KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

CVE-2026-5426 in KnowledgeDeliver LMS lets attackers drop Godzilla web shells and Cobalt Strike via ViewState deserialization — traced to hard-coded ASP.NET machine keys.

What’s new: A high-severity vulnerability (CVE-2026-5426, CVSS score: 7.5) in the Digital Knowledge KnowledgeDeliver LMS has been actively exploited to deploy the Godzilla web shell and Cobalt Strike Beacon. The flaw stems from hard-coded ASP.NET machine keys in the vendor’s default web.config file, allowing unauthenticated remote code execution via ViewState deserialization attacks. All KnowledgeDeliver deployments prior to February 24, 2026 are vulnerable.

Who’s affected

Organisations running Digital Knowledge KnowledgeDeliver LMS — particularly those using the vendor’s standardised web.config with hard-coded machineKey values — are directly at risk of full remote compromise.

What to do

  • Patch KnowledgeDeliver to the latest version immediately to close the deserialization attack surface.
  • Replace hard-coded machine keys with unique, randomly generated secrets across all instances.
  • Enhance endpoint and web server monitoring to detect Godzilla web shell activity or Cobalt Strike beacon callbacks.
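One way to act on the machine-key step, as an added example rather than vendor or original-page code: audit web.config files for static machineKey values, group instances that share the same key, and emit a fresh replacement element. The file paths, sample keys and the HMACSHA256/AES algorithm choice are assumptions made for illustration.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs; keys are placeholders, not the vendor's values.
STATIC = ('<configuration><system.web><machineKey validationKey="%s" '
          'decryptionKey="%s" validation="HMACSHA256" decryption="AES"/>'
          '</system.web></configuration>' % ("AB" * 32, "CD" * 32))
AUTO = ('<configuration><system.web><machineKey '
        'validationKey="AutoGenerate,IsolateApps" '
        'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>')
SAMPLES = {"lms-a/web.config": STATIC, "lms-b/web.config": STATIC,
           "lms-c/web.config": AUTO}


def static_key_fingerprint(config_xml):
    """Return a short SHA-256 fingerprint of static machine keys, else None."""
    node = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if node is None:
        return None  # no element: ASP.NET auto-generates keys per application
    keys = [node.get(a, "") for a in ("validationKey", "decryptionKey")]
    static = [k.upper() for k in keys if k and not k.lower().startswith("autogenerate")]
    if not static:
        return None
    # Hash the keys so audit output never contains the secret itself.
    return hashlib.sha256("|".join(static).encode()).hexdigest()[:16]


def audit(configs):
    """Map fingerprint -> sorted paths of instances carrying that static key."""
    groups = defaultdict(list)
    for path, xml_text in configs.items():
        fp = static_key_fingerprint(xml_text)
        if fp:
            groups[fp].append(path)
    return {fp: sorted(paths) for fp, paths in groups.items()}


def new_machine_key():
    """Replacement element with fresh random 32-byte keys (assumed algorithms)."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="HMACSHA256" decryption="AES" />'
            % (secrets.token_hex(32).upper(), secrets.token_hex(32).upper()))


if __name__ == "__main__":
    for fp, paths in audit(SAMPLES).items():
        print(fp, "SHARED" if len(paths) > 1 else "static", paths)
    print(new_machine_key())
```

A fingerprint that appears on more than one instance means those instances trust each other's signed ViewState, so each one needs its own generated key rather than a single new shared value.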