CVE-2022-30600

CRITICAL

Moodle 3.9-3.9.13 and 4.0 - Account Lockout Bypass via Incorrect Failed Login Calculation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-30600. PoCs published by Boonjune.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2022-30600, which allows bypassing the account lockout threshold in Moodle by sending concurrent login requests. The exploit includes both Python and C++ implementations that demonstrate the race condition vulnerability.

Description

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

Exploits (1)

nomisec WORKING POC 3 stars
by Boonjune · poc
https://github.com/Boonjune/POC-CVE-2022-30600

This repository contains a proof-of-concept exploit for CVE-2022-30600, which allows bypassing the account lockout threshold in Moodle by sending concurrent login requests. The exploit includes both Python and C++ implementations that demonstrate the race condition vulnerability.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Moodle 3.9 - 3.9.13, 3.10 - 3.10.10, 3.11 - 3.11.6
No auth needed
Prerequisites: Access to the Moodle login page · Ability to send concurrent HTTP requests
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Vendor Advisory x_refsource_misc
https://moodle.org/mod/forum/discuss.php?d=434582
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2083613

Scores

CVSS v3 9.8
EPSS 0.0488
EPSS Percentile 90.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-682
Status published
Products (7)
fedoraproject/fedora 34
fedoraproject/fedora 35
fedoraproject/fedora 36
moodle/moodle 4.0.0
moodle/moodle 3.9 - 3.9.14
moodle/moodle 4.0 - 4.0.1Packagist
redhat/enterprise_linux 8.0
Published May 18, 2022
Tracked Since Feb 18, 2026