CVE-2025-67848

8.1 HIGH

📋 TL;DR

This authentication bypass vulnerability in Moodle allows suspended users to authenticate through the LTI Provider, enabling unauthorized access to the system. This affects Moodle instances using LTI authentication where user suspension is a security control.

💻 Affected Systems

Products:
  • Moodle
Versions: Specific affected versions not specified in CVE details, but likely multiple recent versions
Operating Systems: All platforms running Moodle
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Moodle instances with LTI Provider authentication enabled and suspended user accounts


⚠️ Risk & Real-World Impact

🔴 Worst Case

Suspended malicious users regain full access to the platform, potentially accessing sensitive student data, modifying grades, or disrupting learning activities.

🟠 Likely Case

Suspended users bypass restrictions to access course materials, submit assignments, or participate in forums they should be blocked from.

🟢 If Mitigated

Minimal impact if LTI authentication is disabled or suspended users have limited permissions even when authenticated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a suspended user account and access to the LTI authentication path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Moodle security advisory for specific fixed version

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=471298

Restart Required: No

Instructions:

1. Check the Moodle security advisory for the patched version.
2. Update Moodle to the patched version.
3. Verify that LTI authentication now properly checks user suspension status.

🔧 Temporary Workarounds

Disable LTI Provider Authentication (all)

Temporarily disable LTI authentication until the patch is applied.

  • Navigate to Site administration > Plugins > Authentication > Manage authentication
  • Disable the LTI Provider authentication method

Restrict LTI Access (all)

Limit LTI authentication to specific trusted sources only.

  • Configure LTI tool settings to restrict access to approved external tools only

🧯 If You Can't Patch

  • Monitor authentication logs for suspended users authenticating via LTI
  • Implement additional access controls for suspended user accounts

🔍 How to Verify

Check if Vulnerable:

Test whether a suspended user account can authenticate through the LTI Provider.

Check Version:

Check the Moodle version under Site administration > General > About Moodle.

Verify Fix Applied:

Verify that suspended users are properly blocked when attempting LTI authentication.

📡 Detection & Monitoring

Log Indicators:

  • Suspended user accounts successfully authenticating via LTI
  • Unusual LTI authentication patterns

Network Indicators:

  • LTI authentication requests from unexpected sources

SIEM Query:

auth_method="LTI" AND user_status="suspended" AND result="success"

The field names above are generic placeholders; map them to the fields your SIEM actually ingests from Moodle's authentication logs before relying on the query.
