KnowledgeDeliver RCE via CVE-2024-52648 — Mitigation Guide
- [01] Attackers are actively exploiting a critical zero-day to install persistent web shells on learning management systems.
- [02] The vulnerability affects KnowledgeDeliver versions 6.10 through 7.0 due to a flaw in unauthenticated upload endpoints.
- [03] Administrators must immediately update to version 7.0.1 or 6.10.1 to remediate the unauthenticated file upload flaw.
A critical zero-day vulnerability in KnowledgeDeliver, a prominent learning management system (LMS) developed by Digital Knowledge, has been exploited in the wild to deploy persistent backdoors. According to BleepingComputer, the flaw allowed attackers to gain unauthorized access to servers and install the Godzilla web shell, a sophisticated tool used for long-term compromise and data exfiltration.
Technical Analysis of CVE-2024-52648
The vulnerability, tracked as CVE-2024-52648, is an unauthenticated file upload flaw located within the application’s file handling logic. The vulnerability carries a CVSS score of 9.8, reflecting its high impact and ease of exploitation. The flaw specifically resides in the /knowledge-deliver/v7/ext/un/upload endpoint, which failed to adequately validate user-supplied files or verify the authorization of the requesting party.
By sending a crafted HTTP POST request to this endpoint, an attacker can upload arbitrary files to the server’s web root. In observed attacks, threat actors uploaded JavaServer Pages (JSP) files. Because these files are stored in a directory accessible to the web server, the attacker can subsequently trigger the execution of the uploaded script by navigating to its URL. This leads directly to RCE, allowing the attacker to execute system-level commands with the privileges of the web service user.
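The paragraph above describes the three conditions that turn an upload endpoint into RCE: no authentication, no validation of the file name or type, and storage under the web root where the server will execute a JSP. The following is an added illustration of those checks in a generic upload validator; it is not KnowledgeDeliver code, and the paths, the allow-list and the `Request`/`Result` types are constructed for the example. `upload_unchecked` models the flaw class so the contrast with `upload_hardened` is visible.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed paths for the example; not the product's real layout.
WEB_ROOT = "/srv/lms/webapps/ROOT"       # anything here is reachable by URL
UPLOAD_STORE = "/srv/lms/uploads"        # outside the web root, never served
ALLOWED_TYPES = {".pdf", ".png", ".jpg", ".mp4"}  # constructed allow-list


@dataclass
class Request:
    user: Optional[str]   # None models an unauthenticated caller
    filename: str
    body: bytes


@dataclass
class Result:
    accepted: bool
    reason: str
    stored_path: Optional[str] = None


def upload_unchecked(req: Request) -> Result:
    """Models the flaw class in the advisory: no authentication, no name
    or type check, and the file lands under the web root with its original
    name, so a .jsp becomes executable the moment its URL is requested."""
    return Result(True, "stored without checks", os.path.join(WEB_ROOT, req.filename))


def upload_hardened(req: Request) -> Result:
    # 1. Authorization: the endpoint must not serve anonymous callers.
    if not req.user:
        return Result(False, "authentication required")

    # 2. Name hygiene: only a bare base name, no traversal or separators.
    base = os.path.basename(req.filename)
    if base != req.filename or "\\" in base or "\x00" in base or base.startswith("."):
        return Result(False, "invalid filename")

    # 3. Extension allow-list, compared case-insensitively; .jsp/.jspx
    #    are never on the list, so they are rejected regardless of casing.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return Result(False, f"type {ext or '<none>'} not allowed")

    # 4. Server-chosen name in a directory outside the web root, so even
    #    an accepted file can never be executed by navigating to a URL.
    stored = f"{secrets.token_hex(16)}{ext}"
    return Result(True, "stored", os.path.join(UPLOAD_STORE, stored))
```

The order matters: rejecting unauthenticated callers first removes the "un" in the advisory's endpoint name, and storing under a server-generated name outside the web root means a validation bypass on steps 2 or 3 still does not yield code execution.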
The Godzilla Web Shell Deployment
Once the initial RCE is achieved, attackers have been observed deploying the Godzilla web shell. Godzilla is a feature-rich shell manager that uses AES encryption for its C2 communication, making it significantly harder for traditional network security tools to inspect the traffic. It provides the attacker with a suite of capabilities, including file management, database interaction, and the ability to execute additional payloads in memory.
In this campaign, the IoCs identified suggest that the attackers targeted specific Japanese infrastructure, utilizing the shell to maintain persistence and potentially move laterally within the affected networks. The stealthy nature of Godzilla means that once installed, it can remain undetected for extended periods unless the SOC is specifically monitoring for anomalous JSP file creation in temporary or upload-related directories.
How to detect CVE-2024-52648 exploitation
Security teams should focus on identifying unauthorized file creation events within the KnowledgeDeliver directory structure. To detect CVE-2024-52648 exploit attempts, analysts should review web server logs for POST requests directed at /knowledge-deliver/v7/ext/un/upload from unfamiliar IP addresses. Searching for JSP files that contain unusual strings or encrypted payloads, common indicators of the Godzilla web shell, is also a high-priority task.
Automated scanning of the /knowledge-deliver/ directory for any JSP files created recently can provide early warning of a compromise. Defenders should also look for outbound traffic patterns that match the typical behavior of Godzilla’s encrypted heartbeats, though this may be difficult without TLS inspection.
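The two detection steps above (reviewing access logs for POSTs to the upload endpoint, and scanning the application directory for recently created JSP files) can be combined in a small script. This is an added example, not tooling from the advisory or from Digital Knowledge. It assumes a combined-format access log; the sample log lines, the `TRUSTED_SOURCES` set, the JSP path and the `INDICATORS` strings are constructed for illustration and should be replaced with what is known-good in your environment. Correlating a JSP request with an earlier upload POST from the same address is the high-confidence signal, since a JSP-based application will serve legitimate JSP pages all day.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/knowledge-deliver/v7/ext/un/upload"
APP_PREFIX = "/knowledge-deliver/"
# Constructed: addresses that legitimately use the upload feature.
TRUSTED_SOURCES = {"10.0.5.10"}
WINDOW = timedelta(minutes=30)
# Constructed heuristic for "unusual strings" in a JSP; tune locally.
INDICATORS = (b"javax.crypto.Cipher", b"defineClass", b"ClassLoader")

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def find_suspicious(lines):
    """Return (severity, ip, description) findings over an iterable of log lines."""
    findings = []
    uploads = defaultdict(list)   # ip -> timestamps of POSTs to the upload endpoint
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT:
            uploads[ev["ip"]].append(ev["ts"])
            if ev["ip"] not in TRUSTED_SOURCES:
                findings.append(("medium", ev["ip"],
                                 f"POST to upload endpoint from untrusted source at {ev['ts'].isoformat()}"))
        elif (ev["path"].startswith(APP_PREFIX)
              and ev["path"].lower().endswith((".jsp", ".jspx"))
              and ev["status"] == 200):
            # Same address requested a JSP shortly after hitting the uploader.
            recent = [t for t in uploads[ev["ip"]] if timedelta(0) <= ev["ts"] - t <= WINDOW]
            if recent:
                gap = int((ev["ts"] - recent[-1]).total_seconds())
                findings.append(("high", ev["ip"],
                                 f"JSP {ev['path']} served {gap}s after an upload POST from the same address"))
    return findings


def match_indicators(data: bytes):
    """Return the indicator strings present in a JSP file's contents."""
    return [i.decode() for i in INDICATORS if i in data]


def scan_recent_jsp(root, max_age_seconds=86400, now=None):
    """List (path, matched_indicators) for JSP files modified within max_age_seconds.
    Any recently created JSP is reported; matched indicators raise the priority."""
    now = datetime.now().timestamp() if now is None else now
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            if now - os.stat(full).st_mtime > max_age_seconds:
                continue
            with open(full, "rb") as fh:
                hits.append((full, match_indicators(fh.read(1 << 16))))
    return hits


# Constructed sample log: a trusted upload, an untrusted upload followed
# seven seconds later by a request for a JSP, and an unrelated JSP page view.
SAMPLE_LOG = [
    '10.0.5.10 - - [10/Dec/2024:08:55:01 +0900] "POST /knowledge-deliver/v7/ext/un/upload HTTP/1.1" 200 512',
    '203.0.113.45 - - [10/Dec/2024:09:14:02 +0900] "POST /knowledge-deliver/v7/ext/un/upload HTTP/1.1" 200 512',
    '203.0.113.45 - - [10/Dec/2024:09:14:09 +0900] "GET /knowledge-deliver/x.jsp HTTP/1.1" 200 40',
    '198.51.100.7 - - [10/Dec/2024:09:20:00 +0900] "GET /knowledge-deliver/index.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for sev, ip, desc in find_suspicious(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {desc}")
    for path, matched in scan_recent_jsp("/srv/lms/webapps"):   # constructed path
        print(f"[jsp] {path} indicators={matched}")
```

Run it against the real access log with `find_suspicious(open(logfile))` and point `scan_recent_jsp` at the deployed `knowledge-deliver` directory; schedule the scan so that the "any recent JSP" early warning fires between log reviews.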
KnowledgeDeliver LMS RCE Mitigation Steps
The primary method for KnowledgeDeliver LMS RCE mitigation is the immediate application of security patches provided by Digital Knowledge. The vendor has released updates to address the flaw in the following versions:
- KnowledgeDeliver 7: Upgrade to version 7.0.1 or later.
- KnowledgeDeliver 6: Upgrade to version 6.10.1 or later.
If immediate patching is not feasible, organizations should consider implementing a Web Application Firewall (WAF) rule to block all unauthenticated traffic to the /ext/un/upload path. However, this should only be viewed as a temporary measure until the core application can be updated. Additionally, ensuring that the web server runs with the least privilege necessary can limit the impact if an attacker successfully uploads a shell, preventing them from accessing sensitive system configuration files or performing lateral movement.