Date of Disclosure: August 27, 2024
CVE-ID: CVE-2024-43425
Issue Name and Description: Moodle Calculated Questions Remote Code Execution Vulnerability
Asset Description: Moodle is an open-source learning management system (LMS) widely used in educational institutions, corporations, and government organizations worldwide. It provides a comprehensive platform for creating and managing online courses, delivering content, facilitating discussions, and assessing student progress.
Vulnerability Impact: A threat actor could exploit CVE-2024-43425 to execute arbitrary code on affected Moodle instances through calculated question types. This vulnerability poses a significant risk, potentially leading to unauthorized access, data breaches, and complete system compromise if exploited.
Exploitation Details: CVE-2024-43425 is a vulnerability in Moodle that arises from improper handling of calculated question types. An attacker with the ability to create or edit calculated question types could exploit this flaw to inject malicious code, leading to remote code execution on the server. This vulnerability is particularly concerning as it allows authenticated users with specific privileges to execute arbitrary code, potentially compromising the entire system.
There are several PoCs published on GitHub.
Patch Availability: Moodle has released patches to address this vulnerability, specifically versions 4.4.2, 4.3.6, 4.2.9 and 4.1.12. Instances should be updated immediately to the latest patched version.
Censys Perspective:
At the time of writing, Censys observes 238,205 exposed devices online.
To identify potentially vulnerable Moodle instances (the majority do not show their version), the following Censys queries can be used:
References:
