CVE-2025-67847
📋 TL;DR
This vulnerability allows attackers with access to Moodle's restore interface to execute arbitrary code on the server because restore data is not sufficiently validated. Successful exploitation could lead to complete compromise of the Moodle application. All Moodle installations with the restore feature enabled are affected.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise, allowing an attacker to execute arbitrary code, access or modify all data, install backdoors, and pivot to other systems.
Likely Case
Attacker gains administrative privileges within Moodle, accesses sensitive student/teacher data, and modifies course content.
If Mitigated
Limited impact if the restore interface is disabled or access is restricted to trusted administrators only.
🎯 Exploit Status
Exploitation requires an understanding of Moodle's restore routines and the ability to craft malicious restore data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not yet released
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-67847
Restart Required: No
Instructions:
1. Monitor Moodle security advisories for the patch release.
2. Apply the patch when available.
3. Verify the patch was applied by testing restore functionality.
🔧 Temporary Workarounds
Disable Restore Interface
Temporarily disable the restore functionality to prevent exploitation.
Navigate to Moodle admin panel > Site administration > Advanced features > Uncheck 'Enable course restore'
Restrict Access to Restore
Limit restore interface access to trusted administrators only.
Configure Moodle permissions to restrict the 'moodle/restore:restorecourse' capability to a minimal set of trusted users
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the Moodle restore interface
- Enable detailed logging of all restore activities and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check the Moodle version and verify whether restore functionality is enabled under Site administration > Advanced features
Check Version:
Check the Moodle version in Site administration > Notifications or via moodle/admin/index.php
Verify Fix Applied:
After applying the patch, verify that restore functionality works normally with test data and monitor for any unexpected behaviour
📡 Detection & Monitoring
Log Indicators:
- Unusual restore activities from unexpected users
- Large or malformed restore file uploads
- Multiple failed restore attempts
Network Indicators:
- Unusual traffic patterns to restore endpoints
- Large file uploads to restore interfaces
SIEM Query:
source="moodle" AND (event="restore" OR url="*/backup/restorefile.php") AND (user NOT IN [trusted_admin_list])