A significant security vulnerability in the Digital Knowledge KnowledgeDeliver platform, a widely used Learning Management System (LMS) in Japan, was recently exploited in attacks that deployed the Godzilla web shell and Cobalt Strike Beacon. The flaw has since been addressed.
Understanding the Vulnerability
The vulnerability, identified as CVE-2026-5426 with a CVSS score of 7.5, was due to the use of hard-coded ASP.NET machine keys, which enabled unauthenticated remote code execution via a ViewState deserialization attack. In February 2025, Microsoft first documented the malicious use of these publicly disclosed keys by threat actors.
According to Google Mandiant and the Google Threat Intelligence Group, an unidentified threat actor exploited this flaw to inject harmful code into the LMS, intending to compromise users visiting the platform. The flaw affected KnowledgeDeliver deployments before February 24, 2026.
Impact and Similar Vulnerabilities
This security issue is similar to those found in Sitecore Experience Manager (XM) and Gladinet CentreStack, where threat actors have previously exploited such vulnerabilities. The root cause lies in the standardized web.config file from the vendor, containing machineKey values used by the ASP.NET framework for data encryption and signing.
Because every deployment ships with the same keys, a threat actor who obtains them can use them against any other KnowledgeDeliver instance reachable from the internet. This exploitation has been linked to the deployment of the Godzilla web shell, which lets attackers execute commands and drop additional malicious payloads.
Consequences and Mitigation Strategies
Attackers used this foothold to gain broad control over the web server's file system. They also altered an application JavaScript file to display a misleading security alert that tricked users into downloading a fake security plugin.
The same unauthorized changes caused a malicious script from an attacker-controlled domain to load silently. As a result, users were deceived into running a fake installer, which installed Cobalt Strike Beacon on their systems.
Google highlighted the dangers of shared secrets in deployment templates, emphasizing that a single compromised key could lead to significant security breaches. They recommend using unique secrets and robust endpoint monitoring to defend against similar deserialization attacks in the future.
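The root cause described above (a vendor web.config template that carries the same machineKey values into every install) and Google's recommendation of unique secrets both reduce to one operational check: find hard-coded keys that match a shared value and replace them with keys generated per deployment. The Python script below is an added example, not code from the article, Google, or Digital Knowledge. The template web.config, its placeholder key values (runs of "A" and "B") and the fingerprint list are constructed for this example; in practice the fingerprint list would be built from the vendor's own templates and published lists of leaked keys.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-in for a vendor-template web.config shipped with every
# install. The key values are obvious placeholders, not real keys.
TEMPLATE_VALIDATION_KEY = "A" * 128
TEMPLATE_DECRYPTION_KEY = "B" * 64
TEMPLATE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{TEMPLATE_VALIDATION_KEY}"
                decryptionKey="{TEMPLATE_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def fingerprint(value: str) -> str:
    """SHA-256 of a key value, so a list of known-shared keys can be kept
    and distributed without storing the key material itself."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Fingerprints of machineKey values known to be shared across deployments.
# Constructed here from the placeholder template above.
KNOWN_SHARED_KEY_FINGERPRINTS = {
    fingerprint(TEMPLATE_VALIDATION_KEY),
    fingerprint(TEMPLATE_DECRYPTION_KEY),
}


def find_machine_key(config_xml: str):
    """Return the <machineKey> attributes from a web.config, or None if the
    element is absent (ASP.NET then generates keys per server at runtime)."""
    root = ET.fromstring(config_xml)
    element = root.find("./system.web/machineKey")
    return None if element is None else dict(element.attrib)


def audit_machine_key(config_xml: str) -> list:
    """Flag hard-coded validation/decryption keys that match a shared value."""
    findings = []
    machine_key = find_machine_key(config_xml)
    if machine_key is None:
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = machine_key.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue  # runtime-generated, not a hard-coded secret
        if fingerprint(value) in KNOWN_SHARED_KEY_FINGERPRINTS:
            findings.append(f"{attr} matches a known shared template key")
    return findings


def generate_machine_key() -> dict:
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with its machineKey replaced by unique random keys,
    creating the element if the template did not have one."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    element = system_web.find("machineKey")
    if element is None:
        element = ET.SubElement(system_web, "machineKey")
    for name, value in generate_machine_key().items():
        element.set(name, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(TEMPLATE_WEB_CONFIG):
        print("FINDING:", finding)
    print(rotate_machine_key(TEMPLATE_WEB_CONFIG))
```

Rotating the keys invalidates existing ViewState and forms-authentication tickets, so the change is done per application in a maintenance window; in a web farm the nodes of one application must share the same freshly generated keys, but no two applications or customers should. IIS Manager's Machine Key feature offers the same "Generate Keys" operation interactively.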
These incidents underscore the importance of maintaining unique security measures and vigilant monitoring to protect against potential threats in online platforms.
