cbcvebase.
CVE-2024-43425
published 2024-11-07

Priority: P2 · 76 · CVSS 3.1: 8.1 high
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: EXPLOIT
EPSS: 83.34% (99.6th percentile)
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.

Affected (8 ranges)

Vendor   Product   Version range            Fixed in
moodle   moodle    < 4.1.12                 4.1.12
moodle   moodle    >= 0 < 4.1.12            4.1.12
moodle   moodle    >= 4.2.0 < 4.2.9         4.2.9
moodle   moodle    >= 4.2.0-beta < 4.2.9    4.2.9
moodle   moodle    >= 4.3.0 < 4.3.6         4.3.6
moodle   moodle    >= 4.3.0-beta < 4.3.6    4.3.6
moodle   moodle    >= 4.4.0 < 4.4.2         4.4.2
moodle   moodle    >= 4.4.0-beta < 4.4.2    4.4.2

Detection & IOCs (extracted from sources)

url: /question/bank/editquestion/question.php
url: /question/bank/editquestion/question.php?wizardnow=datasetdefinitions
command: answer%5B0%5D=%281%29-%3E%7Bsystem%28%24_GET%5Bchr%2897%29%5D%29%7D
path: /question/bank/editquestion/question.php?wizardnow=datasetitems
path: /lib/ajax/service.php
cookie: MoodleSession
  • Detect exploitation attempts by monitoring POST requests to /question/bank/editquestion/question.php containing the PHP system() injection pattern in the answer[0] parameter, specifically the string `(1)->{system(` or URL-encoded equivalent `%7Bsystem%28`.
  • Alert on GET requests to /question/bank/editquestion/question.php with both `wizardnow=datasetitems` and an `a=` query parameter, which is the RCE trigger mechanism passing the OS command.
  • Monitor for the PHP error string `system(): Argument #1 ($command) cannot be empty` in Moodle HTTP responses, which indicates the injected payload is being evaluated by the PHP interpreter.
  • Detect the multi-step exploit chain: sequential requests to /login/index.php → /my/courses.php → /lib/ajax/service.php → /question/bank/editquestion/question.php (POST with qtype=calculated) → question.php?wizardnow=datasetdefinitions → question.php?wizardnow=datasetitems&a= from the same session/IP.
  • Use Shodan query `title:"Moodle"` to identify exposed Moodle instances for proactive asset inventory and patch prioritization.
  • Exploitation requires an authenticated session with the capability to add or update questions in a Moodle course. Unauthenticated exploitation is not possible.
  • Affected versions span multiple release branches: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and earlier unsupported versions. Detection rules should not be scoped to a single version.
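The first two detection bullets above, written out as an added Python example (not code from this page or from Moodle): the request records are constructed to mirror the listed IOCs, and the rule labels are my own names.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

QUESTION_PATH = "/question/bank/editquestion/question.php"

# Formula text that breaks out into a PHP method call on system(), per the IOCs:
# matches "(1)->{system(" once the form body has been URL-decoded.
INJECT_RE = re.compile(r"\)\s*->\s*\{\s*system\s*\(", re.IGNORECASE)

# Constructed sample requests (method, path+query, body); the first two mirror the
# IOCs above, the last two are benign calculated-question edits for contrast.
SAMPLE_REQUESTS = [
    ("POST", QUESTION_PATH,
     "qtype=calculated&answer%5B0%5D=%281%29-%3E%7Bsystem%28%24_GET%5Bchr%2897%29%5D%29%7D"),
    ("GET", QUESTION_PATH + "?wizardnow=datasetitems&a=x", ""),
    ("POST", QUESTION_PATH, "qtype=calculated&answer%5B0%5D=%7Bx%7D%2B1"),
    ("GET", QUESTION_PATH + "?wizardnow=datasetdefinitions", ""),
]


def classify(method, target, body):
    """Return the detection labels that fire for one request ([] when none)."""
    url = urlparse(target)
    if url.path != QUESTION_PATH:
        return []
    hits = []
    if method == "POST":
        # parse_qs decodes keys and values once; the extra unquote() also catches
        # a double-encoded payload such as %257Bsystem%2528.
        form = parse_qs(body, keep_blank_values=True)
        for key, values in form.items():
            if key.startswith("answer[") and any(INJECT_RE.search(unquote(v)) for v in values):
                hits.append("calculated-answer-system-injection")
                break
    elif method == "GET":
        query = parse_qs(url.query, keep_blank_values=True)
        # Second bullet: the datasetitems wizard step together with an a= parameter.
        if query.get("wizardnow") == ["datasetitems"] and "a" in query:
            hits.append("datasetitems-trigger-with-a-param")
    return hits


def scan(requests):
    """Map the index of every flagged request to its labels; quiet ones are omitted."""
    results = {}
    for index, (method, target, body) in enumerate(requests):
        labels = classify(method, target, body)
        if labels:
            results[index] = labels
    return results
```

Feeding real access-log or WAF records through classify() needs the POST body, so this rule belongs where request bodies are logged (reverse proxy, WAF or application layer), not on path-only access logs.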

CVSS provenance

NVD: v3.1 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
OSV: 8.1 HIGH