CVE-2024-43425
Published 2024-11-07
Priority: P2 · 76 · high · 8.1 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: EPSS 83.34% (99.6th percentile)
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moodle | moodle | < 4.1.12 | 4.1.12 |
| moodle | moodle | >= 0 < 4.1.12 | 4.1.12 |
| moodle | moodle | >= 4.2.0 < 4.2.9 | 4.2.9 |
| moodle | moodle | >= 4.2.0-beta < 4.2.9 | 4.2.9 |
| moodle | moodle | >= 4.3.0 < 4.3.6 | 4.3.6 |
| moodle | moodle | >= 4.3.0-beta < 4.3.6 | 4.3.6 |
| moodle | moodle | >= 4.4.0 < 4.4.2 | 4.4.2 |
| moodle | moodle | >= 4.4.0-beta < 4.4.2 | 4.4.2 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /question/bank/editquestion/question.php containing the PHP system() injection pattern in the answer[0] parameter, specifically the string `(1)->{system(` or its URL-encoded equivalent `%7Bsystem%28`.
- Alert on GET requests to /question/bank/editquestion/question.php with both `wizardnow=datasetitems` and an `a=` query parameter, which is the RCE trigger mechanism passing the OS command.
- Monitor for the PHP error string `system(): Argument #1 ($command) cannot be empty` in Moodle HTTP responses, which indicates the injected payload is being evaluated by the PHP interpreter.
- Detect the multi-step exploit chain: sequential requests to /login/index.php → /my/courses.php → /lib/ajax/service.php → /question/bank/editquestion/question.php (POST with qtype=calculated) → question.php?wizardnow=datasetdefinitions → question.php?wizardnow=datasetitems&a= from the same session/IP.
- Use the Shodan query `title:"Moodle"` to identify exposed Moodle instances for proactive asset inventory and patch prioritization.
- Exploitation requires an authenticated session with the capability to add or update questions in a Moodle course. Unauthenticated exploitation is not possible.
- Affected versions span multiple release branches: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and earlier unsupported versions. Detection rules should not be scoped to a single version.
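The first two detection items above can be expressed as a small log check. The following is an added example, not code from any of the sources indexed on this page; the log format (`ip method path status "body"`) and the sample lines are constructed for the demonstration, and the markers and query parameters are the ones quoted in the list above.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Path and markers taken from the detection notes above.
QUESTION_EDIT_PATH = "/question/bank/editquestion/question.php"
INJECTION_MARKERS = ("(1)->{system(", "%7Bsystem%28")

# Constructed log format for this example (not a real server log format):
#   <client ip> <method> <path?query> <status> "<form body or empty>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3}) "(?P<body>.*)"$'
)

# Constructed sample lines: one matching each rule, two benign ones.
SAMPLE_LOG = """\
10.0.0.5 POST /question/bank/editquestion/question.php?courseid=2 200 "answer%5B0%5D=%7Bsystem%28"
10.0.0.5 GET /question/bank/editquestion/question.php?wizardnow=datasetitems&a=id 200 ""
10.0.0.9 GET /question/bank/editquestion/question.php?wizardnow=datasetdefinitions 200 ""
10.0.0.7 POST /login/index.php 303 ""
"""


def check_line(line):
    """Return (ip, rule_name) if the line matches one of the two rules, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m["target"])
    if parsed.path != QUESTION_EDIT_PATH:
        return None

    if m["method"] == "POST":
        # Rule 1: injection marker in the POST body, raw or URL-encoded.
        body = m["body"]
        if any(mk in body or mk in unquote(body) for mk in INJECTION_MARKERS):
            return (m["ip"], "post_injection_pattern")
    elif m["method"] == "GET":
        # Rule 2: wizardnow=datasetitems together with an a= parameter.
        qs = parse_qs(parsed.query, keep_blank_values=True)
        if qs.get("wizardnow") == ["datasetitems"] and "a" in qs:
            return (m["ip"], "datasetitems_trigger")
    return None


def scan(log_text):
    """Apply check_line to every line and collect the hits in order."""
    return [hit for hit in (check_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, rule in scan(SAMPLE_LOG):
        print(f"{ip}: {rule}")
```

Both hits come from the same client, which is what the exploit-chain item above asks you to correlate; in a real deployment the POST body would have to come from a request-logging layer (a WAF or reverse proxy), since standard access logs do not record form bodies.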
CVSS provenance
- NVD (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- OSV: 8.1 HIGH
OSV
CVE-2024-43425: A flaw was found in Moodle
osv · 2024-11-07 · CVSS 8.1 · HIGH
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.
OSV
Moodle Remote Code Execution vulnerability
osv · 2024-11-07 · HIGH
GHSA
Moodle Remote Code Execution vulnerability
ghsa · 2024-11-07 · HIGH · CWE-94
No detection rules found.
Exploit-DB
Moodle 4.4.0 - Authenticated Remote Code Execution
exploitdb · 2025-07-02 · CVSS 8.1 · HIGH
---
# Exploit Title: Moodle 4.4.0 - Authenticated Remote Code Execution
# Exploit Author: Likhith Appalaneni
# Vendor Homepage: https://moodle.org
# Software Link: https://github.com/moodle/moodle/releases/tag/v4.4.0
# Tested Version: Moodle 4.4.0
# Affected versions: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11
# Tested On: Ubuntu 22.04, Apache2, PHP 8.2
# CVE: CVE-2024-43425
# References:
# - https://github.com/aninfosec/CVE-2024-43425-Poc
# - https://nvd.nist.gov/vuln/detail/CVE-2024-43425
import argparse
import requests
import re
import sys
import subprocess
from bs4 import BeautifulSoup
import urllib.parse
requests.packages.urllib3.disable_warnings()
def get_login_token(session, login_url):
print("[*] Step 1: GET /logi
Metasploit
Moodle Remote Code Execution (CVE-2024-43425)
metasploit · CVSS 8.1 · HIGH
This module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution. Affected versions include 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and earlier unsupported versions.
Nuclei
Moodle - Remote Code Execution
nuclei · CVSS 8.1 · HIGH
Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
Template:
id: CVE-2024-43425
info:
  name: Moodle - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
  impact: |
    Authenticated attackers with question creation permissions can craft malicious calculated questions to execute arbitrary commands on the underlying system.
  remediation: |
    Apply se
No writeups or analysis indexed.