CVE-2025-26525
Published: 24 February 2025
Summary
CVE-2025-26525 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Moodle. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 43.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly enforces input validation and sanitization mechanisms for TeX notation inputs to prevent malicious commands from triggering arbitrary file reads via pdfTeX.
Requires timely remediation of the specific sanitization flaw in Moodle's TeX filter through patching as documented in MDL-84136.
Mandates disabling unnecessary functions like the TeX notation filter or restricting pdfTeX usage to essential capabilities only, eliminating the vulnerable feature.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing Moodle web application enables exploitation via T1190; the arbitrary file read directly facilitates T1005, collecting data from the local system.
NVD Description
Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).
Deeper analysis
CVE-2025-26525 is a vulnerability in Moodle's TeX notation filter caused by insufficient sanitizing, resulting in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed. The issue affects Moodle deployments that have the TeX filter enabled alongside a compatible TeX environment.
An unauthenticated network attacker can exploit this vulnerability with low attack complexity and no user interaction required, as reflected in its CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). Successful exploitation enables high-impact confidentiality violations through arbitrary file reads, mapped to CWE-552 (Files or Directories Accessible to External Parties).
Mitigation details are documented in Moodle's resources, including a git commit search for MDL-84136 at https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136 and a related forum discussion at https://moodle.org/mod/forum/discuss.php?d=466141. The CVE was published on 2025-02-24T20:15:33.103.
Details
- CWE(s)