CVE-2025-67853
Published: 03 February 2026
Summary
CVE-2025-67853 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Moodle Moodle. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2025-67853 is a vulnerability in Moodle stemming from a lack of proper rate limiting in the confirmation email service. This flaw enables remote attackers to more easily enumerate or guess user credentials, thereby facilitating brute-force attacks against user accounts. The issue is classified under CWE-307 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It was published on 2026-02-03.
The vulnerability can be exploited by any remote attacker requiring no privileges, user interaction, or special conditions beyond network access. Attackers can leverage the absence of rate limiting to perform efficient credential guessing or enumeration via the confirmation email service, resulting in high confidentiality impact through unauthorized access to user accounts.
Red Hat provides details on mitigation in its security advisory at https://access.redhat.com/security/cve/CVE-2025-67853, with an associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2423847.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206748
Vulnerability details
A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Lack of rate limiting directly enables brute-force credential guessing (T1110) against the public-facing Moodle confirmation service (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly implements rate limiting and denial-of-service protections to prevent attackers from exploiting the lack of rate limiting in Moodle's confirmation email service for credential enumeration and brute-force attacks.
Enforces limits on consecutive unsuccessful logon attempts to mitigate brute-force attacks against user accounts facilitated by the vulnerability.
Remediates the specific software flaw in Moodle by applying patches or updates that address the absence of proper rate limiting in the confirmation email service.