
CVE-2025-62394: Incorrect Authorization

Severity: Medium
Published: Thu Oct 23 2025 (10/23/2025, 11:28:27 UTC)
Source: CVE Database V5

Description

Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.

AI-Powered Analysis

Last updated: 10/23/2025, 11:55:02 UTC

Technical Analysis

CVE-2025-62394 is an authorization vulnerability identified in Moodle versions 4.5.0 and 5.0.0, published on October 23, 2025. The flaw arises because Moodle fails to correctly verify the enrolment status of users when sending quiz notifications. Specifically, suspended or inactive users, who should not receive such communications, may still be sent quiz-related messages. This results in an unintended information disclosure, leaking limited course details to unauthorized users. The vulnerability has a CVSS v3.1 base score of 4.3, indicating medium severity, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This means the vulnerability can be exploited remotely over the network with low attack complexity and requires privileges equivalent to a logged-in user but no user interaction. The impact is limited to confidentiality, as no integrity or availability issues are involved. There are no known exploits in the wild, and no official patches have been linked at the time of publication. The vulnerability is significant for organizations relying on Moodle for e-learning, as it may expose course-related information to users who should not have access, potentially violating privacy policies and data protection regulations.

Potential Impact

For European organizations, particularly educational institutions and e-learning providers using Moodle versions 4.5.0 or 5.0.0, this vulnerability poses a risk of unauthorized information disclosure. Although the leaked information is limited to quiz notifications and does not compromise system integrity or availability, it could still reveal sensitive course content or assessment details to suspended or inactive users. This may undermine the confidentiality of educational materials and violate GDPR requirements regarding data protection and user privacy. The impact is more pronounced in large-scale deployments where many users are enrolled, increasing the likelihood of suspended or inactive accounts receiving unintended notifications. Additionally, reputational damage and loss of trust could occur if students or staff perceive the platform as insecure. However, since exploitation requires at least some level of user privilege and no user interaction, the risk is somewhat mitigated compared to more severe vulnerabilities.

Mitigation Recommendations

Organizations should monitor Moodle security advisories closely and apply official patches as soon as they become available to address CVE-2025-62394. Until patches are released, administrators can implement temporary controls such as reviewing and restricting notification settings to ensure quiz notifications are not sent to suspended or inactive users. Conducting an audit of user enrolment statuses and cleaning up inactive or suspended accounts can reduce the attack surface. Additionally, enabling logging and monitoring of notification delivery can help detect any unauthorized message dissemination. Educating staff and users about the issue and encouraging prompt reporting of suspicious notifications can further mitigate risk. Finally, organizations should consider upgrading to Moodle versions beyond 5.0.0 once patched versions are released, as these will likely include the fix and other security improvements.
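The authorization check the record describes as missing, shown as an added illustration that is not Moodle's code and is not part of this CVE record: a notification-recipient filter that only admits users whose enrolment is actually active. The `Enrolment` and `User` records, the sample data and the helper names are constructed for the example; the status conventions (0 = active/enabled, 1 = suspended/disabled, `timestart`/`timeend` as Unix times with 0 meaning unrestricted) are assumptions modelled on Moodle's `user_enrolments` and `enrol` tables. The naive variant reproduces the flawed pattern (any enrolment row counts) next to the hardened one.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption modelled on Moodle's conventions: in user_enrolments.status
# and enrol.status, 0 means active/enabled and 1 means suspended/disabled.
ACTIVE = 0


@dataclass(frozen=True)
class Enrolment:
    user_id: int
    course_id: int
    ue_status: int     # per-user enrolment status (0 active, 1 suspended)
    enrol_status: int  # status of the enrolment method instance (0 enabled, 1 disabled)
    timestart: int     # Unix time the enrolment begins, 0 = no restriction
    timeend: int       # Unix time the enrolment ends, 0 = no restriction


@dataclass(frozen=True)
class User:
    id: int
    suspended: bool    # account-level suspension
    deleted: bool      # soft-deleted account


def is_active_enrolment(enr: Enrolment, user: User, now: int) -> bool:
    """True only if this enrolment lets the user act in the course right now."""
    if user.deleted or user.suspended:
        return False
    if enr.ue_status != ACTIVE or enr.enrol_status != ACTIVE:
        return False
    if enr.timestart and enr.timestart > now:
        return False  # enrolment has not started yet
    if enr.timeend and enr.timeend <= now:
        return False  # enrolment has expired
    return True


def naive_recipients(course_id: int, enrolments: List[Enrolment],
                     users: Dict[int, User]) -> Set[int]:
    """The flawed pattern: every enrolment row in the course counts, whatever its status."""
    return {e.user_id for e in enrolments
            if e.course_id == course_id and e.user_id in users}


def active_recipients(course_id: int, enrolments: List[Enrolment],
                      users: Dict[int, User], now: int) -> Set[int]:
    """Hardened: only active enrolments of non-suspended, non-deleted accounts."""
    return {e.user_id for e in enrolments
            if e.course_id == course_id
            and e.user_id in users
            and is_active_enrolment(e, users[e.user_id], now)}


# Constructed sample data: course 10 has one genuinely active participant (user 1)
# and five enrolments that should not receive quiz notifications; user 7 is active
# in a different course (11).
NOW = 1_700_000_000
USERS: Dict[int, User] = {
    1: User(1, suspended=False, deleted=False),
    2: User(2, suspended=False, deleted=False),
    3: User(3, suspended=False, deleted=False),
    4: User(4, suspended=True, deleted=False),   # account suspended
    5: User(5, suspended=False, deleted=False),
    6: User(6, suspended=False, deleted=False),
    7: User(7, suspended=False, deleted=False),
}
ENROLMENTS: List[Enrolment] = [
    Enrolment(1, 10, ACTIVE, ACTIVE, 0, 0),            # active
    Enrolment(2, 10, 1, ACTIVE, 0, 0),                 # enrolment suspended
    Enrolment(3, 10, ACTIVE, ACTIVE, 0, NOW - 86400),  # enrolment expired yesterday
    Enrolment(4, 10, ACTIVE, ACTIVE, 0, 0),            # user account suspended
    Enrolment(5, 10, ACTIVE, 1, 0, 0),                 # enrolment method disabled
    Enrolment(6, 10, ACTIVE, ACTIVE, NOW + 86400, 0),  # starts tomorrow
    Enrolment(7, 11, ACTIVE, ACTIVE, 0, 0),            # active, other course
]

if __name__ == "__main__":
    print("naive:   ", sorted(naive_recipients(10, ENROLMENTS, USERS)))
    print("hardened:", sorted(active_recipients(10, ENROLMENTS, USERS, NOW)))
```

The difference between the two result sets is exactly the population the advisory is about: with the naive filter, users 2 through 6 would all receive quiz messages although none of them currently holds an active place in the course. For an audit, the same predicate run over a real enrolment export lists which accounts still fall on the wrong side of that line.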


Technical Details

Data Version: 5.1
Assigner Short Name: fedora
Date Reserved: 2025-10-13T10:12:30.925Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68fa15ae457d6b06b51715d2

Added to database: 10/23/2025, 11:46:54 AM

Last enriched: 10/23/2025, 11:55:02 AM

Last updated: 10/30/2025, 1:36:00 PM

