A previously disclosed KnowledgeDeliver LMS vulnerability, CVE-2026-5426, has been reported as actively exploited in zero-day attacks that deployed the Godzilla web shell and later Cobalt Strike Beacon.
A vulnerability in Digital Knowledge’s KnowledgeDeliver learning management system is being used in active attacks, according to new threat-intelligence reporting.
The flaw, tracked as CVE-2026-5426, was previously documented by the National Vulnerability Database in April and attributed to a hard-coded ASP.NET/IIS machineKey issue that can lead to remote code execution through malicious ViewState deserialization.
What investigators say
The latest reporting says attackers used the issue as a zero-day to gain access, deploy the Godzilla web shell, and then move to Cobalt Strike Beacon for post-exploitation activity.
The reporting ties the exploitation to KnowledgeDeliver, which Digital Knowledge markets as an LMS product used in Japan. Public reporting also says the activity was linked to Mandiant and Google Threat Intelligence findings.
What is known now
The confirmed record shows the vulnerability exists, affects KnowledgeDeliver, and can support remote code execution. The newer reporting shows it was actively exploited, but the public details remain narrow.
Open questions include which threat actor was responsible, how many organizations were affected, and whether attackers stole data beyond initial web-shell access and Cobalt Strike deployment.
For now, the incident adds another example of a previously known software flaw being turned into a live intrusion path before many users had a chance to respond.
Revision note
Initial automated publication.
