Cyber Resilience

CVE-2025-67847

HighRCE

Published: 23 January 2026

Published
23 January 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0053 40.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-67847 is a high-severity Code Injection (CWE-94) vulnerability in Moodle Moodle. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67847 is a code injection vulnerability (CWE-94) in Moodle, published on 2026-01-23, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw stems from insufficient validation of input in the restore interface, allowing unintended interpretation by core restore routines. This enables an attacker with access to the restore interface to trigger server-side execution of arbitrary code, potentially leading to full compromise of the Moodle application.

An attacker requires low privileges (PR:L) and network access to exploit this vulnerability with low complexity and no user interaction. Successful exploitation grants high-impact confidentiality, integrity, and availability effects, allowing arbitrary code execution on the server hosting Moodle. This could enable attackers to escalate privileges, steal data, modify content, or disrupt services within the affected Moodle instance.

Further details on mitigation, including patches and workarounds, are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2025-67847.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful…

more

exploitation could result in a full compromise of the Moodle application.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Code injection in public-facing Moodle restore interface directly enables remote arbitrary code execution (T1190) and subsequent command/script interpreter abuse (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26045Same product: Moodle Moodle
CVE-2025-26533Same product: Moodle Moodle
CVE-2025-26530Same product: Moodle Moodle
CVE-2025-67848Same product: Moodle Moodle
CVE-2025-67853Same product: Moodle Moodle
CVE-2026-26046Same product: Moodle Moodle
CVE-2021-47857Same product: Moodle Moodle
CVE-2025-26525Same product: Moodle Moodle
CVE-2025-26529Same product: Moodle Moodle
CVE-2025-67850Same product: Moodle Moodle

Affected Assets

moodle
moodle
5.1.0 · ≤ 4.1.22 · 4.4.0 — 4.4.12 · 4.5.0 — 4.5.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of information inputs, directly mitigating the insufficient validation of restore interface inputs that enables arbitrary code execution.

prevent

Mandates identification, reporting, and correction of system flaws like this code injection vulnerability, ensuring patches are applied to prevent exploitation.

prevent

Enforces least privilege to restrict access to the vulnerable restore interface, reducing the attack surface for low-privilege users.

References