CVE-2025-67853
📋 TL;DR
This vulnerability in Moodle allows remote attackers to bypass rate limiting on confirmation email services, enabling brute-force attacks against user accounts. Attackers can more easily guess or enumerate valid credentials, potentially compromising user accounts. All Moodle instances with vulnerable versions are affected.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Mass account compromise leading to unauthorized access, data theft, privilege escalation, and potential complete system takeover if admin accounts are breached.
Likely Case
Targeted account takeover of specific users through credential guessing, leading to unauthorized access to course materials, personal data, and system resources.
If Mitigated
Limited impact with proper rate limiting, strong passwords, and account lockout policies preventing successful brute-force attacks.
🎯 Exploit Status
Exploitation requires only network access to Moodle; attackers can automate credential guessing attempts without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Moodle security advisory for specific patched version
Vendor Advisory: https://moodle.org/security/
Restart Required: No
Instructions:
1. Check the Moodle security advisory for the patched version.
2. Back up the Moodle installation and database.
3. Update Moodle to the patched version via the standard upgrade process.
4. Verify functionality post-update.
🔧 Temporary Workarounds
Implement External Rate Limiting
Configure the web server or firewall to limit requests to the confirmation email endpoints. Example for nginx (the zone is declared in the http context; limit_req is applied in the location that serves the confirmation endpoint):
# http context: zone keyed by client address, 10 requests per minute
limit_req_zone $binary_remote_addr zone=moodle:10m rate=10r/m;
# server context: apply the zone to the confirmation endpoint (keep the PHP handler directives inside this location)
location = /login/confirm.php { limit_req zone=moodle burst=5 nodelay; }
Enable Account Lockout
Configure Moodle to lock accounts after repeated failed login attempts
# In Moodle admin: Site administration > Security > Site policies > Account lockout threshold
🧯 If You Can't Patch
- Implement network-level rate limiting using WAF or firewall rules
- Enforce strong password policies and multi-factor authentication
🔍 How to Verify
Check if Vulnerable:
Check Moodle version against security advisory; test if confirmation email endpoints accept unlimited requests
Check Version:
php admin/cli/check.php | grep 'Moodle version'
Verify Fix Applied:
Verify Moodle version is patched; test that rate limiting now properly restricts confirmation email requests
📡 Detection & Monitoring
Log Indicators:
- High volume of requests to confirmation email endpoints from single IPs
- Multiple failed login attempts followed by confirmation email requests
Network Indicators:
- Unusual patterns of POST requests to /login/confirm.php or similar endpoints
- Bursts of authentication-related traffic
SIEM Query:
source="moodle.log" AND (uri_path="/login/confirm.php" OR uri_path="/auth/email/confirm") | stats count by src_ip | where count > 100
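The same per-source-IP count that the SIEM query above performs, as an added example that is not part of this advisory and not Moodle's own code: it parses web-server access log lines in the combined format (assumed here; adjust the regex for other formats), keeps a sliding ten-minute window per client address, and reports addresses that exceed the query's threshold of 100 requests to the two confirmation endpoints named in this page. The log lines are constructed for the demonstration.

```python
"""Flag source IPs hammering Moodle's confirmation-email endpoints.

Added illustration, not Moodle code. Assumes combined access log format
(ip - user [time] "METHOD path HTTP/x" status size ...) and that lines
for a given IP appear in chronological order, as in a real log file.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Endpoints taken from the advisory's detection section; matched as path
# prefixes so that query strings (e.g. ?data=...) do not matter.
CONFIRM_PATHS = ("/login/confirm.php", "/auth/email/confirm")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return (m.group("ip"), ts, m.group("method"), m.group("path"),
            int(m.group("status")))


def is_confirm_request(path):
    """True for requests to a confirmation endpoint, query string ignored."""
    return any(path.startswith(p) for p in CONFIRM_PATHS)


def find_offenders(lines, threshold=100, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for IPs that made more than `threshold`
    confirmation requests inside any span of length `window`.

    A per-IP deque holds the timestamps still inside the window; its
    length after each request is the rolling count for that IP.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines
        ip, ts, _method, path, _status = rec
        if not is_confirm_request(path):
            continue                      # unrelated traffic
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def sample_lines():
    """Constructed demo log: 203.0.113.5 sends 150 confirmation requests in
    five minutes, 198.51.100.7 sends three, plus one unrelated course hit."""
    base = datetime(2025, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(150):
        t = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{t}] "POST /login/confirm.php?data=x HTTP/1.1" 200 512')
    for i in range(3):
        t = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{t}] "GET /auth/email/confirm HTTP/1.1" 200 512')
    t = base.strftime(TS_FMT)
    lines.append(f'198.51.100.7 - - [{t}] "GET /course/view.php?id=2 HTTP/1.1" 200 4096')
    return lines


if __name__ == "__main__":
    for ip, n in find_offenders(sample_lines()).items():
        print(f"{ip}: {n} confirmation requests within one window")
```

Run it against a real access log with `find_offenders(open("access.log"))`; the threshold and window are deliberately the same numbers the SIEM query uses, so the two detections agree on what counts as a burst, but the sliding window also catches a burst that straddles the boundary of a fixed search interval.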