
KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

A vulnerability in the KnowledgeDeliver Learning Management System, tracked as CVE-2026-5426, has been actively exploited by threat actors to deploy advanced post-exploitation tooling. Attackers used the initial foothold to install the Godzilla webshell for persistent access and Cobalt Strike beacons for command-and-control and lateral movement capabilities. The exploitation predates February 24, 2026, suggesting the vulnerability was either a zero-day at the time of initial compromise or was exploited rapidly after disclosure. LMS platforms represent an attractive target because they often store personally identifiable information for large user populations and typically sit outside the scope of aggressive vulnerability management programs. Organizations running KnowledgeDeliver should treat this as a critical incident requiring immediate investigation for indicators of prior compromise, not just patching.



Sources