CVE-2025-67847
published 2026-01-23CVE-2025-67847: A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient…
PriorityP262high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.53%
40.6th percentile
A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moodle | moodle | < 4.1.22 | 4.1.22 |
| moodle | moodle | — | — |
| moodle | moodle | >= 0 < 4.1.22 | 4.1.22 |
| moodle | moodle | >= 4.2.0-beta < 4.4.12 | 4.4.12 |
| moodle | moodle | >= 4.4.0 < 4.4.12 | 4.4.12 |
| moodle | moodle | >= 4.5.0 < 4.5.8 | 4.5.8 |
| moodle | moodle | >= 4.5.0-beta < 4.5.8 | 4.5.8 |
| moodle | moodle | >= 5.0.0 < 5.0.4 | 5.0.4 |
| moodle | moodle | >= 5.0.0-beta < 5.0.4 | 5.0.4 |
| moodle | moodle | >= 5.1.0-beta < 5.1.1 | 5.1.1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor access to Moodle's restore interface for unexpected or unauthorized restore operations, which is the attack vector for this RCE vulnerability. ↗
- →Alert on server-side code execution originating from Moodle core restore routines, indicating exploitation of insufficient restore input validation. ↗
- ·No public exploit is currently available for this CVE, reducing immediate exploitation risk but not eliminating it. ↗
- ·Exploitation requires an authenticated attacker with access to the Moodle restore interface; restrict this privilege to trusted users only. ↗
- ·Fixes are available: Composer fix added January 23, 2026 and Nix fix added March 9, 2026. Patch immediately. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Moodle affected by a code injection vulnerability
ghsa·2026-01-23
CVE-2025-67847 [HIGH] CWE-94 Moodle affected by a code injection vulnerability
Moodle affected by a code injection vulnerability
A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.
OSV
Moodle affected by a code injection vulnerability
osv·2026-01-23
CVE-2025-67847 [HIGH] Moodle affected by a code injection vulnerability
Moodle affected by a code injection vulnerability
A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.
OSV
CVE-2025-67847: A flaw was found in Moodle
osv·2026-01-23·CVSS 8.8
CVE-2025-67847 [HIGH] CVE-2025-67847: A flaw was found in Moodle
A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-67847 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-67847 [HIGH] CVE-2025-67847 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67847 :
PHP vulnerability analysis and mitigation
A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.
Source : NVD
## 8.8
Score
Published January 23, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
moodle
moodle/moodle
Sources
NVD
Composer Severit
Bugzilla
CVE-2025-67847 moodle: Moodle: Remote Code Execution via insufficient restore input validation [fedora-42]
bugzilla·2025-12-19·CVSS 8.8
CVE-2025-67847 [HIGH] CVE-2025-67847 moodle: Moodle: Remote Code Execution via insufficient restore input validation [fedora-42]
CVE-2025-67847 moodle: Moodle: Remote Code Execution via insufficient restore input validation [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's polic
2026-01-23
Published