What Happened
A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon. The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, leading to
Why It Matters
The article reports a now-patched high-severity vulnerability (CVE-2026-5426, CVSS 7.5) in the KnowledgeDeliver LMS, caused by hard-coded, shared ASP.NET machine keys in a vendor-supplied web.config, which enabled unauthenticated ViewState deserialization leading to remote code execution.[1][2] Attackers exploited this zero-day to deploy the Godzilla/BLUEBEAM web shell on internet-facing LMS servers, modify application JavaScript, and ultimately deliver Cobalt Strike beacons to end users.[1][2][4] From a CyberSE.AI perspective, this illustrates a broader supply chain risk for AI/ML and education platforms: when cryptographic secrets or configuration templates are shared across customer environments, a single key leak or config exposure can compromise many tenants, including any AI-driven analytics or recommendation modules integrated into the LMS. Organizations should treat third-party LMS and SaaS platforms as critical components in their AI supply chain, requiring SBOM-level visibility, configuration baselines (e.g., unique keys per deployment), and readiness assessments to ensure that upstream software flaws cannot be used as pivots into AI systems or training data environments.
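A configuration-baseline check for the "unique keys per deployment" point, as an added example that is not from the article or the vendor: it flags web.config files carrying literal `machineKey` material and groups deployments that share the same key. The file paths and key values are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config bodies; key values are placeholders, not real keys.
STATIC = ('<configuration><system.web><machineKey validationKey="0123ABCD0123ABCD" '
          'decryptionKey="4567EF014567EF01" validation="SHA1" decryption="AES"/>'
          '</system.web></configuration>')
SAMPLES = {
    "site-a/web.config": STATIC,
    "site-b/web.config": STATIC,  # same vendor template copied to a second deployment
    "site-c/web.config": ('<configuration><system.web><machineKey '
                          'validationKey="AutoGenerate,IsolateApps" '
                          'decryptionKey="AutoGenerate,IsolateApps"/>'
                          '</system.web></configuration>'),
    "site-d/web.config": "<configuration><system.web/></configuration>",
}

def static_key_fingerprint(xml_text):
    """Return a short SHA-256 fingerprint of literal machineKey material, else None."""
    literals = []
    for el in ET.fromstring(xml_text).iter():
        # Strip any XML namespace; this also catches <location>-scoped entries.
        if el.tag.split("}")[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = (el.get(attr) or "").strip()
            if value and not value.lower().startswith("autogenerate"):
                literals.append(f"{attr}={value.upper()}")
    if not literals:
        return None
    # Hash the material so the audit report never contains the key itself.
    return hashlib.sha256("|".join(sorted(literals)).encode()).hexdigest()[:16]

def find_shared_keys(configs):
    """Map fingerprint -> sorted paths, keeping only keys seen in more than one config."""
    by_fp = defaultdict(list)
    for path, xml_text in configs.items():
        fp = static_key_fingerprint(xml_text)
        if fp:
            by_fp[fp].append(path)
    return {fp: sorted(paths) for fp, paths in by_fp.items() if len(paths) > 1}

if __name__ == "__main__":
    for path, body in SAMPLES.items():
        print(path, "literal key" if static_key_fingerprint(body) else "no literal key")
    for fp, paths in find_shared_keys(SAMPLES).items():
        print(f"SHARED machineKey {fp}: {', '.join(paths)}")
```

Any fingerprint reported as shared means those deployments accept each other's signed ViewState, so each one needs its own freshly generated key.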
CyberSE Analysis
This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html