CVE-2024-43425

HIGH NUCLEI

Moodle Remote Code Execution (CVE-2024-43425)

Title source: metasploit

Exploitation Summary

EIP tracks 9 public exploits for CVE-2024-43425, including PoCs published by Likhith Appalaneni, RedTeamPentesting and adminlove520, and the Metasploit module exploits/linux/http/moodle_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages an authenticated RCE vulnerability in Moodle by uploading a malicious calculated question with a payload that executes system commands via PHP object injection. The exploit chains multiple steps to achieve command execution.

Description

A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.

Exploits (9)

exploitdb WORKING POC
by Likhith Appalaneni · python · webapps · multiple
https://www.exploit-db.com/exploits/52350

This exploit leverages an authenticated RCE vulnerability in Moodle by uploading a malicious calculated question with a payload that executes system commands via PHP object injection. The exploit chains multiple steps to achieve command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle 4.4.0 (and other affected versions)
Auth required
Prerequisites: Valid Moodle credentials · Access to a quiz with edit permissions · Network access to the target Moodle instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 19 stars
by RedTeamPentesting · poc
https://github.com/RedTeamPentesting/moodle-rce-calculatedquestions

This repository contains functional exploit code demonstrating a remote code execution vulnerability in Moodle's calculated questions feature (CVE-2024-43425). It includes scripts to test validation logic and generate payloads for arbitrary PHP function execution via variable functions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle 4.4.1
Auth required
Prerequisites: Access to Moodle with teacher/editor privileges · Calculated question feature enabled
devstral-2 · analyzed Feb 18, 2026

github WORKING POC 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2024/CVE-2024-43425

The repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and functional code.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: TOTOLINK LR350, TOTOLINK T6, Fortinet SSL VPN
No auth needed
Prerequisites: network access to the target device
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 2 stars
by kazuya256 · poc
https://github.com/kazuya256/Moodle-authenticated-RCE

This repository contains a functional exploit for CVE-2024-43425, an authenticated RCE vulnerability in Moodle. The exploit leverages insecure question bank editing functionality to execute arbitrary commands on the server.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle 4.1 to 4.4.1
Auth required
Prerequisites: Valid Moodle credentials · Access to a vulnerable Moodle instance
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 2 stars
by Snizi · poc
https://github.com/Snizi/Moodle-CVE-2024-43425-Exploit

This repository contains a functional Python exploit for CVE-2024-43425, targeting a remote code execution (RCE) vulnerability in Moodle. The exploit automates authentication, session key extraction, and payload delivery via crafted question creation in Moodle's quiz module.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle (version not specified)
Auth required
Prerequisites: Valid Moodle credentials · Access to Moodle's question bank · Python 3.6+ with requests library
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by wvverez · poc
https://github.com/wvverez/CVE-2024-43425

This repository provides a Docker-based setup to replicate a vulnerable Moodle environment for CVE-2024-43425. It includes instructions to deploy a MariaDB container and a Moodle instance, likely to demonstrate an exploit in a controlled environment.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Moodle (version not specified)
No auth needed
Prerequisites: Docker installed · Docker network setup · MariaDB and Moodle images
devstral-2 · analyzed Mar 06, 2026

nomisec WRITEUP
by Tnot123 · poc
https://github.com/Tnot123/cve-2024-43425

This repository provides a detailed technical analysis of CVE-2024-43425, a vulnerability in Moodle's calculated question type that allows arbitrary command execution. The writeup includes root cause analysis, exploitation steps, and proof-of-concept details demonstrating how attackers can bypass input validation to achieve RCE.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle versions 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and unsupported earlier versions
Auth required
Prerequisites: Ability to create or modify calculated questions in a Moodle course · Knowledge of the target course ID
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by aninfosec · poc
https://github.com/aninfosec/CVE-2024-43425-Poc

This repository contains a functional exploit for CVE-2024-43425, which leverages improper sanitization in Moodle's calculated question feature to achieve remote code execution. The exploit automates the process of logging in, uploading a malicious question, and triggering the payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle (version not specified)
Auth required
Prerequisites: Valid Moodle credentials with teacher/admin privileges · Access to quiz editing interface · Known courseid and cmid (quiz module ID)
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Michael Heinzl, RedTeam Pentesting GmbH · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/moodle_rce.rb

This Metasploit module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to achieve remote code execution. It authenticates as a user with quiz question creation privileges and injects a command via a crafted question submission.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle (4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and earlier unsupported versions)
Auth required
Prerequisites: Valid Moodle credentials with quiz question creation privileges · Course ID and course module ID
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Moodle - Remote Code Execution
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch
Shodan: title:"Moodle"

References (2)

Core References
Permissions Required · issue-tracking · x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2304253

Scores

CVSS v3: 8.1
EPSS: 0.8892
EPSS Percentile: 99.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (2):
moodle/moodle < 4.1.12
moodle/moodle 0 - 4.1.12 (Packagist)
Published: Nov 07, 2024
Tracked Since: Feb 18, 2026