Cyber Resilience

CVE-2025-67851

Medium

Published: 03 February 2026

Published
03 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L
EPSS Score 0.0006 19.7th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67851 is a medium-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Moodle Moodle. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 19.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-67851 is a formula injection vulnerability in Moodle, where data fields are exported without proper escaping. This flaw allows malicious data to be injected, which, when the exported file is opened in a spreadsheet application, can trigger the execution of arbitrary formulas. The vulnerability is rated with a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L) and is associated with CWE-1236. It was published on 2026-02-03.

A remote attacker with low privileges can exploit this vulnerability by submitting malicious data into Moodle. Exploitation requires local access to export the data and subsequent user interaction to open the exported file in a spreadsheet program. Successful exploitation enables arbitrary formula execution within the spreadsheet, resulting in low confidentiality impact, high integrity impact through compromised data integrity, and low availability impact from unintended operations.

Mitigation details and patches are documented in advisories available at https://access.redhat.com/security/cve/CVE-2025-67851, https://bugzilla.redhat.com/show_bug.cgi?id=2423841, and https://moodle.org/mod/forum/discuss.php?d=471301.

EU & UK References

Vulnerability details

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas…

more

to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

Formula injection in exported Moodle data creates malicious files (T1204.002) whose opening triggers arbitrary command execution via spreadsheet formula evaluation (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47857Same product: Moodle Moodle
CVE-2026-26046Same product: Moodle Moodle
CVE-2025-67853Same product: Moodle Moodle
CVE-2025-67856Same product: Moodle Moodle
CVE-2026-26045Same product: Moodle Moodle
CVE-2025-67850Same product: Moodle Moodle
CVE-2025-26530Same product: Moodle Moodle
CVE-2025-26533Same product: Moodle Moodle
CVE-2025-26525Same product: Moodle Moodle
CVE-2025-26529Same product: Moodle Moodle

Affected Assets

moodle
moodle
5.1.0 · ≤ 4.1.22 · 4.4.0 — 4.4.11 · 4.5.0 — 4.5.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of data fields before export so that formula metacharacters are rejected or escaped, directly blocking the injection vector in CVE-2025-67851.

prevent

Mandates filtering and encoding of organizational information on output (export), ensuring spreadsheet formulas cannot be injected unescaped as described in the CVE.

detect

Requires verification of information integrity on exported artifacts, enabling detection of unauthorized formula content introduced by the Moodle flaw.

References