
CVE-2025-62400: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Medium
Type: Vulnerability
Published: Thu Oct 23 2025 (10/23/2025, 11:28:43 UTC)
Source: CVE Database V5

Description

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 15:50:43 UTC

Technical Analysis

CVE-2025-62400 is a vulnerability identified in Moodle versions 4.1.0, 4.4.0, 4.5.0, and 5.0.0 that results in the exposure of sensitive information related to hidden groups. Specifically, users who have the permission to create calendar events can view the names of groups that are otherwise hidden and restricted from their view. This occurs because the permission check for viewing hidden groups is not properly enforced in the calendar event creation functionality, leading to an unauthorized disclosure of group names. The vulnerability is classified with a CVSS 3.1 base score of 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts confidentiality only. The flaw does not affect the integrity or availability of the system. No known exploits have been reported in the wild, but the information leakage could aid attackers in reconnaissance or social engineering by revealing private group structures. This vulnerability highlights a common issue in access control enforcement where different permission checks are inconsistently applied across features. The lack of patch links suggests that fixes may be pending or available through Moodle's official updates. Organizations using affected Moodle versions should verify their access control configurations and monitor for updates.

Potential Impact

The primary impact of CVE-2025-62400 is the unauthorized disclosure of sensitive information, specifically the names of hidden groups within Moodle. This can lead to privacy violations, as group names may reveal confidential organizational structures, project details, or membership information. Such information leakage can facilitate targeted social engineering attacks, phishing campaigns, or insider threats by providing attackers with insights into restricted groups. Although the vulnerability does not affect system integrity or availability, the breach of confidentiality can undermine trust in the platform and potentially violate data protection regulations, especially in educational or governmental institutions. The scope of impact is limited to users who have calendar event creation permissions but not group viewing rights, which may include a broad set of users depending on organizational role assignments. Since Moodle is widely used globally in education and training environments, the exposure of sensitive group information could have reputational and compliance consequences for affected organizations.

Mitigation Recommendations

To mitigate CVE-2025-62400, organizations should first apply any official patches or updates released by Moodle that address this vulnerability. If patches are not yet available, administrators should review and tighten permission assignments, ensuring that only trusted users have the ability to create calendar events, especially if they should not access hidden group information. Implementing strict role-based access control (RBAC) policies can limit exposure. Additionally, administrators can audit existing calendar event permissions and hidden group configurations to identify and remediate any inconsistencies. Monitoring logs for unusual access patterns related to calendar event creation may help detect exploitation attempts. Educating users about the sensitivity of group information and enforcing least privilege principles will reduce risk. Finally, organizations should stay informed about Moodle security advisories and promptly deploy updates when released.
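
The audit of calendar event permissions against hidden-group access recommended above can be scripted over an export of role capability assignments. This is an added example, not code from Moodle or from this advisory; the capability names and the sample rows are assumptions (the rows are constructed), so confirm the names against the site's own capability list.

```python
from collections import defaultdict

# Permission values as stored in Moodle's role_capabilities table.
ALLOW, PREVENT, PROHIBIT = 1, -1, -1000

# Assumed capability names (not given in the advisory); verify on your site.
EVENT_CAPS = {
    "moodle/calendar:manageentries",
    "moodle/calendar:managegroupentries",
}
HIDDEN_GROUPS_CAP = "moodle/course:viewhiddengroups"

# Constructed sample export: (role shortname, capability, permission).
SAMPLE_ROWS = [
    ("editingteacher", "moodle/calendar:manageentries", ALLOW),
    ("editingteacher", "moodle/calendar:managegroupentries", ALLOW),
    ("editingteacher", HIDDEN_GROUPS_CAP, ALLOW),
    ("teacher", "moodle/calendar:managegroupentries", ALLOW),
    ("student", "moodle/calendar:manageentries", PREVENT),
    ("groupleader", "moodle/calendar:manageentries", ALLOW),
    ("groupleader", HIDDEN_GROUPS_CAP, ALLOW),
    ("groupleader", HIDDEN_GROUPS_CAP, PROHIBIT),  # override in a lower context
]


def roles_exposed(rows):
    """Return [(role, [event caps])] for roles that can create calendar
    events but are not granted the hidden-groups capability."""
    perms = defaultdict(lambda: defaultdict(list))
    for role, cap, perm in rows:
        perms[role][cap].append(perm)

    def granted(role, cap):
        values = perms[role].get(cap, [])
        # A prohibit anywhere wins; otherwise at least one allow is needed.
        return ALLOW in values and PROHIBIT not in values

    findings = []
    for role in sorted(perms):
        event_caps = sorted(c for c in EVENT_CAPS if granted(role, c))
        if event_caps and not granted(role, HIDDEN_GROUPS_CAP):
            findings.append((role, event_caps))
    return findings


if __name__ == "__main__":
    for role, caps in roles_exposed(SAMPLE_ROWS):
        print(f"{role}: can create events via {caps} without hidden-group access")
```

Roles reported by the script are the ones whose members fall into the population the description names: able to create calendar events, not permitted to view hidden groups.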


Technical Details

Data Version: 5.1
Assigner Short Name: fedora
Date Reserved: 2025-10-13T10:12:30.926Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68fa15ae457d6b06b51715ea

Added to database: 10/23/2025, 11:46:54 AM

Last enriched: 2/27/2026, 3:50:43 PM

Last updated: 3/26/2026, 8:41:42 AM
