Security News

Cybersecurity news aggregator

HIGH Vulnerabilities SC Media

Zero-day vulnerability in Japanese LMS exploited to deploy Cobalt Strike

A high-severity zero-day vulnerability (CVE-2026-5426, CVSS 7.5) in the Digital Knowledge KnowledgeDeliver LMS allows unauthenticated remote code execution via hard-coded ASP.NET machine keys, enabling ViewState deserialization attacks. Threat actors exploited this to deploy a Godzilla web shell and a targeted Cobalt Strike beacon by modifying JavaScript files to deliver a malicious installer. The article does not specify affected or fixed version information.

Vulnerability Management | May 26, 2026 | By SC Staff

A high-severity security flaw in Digital Knowledge KnowledgeDeliver, a popular learning management system (LMS) in Japan, was exploited as a zero-day vulnerability, according to Google Mandiant and Google Threat Intelligence Group (GTIG). This exploitation allowed attackers to deploy the Godzilla web shell and ultimately facilitate the installation of a Cobalt Strike beacon, as reported by The Hacker News.

The vulnerability, CVE-2026-5426, stems from the use of hard-coded ASP.NET machine keys within the LMS. This allowed for unauthenticated remote code execution through a ViewState deserialization attack. Threat actors could obtain these keys from one compromised instance and use them to attack other internet-facing KnowledgeDeliver deployments.

Attackers leveraged this access to inject malicious code, deploy the Godzilla web shell, and escalate privileges. They then modified JavaScript files to display fake security alerts, tricking users into downloading a malicious installer that delivered Cobalt Strike. The payload was encrypted with a key specific to the compromised organization, indicating targeted preparation.

Source: The Hacker News
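A defender-side check for the root cause described above, as an added example that is not from the article or the vendor: it parses web.config content, flags `<machineKey>` elements that carry static keys, and reports key fingerprints shared across hosts. The host names and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs; key values are made-up placeholders, not real keys.
SITE_A = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
SITE_B = SITE_A  # second deployment shipped with the same static keys
SITE_C = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""
SITE_D = "<configuration><system.web /></configuration>"  # no element: keys are auto-generated
FLEET = {"lms-a": SITE_A, "lms-b": SITE_B, "lms-c": SITE_C, "lms-d": SITE_D}

def audit_machine_key(web_config_xml):
    """Return (attribute, fingerprint) for every static key in a web.config."""
    findings = []
    for elem in ET.fromstring(web_config_xml).iter():
        # Strip an XML namespace prefix if the config declares one.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr, "AutoGenerate")
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue  # per-machine generated key, not hard-coded
            # Record a truncated hash so the secret itself never reaches a report.
            fp = hashlib.sha256(value.strip().upper().encode()).hexdigest()[:16]
            findings.append((attr, fp))
    return findings

def shared_keys(configs):
    """Map (attribute, fingerprint) -> hosts, for keys present on more than one host."""
    seen = {}
    for host, xml_text in configs.items():
        for finding in audit_machine_key(xml_text):
            seen.setdefault(finding, set()).add(host)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for host, text in FLEET.items():
        print(host, audit_machine_key(text) or "auto-generated keys")
    for (attr, fp), hosts in shared_keys(FLEET).items():
        print(f"SHARED {attr} {fp}: {', '.join(hosts)}")
```

Any static key is worth reviewing; a fingerprint that repeats across hosts means one compromised instance exposes the others, which is the condition the article describes.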