CVE-2025-32045 is a vulnerability identified in Moodle, a widely used open-source learning management system (LMS). The flaw arises from missing authorization checks in certain grade report functionalities. Specifically, the vulnerability allows users who do not possess the necessary permissions or capabilities to access grades that are intended to be hidden. This occurs due to insufficient capability verification within the affected Moodle versions 4.1.17, 4.3.11, 4.4.7, and 4.5.3. The issue is categorized as a missing authorization vulnerability, meaning that the system fails to properly enforce access control policies, thereby exposing sensitive academic data. Although no known exploits are currently reported in the wild, the nature of the vulnerability could allow unauthorized disclosure of confidential student performance data. The flaw does not require user interaction beyond normal use of the Moodle platform and does not appear to require authentication beyond the user’s existing access level, which may be a low-privilege user such as a student or a non-privileged staff member. The vulnerability impacts confidentiality primarily, as it exposes hidden grades, but does not directly affect system integrity or availability. The vulnerability was published on April 25, 2025, and has been enriched by CISA, indicating recognition by cybersecurity authorities. No patch links are provided in the information, suggesting that users should monitor official Moodle channels for updates or apply recommended security configurations to mitigate risk.

For European organizations, especially educational institutions such as universities, colleges, and schools that rely on Moodle for course management and grading, this vulnerability poses a significant risk to the confidentiality of student data. Unauthorized access to hidden grades can lead to privacy violations, potential breaches of data protection regulations such as the GDPR, and reputational damage. The exposure of sensitive academic records could undermine trust in the institution’s ability to safeguard personal information. Additionally, unauthorized grade disclosure could facilitate academic dishonesty or manipulation, affecting the integrity of educational outcomes. While the vulnerability does not directly compromise system availability or integrity, the breach of confidentiality alone can have serious legal and operational consequences. Given Moodle's widespread adoption across Europe, the impact could be broad, affecting both public and private educational entities. Institutions may face regulatory scrutiny and potential fines if they fail to protect student data adequately.

Organizations should immediately verify their Moodle installations to determine if they are running any of the affected versions (4.1.17, 4.3.11, 4.4.7, 4.5.3). In the absence of an official patch, administrators should restrict access to grade report functionalities to only trusted roles with verified permissions. This can be achieved by reviewing and tightening role capabilities and permissions within Moodle’s administration settings, ensuring that only authorized staff members can view hidden grades. Monitoring access logs for unusual or unauthorized access attempts to grade reports is recommended. Institutions should also implement strict user role management policies, regularly auditing user privileges to prevent privilege escalation or misuse. Where possible, upgrading to a newer, patched version of Moodle once available is critical. Additionally, organizations should educate users about the sensitivity of grade information and enforce policies that limit data sharing. Finally, maintaining compliance with GDPR and other relevant data protection frameworks by documenting mitigation efforts and incident response plans will help reduce regulatory risks.