A high-severity zero-day vulnerability in KnowledgeDeliver, a learning management system (LMS) developed by Digital Knowledge and widely used across Japanese educational institutions and corporations, has been actively exploited in the wild to install the Godzilla web shell and deploy Cobalt Strike Beacon implants.
The vulnerability, now patched, allowed attackers to achieve unauthenticated remote code execution (RCE) on affected servers. The Hacker News reported that the flaw had been exploited before a patch was available, making it a zero-day at the time of the observed attacks.
Technical Overview
KnowledgeDeliver is a commercial LMS platform with a significant install base in Japan, used for corporate training programs, higher education, and government-affiliated learning initiatives. Its relatively high-value target profile — often containing employee or student PII and authentication credentials — makes it attractive for threat actors looking to establish persistent footholds in organizational networks.
The exploited vulnerability allowed unauthenticated attackers to inject malicious code into the application server. Upon successful exploitation, the attackers deployed:
Godzilla Web Shell — A feature-rich, open-source web shell written in Java, commonly used by Chinese-nexus threat actors. Godzilla supports encrypted communications, file management, command execution, and database access, making it a powerful post-exploitation tool once installed on a server.
Cobalt Strike Beacon — A commercial penetration testing framework widely misused by threat actors. Once deployed, Cobalt Strike enables attackers to perform lateral movement and credential harvesting and to establish persistent command-and-control (C2) channels within compromised environments.
The combination of Godzilla for initial persistence and Cobalt Strike for deeper network penetration is a well-documented pattern among advanced persistent threat (APT) groups with links to state-sponsored operations.
Attribution and Context
Researchers noted the tools and techniques used in these attacks align with tactics, techniques, and procedures (TTPs) associated with China-linked threat actors, though no definitive attribution has been publicly confirmed. The use of Godzilla in particular is frequently observed in intrusion sets attributed to Chinese APT clusters.
The targeting of Japanese organizations and LMS platforms follows a broader trend of state-aligned actors focusing on educational and corporate training infrastructure as pivot points into more sensitive internal systems.
Patch Status
Digital Knowledge has released a patch for the vulnerability. Organizations running KnowledgeDeliver are urged to apply the update immediately. The CVE identifier for this vulnerability has not been publicly disclosed in current reporting but is expected to be published alongside the vendor's security advisory.
Indicators of Compromise
Organizations should inspect their KnowledgeDeliver servers for:
- Unexpected .jsp or .jspx files in web-accessible directories
- Unusual outbound network connections on non-standard ports
- Godzilla web shell artifacts: encrypted POST requests to uncommon URI paths
- Cobalt Strike beacon patterns: HTTP/S callbacks at regular intervals to external IPs
- Evidence of credential dumping or lateral movement from the LMS host
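The two log-based checks from the list above, written here in Python as an added example that is not from the report or from Digital Knowledge: flagging POST requests to .jsp/.jspx paths outside a baseline of the deployment's legitimate endpoints, and spotting (client, path) pairs requested at a near-constant cadence. The log lines, the /kd/ paths and the baseline set are constructed; the cadence check applies equally to egress proxy logs for the Cobalt Strike callback indicator when fed (host, destination) pairs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/Tomcat "common" access-log format; not taken from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2025:10:00:00 +0000] "GET /kd/login.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [02/Jan/2025:10:00:05 +0000] "POST /kd/upload/x9.jsp HTTP/1.1" 200 42
203.0.113.7 - - [02/Jan/2025:10:01:05 +0000] "POST /kd/upload/x9.jsp HTTP/1.1" 200 38
203.0.113.7 - - [02/Jan/2025:10:02:05 +0000] "POST /kd/upload/x9.jsp HTTP/1.1" 200 40
203.0.113.7 - - [02/Jan/2025:10:03:05 +0000] "POST /kd/upload/x9.jsp HTTP/1.1" 200 41
10.0.0.8 - - [02/Jan/2025:10:02:30 +0000] "POST /kd/course/submit.jsp HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Hypothetical baseline of endpoints the deployment legitimately serves (build it from a clean install).
KNOWN_PATHS = {"/kd/login.jsp", "/kd/course/submit.jsp"}

def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rows.append(d)
    return rows

def find_uncommon_jsp_posts(rows, known_paths=KNOWN_PATHS):
    """POST requests to .jsp/.jspx paths outside the baseline: candidate web shell traffic."""
    return sorted({r["path"] for r in rows
                   if r["method"] == "POST"
                   and r["path"].lower().endswith((".jsp", ".jspx"))
                   and r["path"] not in known_paths})

def find_regular_intervals(rows, min_hits=4, jitter_s=5):
    """(client, path) pairs hit at a near-constant cadence; returns mean interval in seconds."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["ip"], r["path"])].append(r["ts"])
    flagged = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            flagged[key] = round(sum(gaps) / len(gaps))
    return flagged
```

Tune min_hits and jitter_s to the log window being reviewed; a single daily cron job will not reach min_hits, while a legitimate health check will and should be added to the baseline rather than lowering the threshold.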
Recommendations
- Apply the patch immediately — Update to the latest version of KnowledgeDeliver as soon as possible
- Audit web-accessible directories for unauthorized files or recently modified application code
- Review server access logs for unusual requests predating the patch deployment
- Isolate the LMS server from sensitive internal systems until remediation is confirmed
- Rotate credentials stored in or accessible via the LMS platform, including integration service accounts
- Deploy endpoint detection on the LMS host to identify Cobalt Strike beacon activity
Source: The Hacker News