CVE-2025-67848
Published: 03 February 2026
Summary
CVE-2025-67848 is a high-severity Improper Handling of Insufficient Permissions or Privileges (CWE-280) vulnerability in Moodle. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 18.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, directly addressing the LTI handlers' failure to check and block suspended users during authentication.
AC-2 requires proper account management including suspension and disabling of accounts, ensuring suspension status is propagated and enforced across all authentication paths like LTI.
IA-2 establishes identification and authentication for organizational users, requiring mechanisms that verify user status to mitigate bypasses in specialized protocols such as LTI Provider.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass in public-facing Moodle LTI directly enables exploitation of the web app (T1190) and use of suspended but otherwise valid accounts (T1078).
NVD Description
A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted.
Deeper analysis
CVE-2025-67848, published on 2026-02-03, is an authentication bypass vulnerability in Moodle's Learning Tools Interoperability (LTI) Provider. The flaw stems from LTI authentication handlers failing to enforce a user's suspension status, allowing suspended users to authenticate and gain unauthorized access to the system. This can result in information disclosure or other unauthorized actions by restricted users. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-280.
The vulnerability requires low privileges (PR:L), typically held by suspended users, and can be exploited over the network with low complexity and no user interaction. An attacker with a suspended account can authenticate through the LTI Provider, bypassing suspension checks, to achieve high impacts on confidentiality and integrity, such as accessing sensitive data or performing unauthorized modifications.
Advisories and discussions on mitigation are available from Red Hat at https://access.redhat.com/security/cve/CVE-2025-67848, Red Hat Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2423831, and Moodle forums at https://moodle.org/mod/forum/discuss.php?d=471298.
Details
- CWE(s)