← Back to news

Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment

SecurityWeek26/05/2026, 11:14
Read full article →

Summary

AI-Generated

Key Points:

  • Threat actors exploited a zero-day vulnerability (CVE-2026-5426) in the KnowledgeDeliver learning management system to deploy web shells and backdoors.
  • The exploitation allowed attackers to execute commands on compromised systems, leading to the installation of Godzilla web shells and a Cobalt Strike backdoor, affecting numerous deployments primarily in Japan.
  • Organizations are advised to rotate machine keys, restrict access to the LMS, and monitor for indicators of compromise (IoCs) associated with this attack.

Technical Details: The vulnerability stems from hardcoded 'machineKey' values in the 'web.config' file, which enabled ViewState deserialization attacks. This allowed attackers to craft malicious payloads that compromised the server.

MITRE ATT&CK Techniques:

  • T1203 - Exploitation for Client Execution (Initial Access)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1047 - Windows Management Instrumentation (Execution)
  • T1105 - Ingress Tool Transfer (Command and Control)

IOCs Mentioned: None mentioned.

Join the discussion — sign up to comment, upvote, and save articles.

Discussion

or to comment
Loading...

Loading comments...

Join 5,000+ security professionals

Get access to curated threat intel, upvote articles, join discussions, and build your karma in the SOC community.