
CVE-2025-11344

Severity: Medium
Published: 06 October 2025
Modified: 23 January 2026
KEV Added: not listed
Patch: fixed in 8.24, 9.14 and 10.2
CVSS Score (v4): 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0031 (54.4th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11344 is a medium-severity Injection (CWE-74) vulnerability in ILIAS (listed under vendor/product "Ilias Ilias"). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 45.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-11344 is a remote code execution vulnerability affecting ILIAS, an open-source learning management system, in versions up to 8.23, 9.13, and 10.1. The issue resides in an unspecified function of the Certificate Import Handler component and is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, i.e. Injection) and CWE-94 (Improper Control of Generation of Code). It was published on 2025-10-06 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L); the CVSS v4 score given in the record header is 5.3.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L), but exploitation requires user interaction (UI:R), for example a legitimate user being persuaded to import a malicious certificate. Successful exploitation enables remote code execution in the context of the affected component, with low impact on confidentiality, integrity, and availability (C:L/I:L/A:L) and no scope change (S:U).

Advisories recommend upgrading to ILIAS versions 8.24, 9.14, or 10.2 to address the issue. Detailed information is available in the official ILIAS documentation at https://docu.ilias.de/go/blog/15821/882 and security reports from VulDB (https://vuldb.com/?ctiid.327229, https://vuldb.com/?id.327229, https://vuldb.com/?submit.664889) as well as SRLabs analysis at https://srlabs.de/blog/breaking-ilias-part-2-three-to-rce.


Vulnerability details

A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version 8.24, 9.14 and 10.2 addresses this issue. It is recommended to upgrade the affected component.

CWE(s)

CWE-74 (Injection)
CWE-94 (Improper Control of Generation of Code)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The flaw is unauthenticated remote code execution via code injection (CWE-94) in the public-facing ILIAS certificate import handler. That maps to exploitation of a public-facing application (T1190) for initial access and, once code runs, to abuse of a command or scripting interpreter (T1059, as cited in the advisory).

CVEs Like This One

CVE-2025-11345 (same product: Ilias Ilias)
CVE-2026-7703 (shared CWE-74, CWE-94)
CVE-2026-5739 (shared CWE-74, CWE-94)
CVE-2024-54756 (shared CWE-94)
CVE-2024-21760 (shared CWE-94)
CVE-2026-41258 (shared CWE-94)
CVE-2026-6543 (shared CWE-94)
CVE-2025-26936 (shared CWE-94)
CVE-2026-24937 (shared CWE-94)
CVE-2025-22906 (shared CWE-94)

Affected Assets

Vendor: ilias
Product: ilias
Affected versions: 8.23, 9.13, 10.1

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10 Information Input Validation): Directly mitigates the CWE-74 injection and CWE-94 code generation flaws by enforcing input validation on certificate imports so that malicious payloads are rejected before they are processed.

Prevent (SI-2 Flaw Remediation): Ensures timely flaw remediation by patching or upgrading to ILIAS versions 8.24, 9.14, or 10.2 as recommended, eliminating the RCE vulnerability.

Detect (RA-5 Vulnerability Monitoring and Scanning): Vulnerability scanning identifies injection and code execution flaws in the Certificate Import Handler, enabling remediation before exploitation.
