Hackers Exploit KnowledgeDeliver Zero-Day Vulnerability, Deploy Web Shells
Hackers have exploited a zero-day vulnerability in the KnowledgeDeliver learning management system (LMS), Google-owned Mandiant reports. The system, developed by Digital Knowledge, is used primarily in Japan for enterprise and educational e-learning. The vulnerability, tracked as CVE-2026-5426 with a CVSS score of 7.5, arises from a standardized 'web.config' file that ships with hardcoded 'machineKey' values. In the ASP.NET framework these keys are used to encrypt and sign data, including ViewState, so anyone holding a copy of the shared file can produce ViewState that the application accepts as authentic. That let threat actors carry out ViewState deserialization attacks, leading to remote code execution.

The attackers deployed Godzilla web shells, also known as Bluebeam, which enabled them to execute additional commands and payloads on compromised systems. The attack also involved modifying access permissions and injecting malicious scripts into application JavaScript files, ultimately leading to the installation of a Cobalt Strike backdoor.
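The root cause described above is a configuration weakness that defenders can audit for directly: a 'machineKey' whose 'validationKey' or 'decryptionKey' is a static literal in a vendor-supplied web.config, rather than per-deployment or auto-generated keys. The script below is an added example, not code from the article, Mandiant or Digital Knowledge. It parses web.config files, flags static keys and weak algorithm choices, and fingerprints the keys so that several installations can be compared to spot the "same key everywhere" pattern without copying the key material around. The two sample configs and the hex keys in them are constructed for the demo; they are not the KnowledgeDeliver values.

```python
"""Audit ASP.NET web.config files for machineKey weaknesses.

Added example, not code from the article, Mandiant or Digital Knowledge.
The sample configs are constructed; DUMMY_KEY is a placeholder, not any
real product key.
"""
import hashlib
import xml.etree.ElementTree as ET

# Algorithms ASP.NET still accepts in <machineKey> but that are weak today.
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def key_fingerprint(value: str) -> str:
    """SHA-256 prefix of a key so installs can be compared without sharing the key."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def find_machine_key(root: ET.Element):
    """Return the <machineKey> element under <system.web>, or None if absent."""
    for system_web in root.iter("system.web"):
        mk = system_web.find("machineKey")
        if mk is not None:
            return mk
    return None


def audit_machine_key(config_xml: str) -> dict:
    """Audit one web.config; returns {'findings': [...], 'fingerprints': {attr: fp}}."""
    root = ET.fromstring(config_xml)
    findings, fingerprints = [], {}
    mk = find_machine_key(root)
    if mk is None:
        # When the element is absent ASP.NET generates per-machine, per-app keys.
        findings.append("no explicit <machineKey>; framework default AutoGenerate,IsolateApps applies")
        return {"findings": findings, "fingerprints": fingerprints}

    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue  # generated on the host, so not shared across customers
        fingerprints[attr] = key_fingerprint(value)
        findings.append(
            f"{attr} is a static literal in web.config; every install shipping this file "
            f"shares it, so ViewState can be signed/decrypted by anyone holding the file "
            f"(fingerprint {fingerprints[attr]})"
        )

    # Defaults below assume .NET 4.x (validation=HMACSHA256, decryption=Auto).
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"weak validation algorithm {validation}; use HMACSHA256 or stronger")
    decryption = mk.get("decryption", "Auto").upper()
    if decryption in WEAK_DECRYPTION:
        findings.append(f"weak decryption algorithm {decryption}; use AES")
    return {"findings": findings, "fingerprints": fingerprints}


def find_shared_keys(configs: dict) -> dict:
    """Map validationKey fingerprint -> hosts, keeping only keys seen on more than one host.

    Unrelated installs sharing one key is the vendor-default pattern behind this advisory.
    """
    by_fp = {}
    for host, xml in configs.items():
        fp = audit_machine_key(xml)["fingerprints"].get("validationKey")
        if fp:
            by_fp.setdefault(fp, []).append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed samples. DUMMY_KEY is a placeholder, not a real product key.
DUMMY_KEY = "AB" * 64  # 128 hex chars, the size of an HMACSHA512 validationKey
VENDOR_DEFAULT_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{DUMMY_KEY}" decryptionKey="{'CD' * 32}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("vendor default", VENDOR_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_machine_key(cfg)["findings"])
    fleet = {"lms-a": VENDOR_DEFAULT_CONFIG, "lms-b": VENDOR_DEFAULT_CONFIG, "lms-c": HARDENED_CONFIG}
    print("shared keys:", find_shared_keys(fleet))
```

Run it against the web.config of each deployment (the path depends on where the product is installed; the script takes the XML text, not a fixed path). 'AutoGenerate,IsolateApps' is the right answer for a single server; a web farm needs an explicit key, but one generated per customer at deployment time and kept out of the vendor's installation package, which is the property the fingerprint comparison checks.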