CVE-2025-11344
Published: 06 October 2025
Summary
CVE-2025-11344 is a medium-severity Injection (CWE-74) vulnerability in ILIAS. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). It is ranked at the 40.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the CWE-74 injection and CWE-94 code generation flaws by enforcing input validation on certificate imports, so that malicious payloads are rejected before they are processed.
- Flaw remediation: ensures timely remediation by patching or upgrading to ILIAS versions 8.24, 9.14, or 10.2, as recommended, to eliminate the RCE vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies the injection and code execution flaws in the Certificate Import Handler, enabling proactive remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw allows unauthenticated remote code execution via code injection (CWE-94) in the public-facing ILIAS certificate import handler. This maps to Exploit Public-Facing Application (T1190) and to abuse of a command or scripting interpreter (T1059, as cited in the advisory).
NVD Description
A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version 8.24, 9.14 and 10.2 addresses this issue. It is recommended to upgrade the affected component.
Deeper analysis
CVE-2025-11344 is a remote code execution vulnerability affecting ILIAS, an open-source learning management system, in versions up to 8.23, 9.13, and 10.1. The issue resides in an unknown functionality of the Certificate Import Handler component and is classified under CWE-74 (Injection) and CWE-94 (Improper Control of Generation of Code). It was published on 2025-10-06 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L), but exploitation requires user interaction (UI:R), such as tricking a legitimate user into importing a malicious certificate. Successful exploitation enables remote code execution in the context of the affected component, with low impact on confidentiality, integrity, and availability (C:L/I:L/A:L) and no scope change (S:U).
Advisories recommend upgrading to ILIAS versions 8.24, 9.14, or 10.2 to address the issue. Detailed information is available in the official ILIAS documentation at https://docu.ilias.de/go/blog/15821/882 and security reports from VulDB (https://vuldb.com/?ctiid.327229, https://vuldb.com/?id.327229, https://vuldb.com/?submit.664889) as well as SRLabs analysis at https://srlabs.de/blog/breaking-ilias-part-2-three-to-rce.
Details
- CWE(s)