CVE-2021-21809

CRITICAL

Moodle Authenticated Spelling Binary RCE

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-21809. PoCs published by anldori, Adam Reiser, h00die, including Metasploit module exploits/multi/http/moodle_spelling_path_rce.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-21809, a command execution vulnerability in Moodle's legacy spellchecker plugin. The exploit leverages administrator privileges to modify system paths and execute arbitrary commands via a reverse shell.

Description

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

Exploits (2)

nomisec WORKING POC 1 stars

by anldori · poc

https://github.com/anldori/CVE-2021-21809

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-21809, a command execution vulnerability in Moodle's legacy spellchecker plugin. The exploit leverages administrator privileges to modify system paths and execute arbitrary commands via a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Moodle 3.10

Auth required

Prerequisites: Administrator credentials · Network access to the target

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Adam Reiser, h00die · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/moodle_spelling_path_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Moodle's spellcheck settings, allowing authenticated administrators to execute arbitrary commands by manipulating the aspell path. It triggers the payload via a spellcheck RPC call.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Moodle 3.0.0+

Auth required

Prerequisites: Authenticated admin access to Moodle · Spellcheck settings accessible

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1277

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/164481/Moodle-SpellChecker-Path-Authenticated-Remote-Command-Execution.html

Scores

CVSS v3 9.1

EPSS 0.7290

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

moodle/moodle 3.10.0

moodle/moodle Packagist

Published Jun 23, 2021

Tracked Since Feb 18, 2026