CVE-2021-36394

CRITICAL LAB

Moodle - Remote Code Execution in Shibboleth Authentication Plugin

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-36394. PoCs published by dinhbaouit, lavclash75.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2021-36394, a deserialization vulnerability in Moodle. The PoC demonstrates how to achieve RCE by crafting malicious serialized objects and triggering their deserialization via specific HTTP requests.

Description

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

Exploits (2)

nomisec WORKING POC 12 stars

by dinhbaouit · poc

https://github.com/dinhbaouit/CVE-2021-36394

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2021-36394, a deserialization vulnerability in Moodle. The PoC demonstrates how to achieve RCE by crafting malicious serialized objects and triggering their deserialization via specific HTTP requests.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Moodle

Auth required

Prerequisites: Valid MoodleSession cookie · Access to vulnerable Moodle instance

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 10 stars

by lavclash75 · poc

https://github.com/lavclash75/CVE-2021-36394-Pre-Auth-RCE-in-Moodle

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2021-36394, a pre-authentication RCE vulnerability in Moodle's Shibboleth authentication module. The exploit leverages deserialization to achieve remote code execution by crafting malicious input in the 'sifirst' parameter.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Moodle 3.11.0

No auth needed

Prerequisites: Target running Moodle 3.11.0 with Shibboleth authentication enabled · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Patch, Vendor Advisory

https://moodle.org/mod/forum/discuss.php?d=424799

Scores

CVSS v3 9.8

EPSS 0.1165

EPSS Percentile 93.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Lab Environment

COMMUNITY SUSPICIOUS

Community Lab

docker pull n0puple/moodle:3.11.0

https://github.com/dinhbaouit/CVE-2021-36394

https://github.com/lavclash75/CVE-2021-36394-Pre-Auth-RCE-in-Moodle

View in Library

Details

CWE

CWE-94 CWE-384

Status published

Products (2)

moodle/moodle < 3.9.8

moodle/moodle 3.11.0-beta - 3.11.1Packagist

Published Mar 06, 2023

Tracked Since Feb 18, 2026