CVE-2025-32044
📋 TL;DR
CVE-2025-32044 is an information disclosure vulnerability in Moodle where unauthenticated attackers can retrieve sensitive user data including names, contact information, and hashed passwords via stack traces from specific API calls. This affects Moodle sites with PHP configured without zend.exception_ignore_args = 1. The vulnerability allows unauthorized access to sensitive information without authentication.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest sensitive user data including hashed passwords, potentially enabling credential stuffing attacks, identity theft, and privacy violations across all users on vulnerable Moodle instances.
Likely Case
Unauthenticated attackers would retrieve limited user data from stack traces, potentially exposing names, email addresses, and hashed passwords for users whose data appears in error responses.
If Mitigated
With proper PHP configuration (zend.exception_ignore_args = 1), no sensitive data would be exposed in stack traces, preventing information disclosure.
🎯 Exploit Status
Exploitation requires making specific API calls that trigger stack traces containing sensitive data
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references; check Moodle security advisories
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-32044
Restart Required: No
Instructions:
1. Update Moodle to the latest patched version
2. Apply security patches from Moodle's official releases
3. Verify PHP configuration has zend.exception_ignore_args = 1
🔧 Temporary Workarounds
Configure PHP to hide arguments in exceptions
Linux: Set zend.exception_ignore_args = 1 in php.ini to prevent sensitive data from appearing in stack traces
echo 'zend.exception_ignore_args = 1' >> /etc/php/php.ini
systemctl restart php-fpm
Disable detailed error reporting
All platforms: Configure Moodle and PHP to suppress detailed error messages and stack traces
Set display_errors = Off in php.ini
Configure Moodle debugging to minimum level
🧯 If You Can't Patch
- Configure PHP with zend.exception_ignore_args = 1 in php.ini
- Implement network-level restrictions to limit API access to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check if zend.exception_ignore_args is set to 0 or not present in php.ini configuration
Check Version:
Check Moodle version via admin interface or version.php file
Verify Fix Applied:
Verify zend.exception_ignore_args = 1 is set in php.ini and test that API calls no longer return sensitive data in error responses
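The php.ini check described above, as an added example (not code from Moodle or the advisory): a POSIX shell function that reads one or more ini files in load order and reports whether zend.exception_ignore_args is effectively enabled, treating a commented-out or later-overridden setting as exposed. The function names are hypothetical, and the files to pass are an assumption about your installation.

```shell
#!/bin/sh
# Added example: function names are hypothetical; pass the ini files your
# PHP build loads, in load order (main php.ini first, then conf.d files).

effective_ignore_args() {
    # Print the last uncommented assignment (lower-cased), or nothing.
    [ "$#" -gt 0 ] || return 0
    cat "$@" 2>/dev/null | awk '
        /^[ \t]*;/ { next }                      # whole-line comment
        /^[ \t]*zend\.exception_ignore_args[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)          # drop "name ="
            sub(/[ \t]*;.*$/, "", v)             # drop trailing comment
            gsub(/[" \t\r]/, "", v)              # drop quotes and whitespace
            last = tolower(v)                    # later lines override
        }
        END { print last }'
}

check_ignore_args() {
    # Return 0 only for values known to enable the setting; anything else
    # (unset, Off, 0, unrecognised) is reported as exposed (fail-safe).
    case "$(effective_ignore_args "$@")" in
        1|on|true|yes)
            echo "OK: zend.exception_ignore_args is enabled"; return 0 ;;
        "")
            echo "EXPOSED: zend.exception_ignore_args is not set"; return 1 ;;
        *)
            echo "EXPOSED: zend.exception_ignore_args is disabled"; return 1 ;;
    esac
}

# Stand-alone use: sh check.sh /etc/php/php.ini
if [ "$#" -gt 0 ]; then check_ignore_args "$@"; fi
```

The CLI and PHP-FPM can load different ini files, so run the check against the files used by the SAPI that serves Moodle; `php --ini` lists the files the CLI loads.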
📡 Detection & Monitoring
Log Indicators:
- Unusual API call patterns to endpoints that trigger exceptions
- Multiple failed API requests from single sources
- Error logs containing stack traces with user data
Network Indicators:
- Unusual volume of requests to Moodle API endpoints from unauthenticated sources
- Patterns of requests designed to trigger exceptions
SIEM Query:
source="moodle_logs" AND (message="*exception*" OR message="*stack trace*") AND src_ip NOT IN allowed_ips