Learning System Flaw Exploited in Attacks

A zero-day flaw in a popular enterprise learning system was used to deploy sophisticated malware like Godzilla and Cobalt Strike.

A critical, previously unknown security vulnerability in the KnowledgeDeliver Learning Management System (LMS) has been actively exploited in real-world attacks. The software, which is widely used in Japan, contained a high-severity flaw tracked as CVE-2026-5426. The root cause was the use of hard-coded ASP.NET machine keys, a fundamental security weakness that allowed attackers to bypass authentication and gain unauthorized access. Once inside, the attackers deployed a web shell known as Godzilla, which provided them with persistent remote control over the compromised server and served as the initial foothold for their campaign.

The exploitation of this vulnerability highlights the severe risks of hard-coded credentials in enterprise software. After establishing access with the Godzilla web shell, the attackers escalated their operation by deploying the Cobalt Strike Beacon. Cobalt Strike is a powerful post-exploitation tool often used by malicious actors to move across a network, steal data, and maintain long-term access. The use of such sophisticated tools indicates a well-resourced attacker. This incident is a critical reminder for organizations to vet their software supply chain and for developers to avoid insecure coding practices.

This attack shows how a single flaw, like a hard-coded key, can be a gateway for sophisticated tools like Cobalt Strike in enterprise systems.

Companies using the affected LMS faced significant security risks, including potential data breaches and network compromise from advanced persistent threats.