Brief Summary: Moodle CVE-2025-62399 Authentication Brute Force Vulnerability

A brief summary of CVE-2025-62399 affecting Moodle's mobile and web service authentication endpoints, which allowed brute force password attacks due to insufficient restriction of repeated attempts. This post covers technical details, affected versions, and vendor security history based on available public sources.
CVE Analysis

ZeroPath CVE Analysis

2025-10-23

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Automated password guessing attacks against Moodle's mobile and web service authentication endpoints could have enabled unauthorized access to sensitive educational data across hundreds of millions of users. This vulnerability, tracked as CVE-2025-62399, affected a wide range of actively supported Moodle versions and required urgent attention from administrators in educational and institutional environments.

About Moodle: Moodle is the world's most widely used open-source learning management system, with over 350 million users in 242 countries. It is the backbone of digital learning for schools, universities, and organizations globally, making any security flaw in its authentication mechanisms highly impactful for the education sector.

Technical Information

CVE-2025-62399 is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). The vulnerability was due to insufficient restriction of repeated password attempts on Moodle's mobile and web service authentication endpoints. Specifically, while the standard web login form enforces account lockout and rate limiting (configurable via the admin interface), these protections were not consistently applied to the mobile and REST API authentication code paths.

Attackers could target endpoints such as /login/token.php with automated scripts, submitting a high volume of password guesses for known or enumerated usernames. Because these endpoints did not trigger the same lockout mechanisms as the main login page, brute force attacks could proceed unimpeded until a valid credential was discovered. This gap created a significant attack surface for credential stuffing and password guessing attacks against Moodle deployments with mobile or web services enabled.

No public code snippets or detailed vulnerable code locations have been released. The issue was remediated by ensuring that rate limiting and lockout controls are consistently enforced across all authentication entry points, including those used by mobile apps and web service integrations.
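To illustrate the principle behind the remediation described above, the following is an added example (not Moodle's code): one lockout tracker is consulted by both the browser login form and the mobile/web service token endpoint before any password check, so the API path cannot be used to sidestep the limit. Threshold and window values, entry-point labels and the credential store are constructed for the example.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """One failed-attempt tracker shared by every authentication entry point."""

    def __init__(self, threshold=5, window=1800, duration=1800, clock=time.time):
        self.threshold = threshold  # failures inside the window before lockout
        self.window = window        # seconds over which failures are counted
        self.duration = duration    # lockout length in seconds
        self.clock = clock          # injectable clock for deterministic tests
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is not None and self.clock() < until:
            return True
        self._locked_until.pop(username, None)  # expired or never set
        return False

    def record_failure(self, username):
        now = self.clock()
        recent = self._failures[username]
        recent.append(now)
        while recent and recent[0] < now - self.window:  # drop stale failures
            recent.popleft()
        if len(recent) >= self.threshold:
            self._locked_until[username] = now + self.duration
            recent.clear()

    def record_success(self, username):
        self._failures.pop(username, None)

# Constructed credential store; a real deployment compares password hashes.
USERS = {"student1": "correct horse battery staple"}

def authenticate(throttle, username, password, entry_point):
    """Single choke point: the lockout check runs before the password check."""
    if throttle.is_locked(username):
        return {"ok": False, "reason": "locked_out", "entry_point": entry_point}
    if USERS.get(username) == password:
        throttle.record_success(username)
        return {"ok": True, "reason": None, "entry_point": entry_point}
    throttle.record_failure(username)
    return {"ok": False, "reason": "invalid_login", "entry_point": entry_point}

def web_login(throttle, username, password):    # browser login form
    return authenticate(throttle, username, password, "login/index.php")

def token_login(throttle, username, password):  # mobile / web service token endpoint
    return authenticate(throttle, username, password, "login/token.php")
```

Once the account is locked by failures on the token endpoint, even the correct password through the web form is refused until the lockout expires, which is the consistency the fix restores.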

Affected Systems and Versions

The following Moodle versions were affected:

  • Moodle 5.0.0 through 5.0.2
  • Moodle 4.5.0 through 4.5.6
  • Moodle 4.4.0 through 4.4.10
  • Moodle 4.1.0 through 4.1.20
  • All earlier unsupported versions

The vulnerability was only exposed on deployments with mobile or web services enabled. The issue was fixed in:

  • Moodle 5.0.3
  • Moodle 4.5.7
  • Moodle 4.4.11
  • Moodle 4.1.21

Vendor Security History

Moodle has a mature security process and regularly publishes coordinated advisories. Previous notable vulnerabilities include:

  • Authentication bypass in quiz functionality
  • Remote code execution via formula validation flaws
  • Information disclosure in user profile handling

Patch response for critical issues is typically prompt, with fixes released across all supported branches. The project maintains a dedicated security team and public advisory channels.
