CVE-2025-3640
Published: 25 April 2025
Summary
CVE-2025-3640 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Moodle Moodle. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Discovery (T1087); ranked at the 37.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12522
Vulnerability details
A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission…
more
to access.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthorized access to other users' full names and profile image URLs in Moodle, facilitating account discovery (T1087).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.