CVE-2025-3641

8.8 HIGH

📋 TL;DR

A remote code execution vulnerability exists in Moodle's Dropbox repository feature, allowing authenticated teachers and managers to execute arbitrary code on the server. This affects Moodle installations with the Dropbox repository enabled and configured.

💻 Affected Systems

Products:
  • Moodle LMS
Versions: Specific versions not detailed in provided references; check Moodle advisory for exact range.
Operating Systems: All platforms running Moodle
Default Config Vulnerable: ⚠️ No (the Dropbox repository is disabled until an administrator enables it and configures Dropbox API credentials)
Notes: Only affects sites with the Dropbox repository enabled and configured; by default only users holding teacher or manager roles can use it, so an attacker needs one of those accounts.

📦 What is this software?

Moodle is an open-source learning management system written in PHP and widely deployed by schools and universities. The Dropbox repository is one of Moodle's built-in repository plugins: once an administrator configures it with Dropbox API credentials, course editors can import files from Dropbox through the file picker.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise leading to data theft, lateral movement, and complete system control.

🟠

Likely Case

Unauthorized code execution by malicious insiders or compromised teacher accounts, potentially leading to data exfiltration or further exploitation.

🟢

If Mitigated

Limited impact if proper access controls and monitoring are in place, with exploitation detected and contained.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access as a teacher or manager; complexity is low once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Moodle advisory for specific patched versions.

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=467602

Restart Required: No

Instructions:

1. Review the Moodle advisory for the patched release on your branch.
2. Update Moodle to that release or later and run the upgrade (Site administration > Notifications).
3. Confirm the upgrade completed and the reported release is the patched one; the Dropbox repository ships with Moodle core, so the core update is what fixes it.

🔧 Temporary Workarounds

Disable Dropbox Repository

Applies to: all platforms

Temporarily disable the Dropbox repository feature to mitigate the vulnerability.

Navigate to Moodle admin panel > Site administration > Plugins > Repositories > Manage repositories, and disable Dropbox repository.

🧯 If You Can't Patch

  • Audit teacher and manager role assignments and remove any that are not needed; holding one of these roles is the prerequisite for exploitation.
  • Implement network segmentation to isolate Moodle servers, restrict their outbound traffic to known destinations, and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check whether the Dropbox repository is enabled (Site administration > Plugins > Repositories > Manage repositories) and whether the Moodle version is within the affected range per the Moodle advisory.

Check Version:

Check the Moodle version in the admin panel (Site administration > Notifications shows the release) or by reading the $release and $version values in version.php at the Moodle web root.

Verify Fix Applied:

Confirm Moodle is updated to a patched version and Dropbox repository is either disabled or updated.
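The version check above can be scripted when many Moodle hosts need to be surveyed. The following is an added example, not code from Moodle or from the advisory: it parses version.php for $version, $release and $branch and compares the numeric $version against a per-branch minimum. The sample version.php text and the numbers in PATCHED_MIN are constructed placeholders; fill PATCHED_MIN from the Moodle advisory before using it.

```python
"""Added example (not from the Moodle project or the advisory): parse a Moodle
version.php and compare $version against a per-branch minimum patched version.

SAMPLE_VERSION_PHP and PATCHED_MIN are CONSTRUCTED placeholders. Replace the
PATCHED_MIN values with the patched $version numbers from the Moodle advisory.
"""
import re
from pathlib import Path

# Constructed sample in the layout Moodle uses; the real file is <webroot>/version.php
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();

$version  = 2024100700.00;              // YYYYMMDD      = weekly release date of this DEV branch.
$release  = '4.5.0 (Build: 20241007)'; // Human-friendly version name
$branch   = '405';                     // This version's branch.
$maturity = MATURITY_STABLE;           // This version's maturity level.
"""

# Placeholder thresholds keyed by $branch: minimum $version containing the fix.
# The ".99" values are deliberately fake; take the real ones from the advisory.
PATCHED_MIN = {
    "405": 2024100799.00,
    "404": 2024042299.00,
}

# Moodle writes these as simple assignments, one per line, terminated by ';'
_VERSION_RE = re.compile(r"^\$version\s*=\s*([0-9]+(?:\.[0-9]+)?)\s*;", re.M)
_RELEASE_RE = re.compile(r"^\$release\s*=\s*'([^']*)'\s*;", re.M)
_BRANCH_RE = re.compile(r"^\$branch\s*=\s*'([^']*)'\s*;", re.M)


def parse_version_php(text: str) -> dict:
    """Return {'version': float, 'release': str, 'branch': str} from version.php text."""
    fields = {}
    for key, rx in (("version", _VERSION_RE), ("release", _RELEASE_RE), ("branch", _BRANCH_RE)):
        m = rx.search(text)
        if not m:
            raise ValueError(f"could not find ${key} in version.php")
        fields[key] = m.group(1)
    # $version is an integer-valued float (YYYYMMDDXX.YY); exact in IEEE double
    fields["version"] = float(fields["version"])
    return fields


def assess(info: dict, patched_min: dict = PATCHED_MIN) -> str:
    """Classify as 'patched', 'vulnerable' or 'unknown-branch' against patched_min."""
    minimum = patched_min.get(info["branch"])
    if minimum is None:
        return "unknown-branch"  # branch not in the table: consult the advisory by hand
    return "patched" if info["version"] >= minimum else "vulnerable"


def assess_file(path: str, patched_min: dict = PATCHED_MIN) -> str:
    """Convenience wrapper: assess the version.php at `path`."""
    return assess(parse_version_php(Path(path).read_text(encoding="utf-8")), patched_min)


if __name__ == "__main__":
    info = parse_version_php(SAMPLE_VERSION_PHP)
    print(f"{info['release']} (branch {info['branch']}) -> {assess(info)}")
```

Comparing the numeric $version within the same $branch is the reliable test; comparing the human-readable $release string across branches is not, because each supported branch receives its own patched release. A result of unknown-branch means the table has no entry for that branch, not that the host is safe.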

📡 Detection & Monitoring

Log Indicators:

  • Moodle standard log and web-server access log entries showing Dropbox repository use (file picker and file imports) by accounts, or at times, that do not fit normal teaching activity, and any new or modified PHP files under the web root or moodledata after such activity.

Network Indicators:

  • Outbound connections from the Moodle server to destinations or ports outside its normal profile (database, DNS, mail relay, and HTTPS to the Dropbox API), which is how a post-exploitation reverse shell or exfiltration channel would appear.

SIEM Query:

Alert on connections where the source is the Moodle server and the (destination, port) pair is not in the server's egress baseline. Because the Dropbox repository legitimately talks to the Dropbox API over HTTPS, baseline that traffic first (ideally via an egress proxy) so that direct connections to unknown hosts stand out.
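The egress-baseline check described above, as an added example rather than code from the page or from Moodle: it parses firewall log lines, keeps those sourced from the Moodle server, and counts every (destination, port) pair not in an allowlist. The log lines, addresses, ports and the allowlist itself are constructed for one assumed deployment in which all web traffic, including Dropbox API calls, leaves through an egress proxy; build the real allowlist from your own baseline.

```python
"""Added example (not from the page or from Moodle): flag outbound connections
from a Moodle web server that fall outside its expected egress profile.

All log lines, addresses and ports are CONSTRUCTED. EXPECTED_EGRESS describes
one assumed deployment (web traffic only via an egress proxy) and must be
replaced with a baseline observed on the real network.
"""
import re
from collections import Counter

MOODLE_SERVER = "10.0.1.20"  # assumed address of the Moodle web host

# Assumed egress baseline: (destination, port) pairs the web host normally opens.
EXPECTED_EGRESS = {
    ("10.0.1.30", 5432),  # PostgreSQL
    ("10.0.1.2", 53),     # internal DNS
    ("10.0.1.40", 3128),  # egress proxy carrying Dropbox API calls and plugin updates
    ("10.0.1.50", 25),    # mail relay
}

# Constructed key=value firewall format; adapt the pattern to your firewall's export.
LOG_RE = re.compile(
    r"(?P<ts>\S+) fw: src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)"
)

# Constructed firewall log excerpt: normal traffic, a repeated connection to an
# external host on 4444, one direct HTTPS connection bypassing the proxy, and
# one line from a different host that must be ignored.
SAMPLE_LOG = """\
2025-04-15T09:00:01Z fw: src=10.0.1.20 dst=10.0.1.30 dport=5432 proto=tcp action=allow
2025-04-15T09:00:02Z fw: src=10.0.1.20 dst=10.0.1.40 dport=3128 proto=tcp action=allow
2025-04-15T09:00:05Z fw: src=10.0.1.20 dst=10.0.1.2 dport=53 proto=udp action=allow
2025-04-15T09:02:13Z fw: src=10.0.1.20 dst=203.0.113.77 dport=4444 proto=tcp action=allow
2025-04-15T09:02:14Z fw: src=10.0.1.20 dst=203.0.113.77 dport=4444 proto=tcp action=allow
2025-04-15T09:03:00Z fw: src=10.0.1.20 dst=198.51.100.9 dport=443 proto=tcp action=allow
2025-04-15T09:03:30Z fw: src=10.0.1.21 dst=198.51.100.9 dport=443 proto=tcp action=allow
2025-04-15T09:04:00Z fw: src=10.0.1.20 dst=10.0.1.30 dport=5432 proto=tcp action=allow
"""


def parse(log_text: str):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def unexpected_egress(log_text: str, server: str = MOODLE_SERVER,
                      expected: set = EXPECTED_EGRESS) -> dict:
    """Return {(dst, dport): count} for connections from `server` not in `expected`.

    Direct HTTPS to the internet is flagged as well: in the assumed deployment
    the web host reaches the Dropbox API only through the proxy, so a direct
    443 connection means the proxy was bypassed.
    """
    hits = Counter()
    for ev in parse(log_text):
        if ev["src"] != server:
            continue
        if (ev["dst"], ev["dport"]) in expected:
            continue
        hits[(ev["dst"], ev["dport"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (dst, dport), n in sorted(unexpected_egress(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"ALERT {MOODLE_SERVER} -> {dst}:{dport} ({n} connections outside baseline)")
```

Run it over a day of firewall or flow logs rather than the sample and review every pair it returns: a single new destination may be a legitimate change (a new plugin update host), but a repeated connection to an external address on a non-web port from a server that should only serve pages is exactly the pattern a reverse shell leaves.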
