CVE-2021-3943

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Moodle servers by exploiting improper input validation during backup file restoration. It affects Moodle installations running vulnerable versions, potentially compromising the entire system. Any organization using affected Moodle versions for learning management is at risk.

💻 Affected Systems

Products:
  • Moodle
Versions: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Operating Systems: All platforms running Moodle
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Moodle installations with backup restoration functionality enabled, which is typically enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, install malware, or pivot to other systems in the network.

🟠 Likely Case

Unauthorized access to the Moodle server, data exfiltration, and potential disruption of learning services.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and input validation controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to upload backup files, which typically requires authentication, but the vulnerability itself allows RCE once a malicious backup is processed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Moodle 3.11.4, 3.10.8, 3.9.11

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=429095

Restart Required: No

Instructions:

1. Backup your Moodle database and files.
2. Download the patched version from moodle.org.
3. Follow Moodle's standard upgrade procedure.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Disable backup restoration

Applies to: all

Temporarily disable the ability to restore backup files to prevent exploitation.

Edit config.php and add:

$CFG->enablebackuprestore = false;

🧯 If You Can't Patch

  • Implement strict access controls to limit who can upload backup files.
  • Deploy a web application firewall (WAF) with rules to detect and block malicious backup file uploads.

🔍 How to Verify

Check if Vulnerable:

Check your Moodle version via the Site Administration > Notifications page or by examining version.php in the Moodle root directory.

Check Version:

grep "\$release" /path/to/moodle/version.php

Verify Fix Applied:

After patching, verify the version is 3.11.4, 3.10.8, or 3.9.11 or later, and test backup restoration functionality.
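A script that carries out the version check above, as an added example that is not part of this advisory: it reads the $release line from version.php and compares the branch's patch level against the fixed releases listed here (3.11.4, 3.10.8, 3.9.11). It assumes Moodle's usual line format, $release  = '3.11.3 (Build: 20211108)';, and a POSIX shell with sed and mktemp; the sample file at the end is constructed, not taken from a real install.

```shell
#!/bin/sh
# Added example, not from the advisory: decide from a Moodle tree's
# version.php whether its release is still affected by CVE-2021-3943.
# Fixed releases per the vendor advisory: 3.11.4, 3.10.8, 3.9.11.
# Assumes Moodle's usual line format:  $release  = '3.11.3 (Build: 20211108)';

# Print the X.Y[.Z] release number from a version.php file. A trailing "+"
# (weekly build after a release) is dropped, so for such builds the result
# is a lower bound and the advisory should be checked by hand.
moodle_release() {
    sed -n 's/^\$release[[:space:]]*=[[:space:]]*.\([0-9][0-9.]*\).*/\1/p' "$1"
}

# Print "vulnerable", "fixed" or "not-in-advisory" for a release number.
cve_2021_3943_status() {
    rel=$1
    major=${rel%%.*}
    rest=${rel#"$major"}; rest=${rest#.}        # "11.3" or "11"
    minor=${rest%%.*}
    patch=${rest#"$minor"}; patch=${patch#.}    # "3" or ""
    patch=${patch:-0}                           # "3.11" is the .0 release
    case "$major.$minor" in
        3.11) fixed=4 ;;
        3.10) fixed=8 ;;
        3.9)  fixed=11 ;;
        *)
            # Older branches are unsupported and never received the fix;
            # newer branches are outside what the advisory lists.
            if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 9 ]; }; then
                echo vulnerable
            else
                echo not-in-advisory
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi
}

# Demo on a constructed version.php excerpt (not taken from a real install).
sample=$(mktemp)
printf '%s\n' "\$release  = '3.11.3 (Build: 20211108)';" > "$sample"
rel=$(moodle_release "$sample")
echo "Moodle $rel: $(cve_2021_3943_status "$rel")"   # Moodle 3.11.3: vulnerable
rm -f "$sample"
```

On a real install, run cve_2021_3943_status "$(moodle_release /path/to/moodle/version.php)" and treat anything other than "fixed" as a reason to patch or apply the workaround.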

📡 Detection & Monitoring

Log Indicators:

  • Unusual backup file uploads, especially from unexpected IP addresses or users
  • Errors in Moodle logs related to backup processing

Network Indicators:

  • Large file uploads to backup restoration endpoints
  • Suspicious outbound connections from the Moodle server post-upload

SIEM Query:

source="moodle.log" AND ("backup" AND "restore") AND (file_upload OR suspicious_activity)
