs GitHub Breach Exposes Crypto Wallets
  • AI Gateways: Emerging Targets for Cyber Attacks
  • Hacker Server Leak Unveils Massive WordPress Breach
  • Critical Linux FUSE Flaw Allows Root Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark