CVE-2025-67847: Class Is Cancelled: RCE in Moodle's Restore Interface (CVE-2025-67847)

#security #cve #cybersecurity

Class Is Cancelled: RCE in Moodle's Restore Interface (CVE-2025-67847)

Vulnerability ID: CVE-2025-67847
CVSS Score: 8.8
Published: 2026-01-23

A critical Remote Code Execution vulnerability in Moodle's core backup/restore functionality allows authenticated users (like Teachers) to compromise the entire server by uploading malicious course archives.

TL;DR

Moodle's course restore feature blindly trusts parts of the backup archive structure. An attacker with 'Teacher' privileges can upload a crafted .mbz backup file containing malicious payloads. When Moodle parses this file to restore the course, it triggers arbitrary code execution, handing the attacker a shell with web server privileges.

Technical Details

CWE ID: CWE-94 (Code Injection)
CVSS Score: 8.8 (High)
Attack Vector: Network (Authenticated)
Attack Complexity: Low
Privileges Required: Low (e.g., Teacher)
Impact: Confidentiality, Integrity, Availability (High)

Affected Systems

Moodle LMS 5.1.0
Moodle LMS 5.0.0 - 5.0.3
Moodle LMS 4.5.0 - 4.5.7
Moodle LMS 4.4.0 - 4.4.11
Moodle LMS 4.1.0 - 4.1.21
Moodle: = 5.1.0 (Fixed in: 5.1.1)
Moodle: >= 5.0.0, <= 5.0.3 (Fixed in: 5.0.4)
Moodle: >= 4.5.0, <= 4.5.7 (Fixed in: 4.5.8)
Moodle: >= 4.1.0, <= 4.1.21 (Fixed in: 4.1.22)

Mitigation Strategies

Role-Based Access Control (RBAC) Hardening
Input Validation & Sanitization
Patch Management

Remediation Steps:

Upgrade Moodle to version 5.1.1, 5.0.4, 4.5.8, 4.4.12, or 4.1.22 immediately.
Audit the 'Teacher' role and remove 'moodle/restore:restorecourse' capability where not strictly necessary.
Enable Multi-Factor Authentication (MFA) for all users with restore privileges to prevent credential reuse.
Review web server logs for suspicious uploads to the restore interface.