CVE-2025-32045 identifies a missing authorization vulnerability in Moodle, a widely used open-source learning management system (LMS). The issue specifically affects Moodle versions 4.1.17, 4.3.11, 4.4.7, and 4.5.3. The vulnerability stems from insufficient capability checks in certain grade report modules, which are responsible for displaying student grades. Due to this flaw, users who lack the necessary permissions can access grade information that is intended to be hidden or restricted. The vulnerability can be exploited remotely without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is limited to confidentiality, with no effect on data integrity or system availability. While no public exploits have been reported, the flaw poses a privacy risk by exposing sensitive academic performance data. Moodle administrators should review and update their systems to the latest patched versions once available, or apply recommended configuration changes to enforce stricter access controls on grade reports. This vulnerability highlights the importance of rigorous authorization checks in LMS platforms to protect student data privacy.

The primary impact of CVE-2025-32045 is the unauthorized disclosure of confidential grade information within Moodle environments. This breach of confidentiality can undermine trust in educational institutions and potentially violate privacy regulations such as FERPA (U.S.) or GDPR (EU). Although the vulnerability does not affect data integrity or availability, the exposure of hidden grades can lead to reputational damage, student dissatisfaction, and possible legal consequences for organizations. Since the flaw allows remote exploitation without authentication, attackers or unauthorized users could systematically harvest sensitive grade data if the vulnerability is left unpatched. Educational institutions, certification bodies, and any organizations relying on Moodle for secure grade management are at risk. The scope of affected systems includes all Moodle installations running the specified vulnerable versions, which are widely deployed globally. The absence of known exploits reduces immediate risk, but the medium severity rating warrants timely remediation to prevent potential abuse.

1. Apply official patches from Moodle as soon as they are released for versions 4.1.17, 4.3.11, 4.4.7, and 4.5.3 to address the missing authorization checks. 2. In the interim, restrict access to grade report modules by adjusting role permissions to limit visibility only to trusted users such as instructors and administrators. 3. Conduct a thorough audit of user roles and capabilities related to grade viewing to ensure no unauthorized roles have access. 4. Implement network-level access controls to limit exposure of Moodle instances to trusted networks or VPNs, reducing the attack surface. 5. Monitor Moodle logs for unusual access patterns to grade reports, especially from accounts or IP addresses that should not have such permissions. 6. Educate Moodle administrators and instructors about the importance of maintaining strict access controls on sensitive academic data. 7. Consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting grade report endpoints. 8. Regularly update Moodle and all related plugins to the latest versions to benefit from security fixes and improvements.