EarlyNarratives
Pricing
Start free trialSign in
Start free trialSign in
Signal

Zero-day vulnerability in KnowledgeDeliver LMS exploited to deploy Cobalt Strike and Godzilla web shell

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-05-26 05:19 UTCUpdated 2026-05-26 16:18 UTC
rss
cveexploitsmalwareincident_response
Trend in the last 24h
Source links open
Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
BackEvidence (3)Get the free brief by emailStart free trial
No card needed for the free brief.
Evidence trail (top sources)
top sources (3 domains)domains are deduped. counts indicate coverage, not truth.
3 top sources shown
View all evidence
Overview

A critical zero-day vulnerability (CVE-2026-5426) in the Japanese Learning Management System KnowledgeDeliver was actively exploited before a patch was released.

Score total
1.29
Momentum 24h
3
Posts
3
Origins
3
Source types
1
Duplicate ratio
0%
Why now
  • The vulnerability was actively exploited before a patch was released, increasing urgency for remediation.
  • Recent disclosures raise awareness for organizations using KnowledgeDeliver LMS to update defenses.
  • Attackers leveraged the flaw to deploy sophisticated malware, reflecting evolving threat tactics.
Why it matters
  • Exploitation of a zero-day in an LMS underscores risks to educational and corporate sectors.
  • Hard-coded machine keys represent a critical security misconfiguration that can lead to remote code execution.
  • Deployment of Cobalt Strike signals potential for advanced persistent threats and lateral movement within networks.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: medium
Recurring claims
  • A zero-day vulnerability in KnowledgeDeliver LMS was exploited to deploy web shells and Cobalt Strike.
  • The vulnerability is due to hard-coded ASP.NET machine keys enabling ViewState deserialization attacks leading to remote code execution.
How sources frame it
  • The Hacker News: neutral
Consolidated multiple reports to provide a clear summary of the zero-day exploitation and its implications.
All evidence
All evidence
Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment
SecurityWeek · securityweek.com · 2026-05-26 11:14 UTC
KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
thehackernews · thehackernews.com · 2026-05-26 05:19 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 3Origin domains: 3Duplicates: -
Showing 3 / 0
Top publishers (this list)
  • SC Media (1)
  • SecurityWeek (1)
  • thehackernews (1)
Top origin domains (this list)
  • scworld.com (1)
  • securityweek.com (1)
  • thehackernews.com (1)