
CVE-2025-3645: Incorrect Authorization

Severity: Medium
Published: Fri Apr 25 2025 (04/25/2025, 14:43:15 UTC)
Source: CVE

Description

A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.

AI-Powered Analysis

Last updated: 06/24/2025, 20:20:06 UTC

Technical Analysis

CVE-2025-3645 is a medium-severity authorization flaw in Moodle, the open-source learning management system widely used by educational institutions. This page lists the affected versions as 4.1.0, 4.3.0, 4.4.0 and 4.5.0; the precise affected ranges and the fixed releases should be taken from Moodle's own security advisory for this CVE, since a CVE entry of this kind often names the start of a branch rather than a single build. The weakness is a missing capability check in one of Moodle's messaging web service functions. Moodle exposes such functions to logged-in users through its AJAX and web service endpoints, and the function in question returned other users' names and online status without verifying that the caller was permitted to see them. Exploitation therefore needs nothing more than an authenticated account with ordinary privileges and a request to that function: no user interaction is required, and the flaw permits neither modification of data nor disruption of service. The CVSS v3.1 base score is 4.3, consistent with a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, low confidentiality impact and no integrity or availability impact (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). No exploitation in the wild has been reported, and no patch or vendor advisory is linked from this page. The practical concern is disclosure of user identity and presence information, which supports reconnaissance (confirming valid accounts and learning who is active and when) and social engineering in targeted attacks.

Potential Impact

For European organizations, particularly universities and schools that rely on Moodle for course delivery and communication, this vulnerability means that any account holder (a student, a contractor, or whoever controls a compromised account) can enumerate other users' names and see who is currently online. Integrity and availability are unaffected, but names and online status are personal data under the GDPR, and their exposure to users with no legitimate need for them is a confidentiality incident that may have to be assessed against the regulation's breach-notification duties. Operationally, knowing who is logged in and when supports targeted phishing (messaging a user who is demonstrably active), profiling of user behaviour, and the selection of further targets. The effect scales with institution size: large deployments have many more accounts to enumerate and many more low-trust accounts from which to do it. The requirement for an authenticated account rules out purely anonymous exploitation, but in education self-registration, bulk-provisioned accounts and weak student credentials mean that an authenticated foothold is often easy to obtain, so existing access controls should not be counted on as much of a mitigation.

Mitigation Recommendations

Start by establishing which Moodle branch is in use (version.php in the Moodle root records the release) and consult Moodle's security advisories for the fixed releases of each supported branch; upgrade as soon as a fixed release is available for your branch. Until then, be realistic about what interim controls can do. Because the flaw is a missing capability check inside the service function itself, tightening role permissions on the ordinary messaging features cannot be relied on to block the call. The stronger interim control is to disable the messaging system site-wide (Site administration > General > Messaging > Messaging settings) where it is not needed, verifying afterwards that the messaging web service functions are in fact rejected, and to disable unused web service protocols and the mobile web service so that fewer endpoints reach the function. Network-level restrictions (VPN or IP allow-listing for the Moodle front end) reduce exposure from outside but do nothing against an insider or a compromised student account, which is the realistic attacker here. For detection, the web server's access logs are the most dependable source: AJAX calls go to lib/ajax/service.php with the function name in the info query parameter, and REST calls go to webservice/rest/server.php with it in wsfunction, so a single session invoking messaging functions (names beginning core_message_) at a high rate is the signature to alert on. Finally, cover information disclosure through messaging in user awareness material, and make sure incident response plans treat enumeration of accounts as a precursor that warrants looking for follow-on phishing or credential attacks.
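The detection idea above, as an added example that is not part of the original page and not Moodle's own code: it scans web-server access logs for Moodle web service calls and flags any session that invokes messaging functions at an enumeration-like rate. It assumes the combined log format, that the AJAX endpoint /lib/ajax/service.php carries the function name in the info parameter and the REST endpoint /webservice/rest/server.php in wsfunction, and that the threshold (20 calls) and window (5 minutes) are starting points to be tuned against a site's own baseline. The log lines, IPs, session keys and tokens are constructed for the example.

```python
"""Detection example: find sessions that call Moodle messaging web-service
functions at an enumeration-like rate, from web-server access logs.

Added example, not Moodle code. Assumptions (all labelled): the web server
writes the combined log format; Moodle's AJAX endpoint /lib/ajax/service.php
names the called function(s) in the `info` query parameter and the REST
endpoint /webservice/rest/server.php names it in `wsfunction`; the threshold
and window are arbitrary starting points to tune against a site's baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Endpoint path -> query parameter that carries the web-service function name.
ENDPOINTS = {
    "/lib/ajax/service.php": "info",
    "/webservice/rest/server.php": "wsfunction",
}
MESSAGING_PREFIX = "core_message_"


def parse_line(line):
    """Return (timestamp, caller key, [function names]) for a Moodle
    web-service request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    param = ENDPOINTS.get(parts.path)
    if param is None:
        return None
    qs = parse_qs(parts.query)
    if not qs.get(param):
        return None
    # The AJAX endpoint can batch several functions, comma separated.
    names = [f for f in qs[param][0].split(",") if f]
    # The access log carries no Moodle user name, so key the caller by
    # client IP plus session key (AJAX) or token (REST), whichever is present.
    sess = (qs.get("sesskey") or qs.get("wstoken") or ["-"])[0]
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, f"{m.group('ip')}/{sess}", names


def flag_enumeration(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {caller: peak count} for every caller that invokes messaging
    functions at least `threshold` times inside any `window`-long span."""
    stamps_by_caller = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, caller, names = parsed
        for name in names:
            if name.startswith(MESSAGING_PREFIX):
                stamps_by_caller[caller].append(ts)
    flagged = {}
    for caller, stamps in stamps_by_caller.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[caller] = peak
    return flagged


def sample_log():
    """Constructed access-log lines (not real traffic): one session probing a
    messaging function every 10 s for 25 calls, one session making three
    ordinary messaging calls, one REST call, and unrelated requests."""
    base = datetime(2025, 4, 25, 14, 43, 15, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {url} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    def line(ip, offset, url, method="POST"):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, method=method, url=url)

    probe = "/lib/ajax/service.php?sesskey=abc123&info=core_message_search_users"
    normal = "/lib/ajax/service.php?sesskey=def456&info=core_message_get_conversations"
    rest = ("/webservice/rest/server.php?wstoken=tok9"
            "&wsfunction=core_message_get_conversations&moodlewsrestformat=json")
    return (
        [line("203.0.113.7", 10 * i, probe) for i in range(25)]
        + [line("198.51.100.4", 10 * i, normal) for i in range(3)]
        + [line("192.0.2.9", 40, rest, method="GET")]
        + [line("198.51.100.4", 50, "/lib/ajax/service.php?sesskey=def456&info=core_course_get_contents")]
        + [line("198.51.100.4", 60, "/course/view.php?id=2", method="GET")]
    )


if __name__ == "__main__":
    for caller, peak in flag_enumeration(sample_log()).items():
        print(f"possible user enumeration: {caller} made {peak} messaging calls in 5 min")
```

Run against the constructed sample, only the probing session (25 calls in four minutes) is flagged; the three-call session and the single REST call stay below the threshold. Keying on IP plus session key rather than IP alone keeps NAT'd campus networks from tripping the rule, and the sliding window means a slow burn spread over an hour is missed on purpose; lower the threshold or widen the window if a site's baseline shows messaging functions are rarely called in bursts.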


Technical Details

Data Version: 5.1
Assigner Short Name: fedora
Date Reserved: 2025-04-15T13:05:26.013Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef6a2

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 8:20:06 PM

Last updated: 8/5/2025, 3:59:38 AM

