CVE-2025-67851: Improper Neutralization of Formula Elements in a CSV File
A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.
AI Analysis
Technical Summary
CVE-2025-67851 identifies a formula injection vulnerability in Moodle, a widely used open-source learning management system. The flaw arises because Moodle exports CSV files containing user-supplied data fields without properly escaping or neutralizing formula characters such as '=', '+', '-', or '@' at the beginning of cells. When a CSV file containing such malicious input is opened in spreadsheet applications like Microsoft Excel or LibreOffice Calc, the embedded formulas execute automatically. This can lead to arbitrary code execution within the spreadsheet context, data manipulation, or triggering of unintended operations such as data exfiltration or malware execution via spreadsheet macros. The vulnerability affects multiple Moodle versions from 4.1.0 to 5.1.0. Exploitation requires the attacker to have low privileges (e.g., a user who can input data exported by administrators or other users) and the victim to open the exported CSV file, making user interaction necessary. The CVSS 3.1 score of 6.1 reflects medium severity, considering the low attack complexity but requirement for user action and limited scope to the exported CSV context. No public exploits have been reported yet. The vulnerability impacts data integrity and potentially confidentiality if malicious formulas exfiltrate data. The root cause is improper neutralization of formula elements in exported CSV files, a known vector for formula injection attacks in spreadsheet software.
Potential Impact
For European organizations, especially educational institutions and enterprises using Moodle for e-learning and data management, this vulnerability poses a risk of data integrity compromise and potential data leakage. Attackers could inject malicious formulas into exported CSV reports or gradebooks, which when opened by administrators or educators, could execute harmful spreadsheet operations. This could lead to unauthorized data modification, exposure of sensitive information, or triggering of malware payloads via spreadsheet macros. The impact is heightened in environments where exported CSV files are routinely shared or processed without strict validation. Given Moodle's popularity in European academic institutions, the risk extends to student data, grading records, and administrative reports. Although exploitation requires user interaction, the widespread use of spreadsheets for data analysis means the attack surface is significant. The vulnerability could also undermine trust in exported data and disrupt educational workflows.
Mitigation Recommendations
To mitigate CVE-2025-67851, organizations should apply patches from Moodle as soon as they become available. In the absence of patches, administrators should implement input validation and sanitization to escape or neutralize formula characters ('=', '+', '-', '@') at the start of any data fields exported to CSV. This can be done by prefixing such fields with a single quote or another neutral character to prevent formula execution. Educate users to be cautious when opening CSV files from untrusted sources and consider opening CSV exports in spreadsheet software with formula execution disabled or in a sandboxed environment. Additionally, restrict the ability of low-privilege users to input data that will be exported or reviewed by higher-privilege users. Monitoring exported files for suspicious content and employing endpoint protection to detect malicious spreadsheet activity can further reduce risk. Finally, review and update organizational policies on handling exported data files to include security best practices against formula injection.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: fedora
- Date Reserved: 2025-12-12T13:00:24.330Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6982fcd9f9fa50a62f767693
Added to database: 2/4/2026, 8:01:29 AM
Last enriched: 2/4/2026, 8:19:40 AM
Last updated: 2/7/2026, 2:45:57 AM