Summary
Key Points:
- A high-severity zero-day vulnerability (CVE-2026-5426) in Digital Knowledge KnowledgeDeliver LMS was exploited to deploy the Godzilla web shell and Cobalt Strike Beacon.
- The flaw allowed unauthenticated remote code execution through a ViewState deserialization attack, impacting all deployments prior to February 24, 2026, and enabling attackers to compromise multiple instances using hard-coded ASP.NET machine keys.
- Organizations are advised to implement unique secrets for deployments and enhance endpoint monitoring to mitigate risks associated with such vulnerabilities.
Technical Details: CVE-2026-5426 has a CVSS score of 7.5 and allows attackers to exploit hard-coded ASP.NET machine keys for remote code execution by crafting malicious ViewState payloads sent via HTTP requests.
MITRE ATT&CK Techniques:
- T1203 - Exploit Public-Facing Application (Initial Access)
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1041 - Exfiltration Over Command and Control Channel (Exfiltration)
IOCs Mentioned: None mentioned.
Join the discussion — sign up to comment, upvote, and save articles.