CVE-2025-3645

4.3 MEDIUM

📋 TL;DR

An insufficient capability check in a Moodle messaging web service function lets an authenticated user retrieve other users' names and online status without the permission the function is meant to require. It affects Moodle sites on which an enabled external service exposes the affected function (typically the service used by the Moodle mobile app), and the data disclosed is personal information about other users.

💻 Affected Systems

Products:
  • Moodle
Versions: Specific versions not detailed in provided references; check Moodle security advisories for exact range
Operating Systems: All platforms running Moodle
Default Config Vulnerable: ⚠️ Yes
Notes: Reachable only where web services are enabled and an enabled external service exposes the affected messaging function. The missing check is server-side, so any client that holds a token for that service, including an ordinary user's mobile-app token, can trigger it; hardening the client does not help.

📦 What is this software?

Moodle is an open-source, PHP-based learning management system used by schools, universities and corporate training teams. Alongside its web UI it exposes a web services API (REST, SOAP and others) consumed by the Moodle mobile app and third-party integrations; each exposed function is expected to enforce its own capability checks, which is what failed here.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass enumeration of user identities and online presence across the site, enabling targeted social engineering, stalking or harassment campaigns against exposed users (for example, learning when particular staff or students are online).

🟠 Likely Case

Limited information disclosure: an authenticated user gathers other users' names and activity patterns they could not otherwise see, violating privacy expectations and, depending on jurisdiction, data-protection obligations.

🟢 If Mitigated

Minimal impact once the patched release is installed or the external service exposing the function is disabled. Network restrictions help only for sites whose web-service clients come from known addresses; they do not stop an ordinary enrolled user, who is the realistic attacker here.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account but no elevated role: any user who can obtain a web-service token for the exposed service (on a typical site, every user of the Moodle mobile app) can call the function, so the pool of potential actors is large.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Moodle security releases for specific version; typically the latest stable release includes fixes

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=467606

Restart Required: No

Instructions:

1. Update Moodle to the latest patched version via the Moodle admin interface or a manual upgrade.
2. Verify the web service capability checks are enforced post-update.

🔧 Temporary Workarounds

Disable vulnerable web service

all

Temporarily disable the external service that exposes the messaging functions until you can patch.

Navigate to Site administration > Server > Web services > External services (Site administration > Plugins > Web services on Moodle 3.x) and disable that service; in a stock installation it is the Moodle mobile web service. Disabling it also cuts off the Moodle mobile app and any integration that uses the same service, so treat this as a short-term measure. If you run a custom service and have identified the affected function from the vendor advisory, removing only that function from the service's function list is less disruptive.

Restrict access via firewall

linux

Limit network access to the Moodle web service endpoints to trusted IPs only. This suits sites whose web-service clients (integrations, a managed device fleet) come from known addresses; it does nothing against an enrolled user on an arbitrary network.

Use iptables or similar, covering HTTPS as well as HTTP: iptables -A INPUT -p tcp -m multiport --dports 80,443 -s TRUSTED_IP -j ACCEPT; iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP. Note that host firewall rules like these block the whole site, not only the web service, and that -A appends, so an existing rule accepting the same traffic will still win; restricting just the /webservice/ path at the web server or reverse proxy is the more targeted option.

🧯 If You Can't Patch

  • Implement strict access controls: restrict who can obtain web-service tokens for the exposed service (self-service token creation is governed by the moodle/webservice:createtoken and moodle/webservice:createmobiletoken capabilities) and revoke tokens that are no longer needed under Site administration > Server > Web services > Manage tokens. If the affected function is also flagged for AJAX use it stays reachable from any logged-in browser session, so treat this as a partial measure.
  • Monitor for unusual web service requests targeting user data and review logs for unauthorized access attempts to messaging functions; notify users whose data may have been exposed where your privacy obligations require it.

🔍 How to Verify

Check if Vulnerable:

Using a deliberately low-privileged test account (for example a student with no messaging-related role overrides), obtain a web-service token for the exposed service and call the affected function through /webservice/rest/server.php against another user's id. A response containing that user's name or online status means the site is vulnerable; a nopermissions exception means the check is enforced. Also compare the site's release against the fixed releases listed in the Moodle security advisory.

Check Version:

Check the Moodle version under Site administration > Notifications, or read $release in version.php in the Moodle root directory (the file is PHP, so read it on the server rather than requesting it over HTTP).

Verify Fix Applied:

After patching, retest the web service to ensure capability checks now properly restrict access to authorized users only.
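The checks above, as an added example (not Moodle's code and not from this advisory): a Python script that reads the release out of version.php, compares it with the fixed release you take from the Moodle advisory for your branch, and builds and classifies the REST probe described above. The affected function name, the test account's token, the target user id and the fixed release are all operator-supplied assumptions; the sample version.php and the sample responses are constructed.

```python
"""Verification helpers for the Moodle messaging web-service capability bypass.

Added example for this page, not Moodle's own code.  Assumptions (nothing
below is taken from the advisory): the operator supplies a web-service token
for a deliberately low-privileged test account, the name of the affected
function as given in the Moodle advisory, a target user id that account must
not be able to look up, and the fixed release for the site's branch.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Tuple

REST_PATH = "/webservice/rest/server.php"   # Moodle's REST protocol endpoint

# Constructed sample of the top of a Moodle version.php; the values are made up.
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2024100700.05;              // YYYYMMDD      = weekly release date of this DEV branch.
$release  = '4.5.1+ (Build: 20250101)'; // Human-friendly version name
$branch   = '405';                      // This version's branch.
$maturity = MATURITY_STABLE;            // This version's maturity level.
"""


def parse_version_php(text: str) -> dict:
    """Pull $version and $release out of version.php without executing PHP."""
    version = re.search(r"^\$version\s*=\s*([\d.]+)\s*;", text, re.M)
    release = re.search(r"^\$release\s*=\s*'([^']*)'", text, re.M)
    if not version or not release:
        raise ValueError("not a Moodle version.php")
    return {"version": version.group(1), "release": release.group(1)}


def release_tuple(release: str) -> Tuple[int, ...]:
    """'4.5.1+ (Build: 20250101)' -> (4, 5, 1); '4.4 (Build: ...)' -> (4, 4, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable release string: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def needs_update(release: str, minimum_fixed: str) -> bool:
    """True when the site runs a release older than the fixed release of its
    branch.  Moodle ships a separate fix per supported branch, so a 4.4.x site
    must be compared against the 4.4 fix, never against a 4.5 number."""
    site, fix = release_tuple(release), release_tuple(minimum_fixed)
    if site[:2] != fix[:2]:
        raise ValueError("compare against the fixed release of the same branch")
    return site < fix


def build_rest_request(base_url: str, token: str, function: str,
                       params: dict) -> Tuple[str, bytes]:
    """URL and form body for a Moodle REST call that answers in JSON."""
    body = {"wstoken": token, "wsfunction": function,
            "moodlewsrestformat": "json", **params}
    return base_url.rstrip("/") + REST_PATH, urllib.parse.urlencode(body).encode()


def classify_response(payload) -> str:
    """Map a decoded REST response onto what it means for this check:
    'denied'       the capability check fired (patched behaviour),
    'data'         records came back to a user who should not get them,
    'inconclusive' the call never reached the check (bad token, function not
                   in the enabled service, empty result, ...)."""
    if isinstance(payload, dict) and "exception" in payload:
        return "denied" if payload.get("errorcode") == "nopermissions" else "inconclusive"
    if payload in ([], {}, None):
        return "inconclusive"
    return "data"


def probe(base_url: str, token: str, function: str, params: dict,
          timeout: float = 15) -> str:
    """Call `function` as the low-privileged user and classify the outcome.
    Network call; not exercised by the offline sample run below."""
    url, body = build_rest_request(base_url, token, function, params)
    req = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_response(json.loads(resp.read().decode()))


if __name__ == "__main__":
    info = parse_version_php(SAMPLE_VERSION_PHP)
    print("release:", info["release"], "->", release_tuple(info["release"]))
    # Constructed responses, in the shape Moodle's REST server returns them.
    print(classify_response({"exception": "required_capability_exception",
                             "errorcode": "nopermissions", "message": "..."}))
    print(classify_response([{"id": 7, "fullname": "Test User", "isonline": True}]))
```

Run probe() once before patching and once after: the first call should return 'data' (or the site was never exposed), the second 'denied'. An 'inconclusive' result means the probe did not reach the capability check at all, so fix the token or service configuration before drawing any conclusion.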

📡 Detection & Monitoring

Log Indicators:

  • In the standard log store (logstore_standard_log), bursts of \core\event\webservice_function_called events whose `other` field names core_message_* functions, coming from accounts with no legitimate bulk-messaging need; spikes in user-lookup calls from a single token or source IP.

Network Indicators:

  • Increased traffic to Moodle web service APIs, especially to user-related endpoints.

SIEM Query:

Example (pseudo-syntax; field names follow Moodle's standard log store, which records every web service call as \core\event\webservice_function_called with the called function in the `other` column): source="moodle_logs" AND eventname="\core\event\webservice_function_called" AND other="*core_message_*" | stats count by userid, ip | where count > 50
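The log indicator above, as an added example (not Moodle's code): a Python burst detector over rows exported from logstore_standard_log. The prefix, window and threshold are assumed tuning values; the sample rows are constructed, and the core_message_* function names in them are real Moodle functions used only for illustration, not an identification of the affected function.

```python
"""Burst detection for messaging web-service calls in Moodle's standard log store.

Added example for this page, not Moodle's own code.  It assumes rows exported
from the logstore_standard_log table (or a SIEM copy of it) as dicts carrying
userid, eventname, other, timecreated and ip.  The prefix, window and
threshold are tuning knobs chosen here, not values from the advisory; the
core_message_* names in the sample are real Moodle functions used only for
illustration, not an identification of the affected one.
"""
import json
import re
from collections import defaultdict, deque
from typing import Dict, Iterable, Optional

# Event Moodle logs for every external (web service) function call.
WS_EVENT = r"\core\event\webservice_function_called"


def function_name(other: Optional[str]) -> Optional[str]:
    """Extract the called function from the event's `other` column.
    Newer log stores keep `other` as JSON; older ones used PHP serialize()."""
    if not other:
        return None
    try:
        data = json.loads(other)
        if isinstance(data, dict):
            return data.get("function")
    except ValueError:
        pass
    m = re.search(r's:8:"function";s:\d+:"([^"]*)"', other)
    return m.group(1) if m else None


def detect_bursts(rows: Iterable[dict], prefix: str = "core_message_",
                  window: int = 300, threshold: int = 10) -> Dict[int, dict]:
    """Flag users who call `prefix*` functions at least `threshold` times
    within any `window` seconds.  Returns {userid: summary of the busiest window}."""
    recent = defaultdict(deque)        # userid -> call timestamps inside the window
    alerts: Dict[int, dict] = {}
    for row in sorted(rows, key=lambda r: r["timecreated"]):
        if row["eventname"] != WS_EVENT:
            continue
        fn = function_name(row.get("other"))
        if not fn or not fn.startswith(prefix):
            continue
        uid, ts = row["userid"], row["timecreated"]
        q = recent[uid]
        q.append(ts)
        while ts - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(uid, {}).get("count", 0):
            alerts[uid] = {"count": len(q), "first": q[0], "last": ts,
                           "ip": row.get("ip"), "last_function": fn}
    return alerts


# ---- constructed sample log rows (not real site data) -----------------------
BASE = 1_700_000_000


def _row(uid: int, ts: int, fn: str, ip: str = "203.0.113.5",
         serialized: bool = False) -> dict:
    other = (f'a:1:{{s:8:"function";s:{len(fn)}:"{fn}";}}' if serialized
             else json.dumps({"function": fn}))
    return {"userid": uid, "eventname": WS_EVENT, "other": other,
            "timecreated": ts, "ip": ip}


SAMPLE_ROWS = (
    # user 42: twelve member lookups in under a minute, some logged in the
    # old serialize() format
    [_row(42, BASE + 5 * i, "core_message_get_member_info", serialized=(i % 4 == 0))
     for i in range(12)]
    + [_row(42, BASE + 20, "core_course_get_contents")]            # not messaging
    + [_row(7, BASE + 10, "core_message_get_conversations"),        # user 7: two
       _row(7, BASE + 500, "core_message_get_conversations")]       # calls, far apart
    + [{"userid": 42, "eventname": r"\core\event\user_loggedin", "other": None,
        "timecreated": BASE + 1, "ip": "203.0.113.5"}]
)


if __name__ == "__main__":
    for uid, info in detect_bursts(SAMPLE_ROWS).items():
        print(f"user {uid}: {info['count']} messaging calls in "
              f"{info['last'] - info['first']}s from {info['ip']} "
              f"(last: {info['last_function']})")
```

Run it over a daily export or the result set of the SIEM query above, and tune threshold to the site's normal traffic: the Moodle mobile app calls some core_message_* functions as part of ordinary use, so a threshold set from a quiet baseline will page on every active mobile user.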

🔗 References

  • Vendor advisory: https://moodle.org/mod/forum/discuss.php?d=467606
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3645
