Moodle: possible to bypass mfa
Description
A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A logic flaw in Moodle's MFA plugin allowed authenticated users to bypass multi-factor authentication when using the 'Login as' feature or during admin setup.
The vulnerability resides in the should_require_mfa function of Moodle's multi-factor authentication (MFA) plugin (tool_mfa). Due to an incorrect order of condition checks, certain scenarios that should trigger MFA were evaluated after other conditions that could return a "no redirect" result, effectively bypassing MFA enforcement [3].
An attacker with valid credentials could exploit this by either using the "Login as" functionality (where an admin impersonates another user) or by accessing the system while an admin setup is pending. In these cases, the MFA requirement was skipped because the corresponding checks were placed after other early-return conditions [3].
Successful exploitation allows an attacker to bypass the second factor of authentication, gaining unauthorized access to user accounts with only the first factor (password). This could lead to account takeover, data exposure, or further privilege escalation depending on the target account's permissions [2].
The issue was fixed in Moodle by reordering the condition checks in the should_require_mfa function, moving the "Login as" and admin setup checks earlier in the logic. Administrators should update to the patched version [3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 5.0.0-beta, < 5.0.3 | 5.0.3 |
| moodle/moodle (Packagist) | >= 4.5.0-beta, < 4.5.7 | 4.5.7 |
| moodle/moodle (Packagist) | >= 4.4.0-beta, < 4.4.11 | 4.4.11 |
Patches
67005f8b2098 MDL-85546 tool_mfa: Improve handling of require MFA conditions
1 file changed · +16 −22
public/admin/tool/mfa/classes/manager.php+16 −22 modified@@ -50,7 +50,7 @@ class manager { ], 'tool_mfa' => [ 'guidance', - ] + ], ]; /** @@ -441,6 +441,21 @@ public static function should_require_mfa(string|\moodle_url $url, bool|null $pr $url = new \moodle_url($url); } + // Admin not setup. + if (!empty($CFG->adminsetuppending)) { + return self::NO_REDIRECT; + } + + // Honor prevent_redirect. + if ($preventredirect) { + return self::NO_REDIRECT; + } + + // Login as. + if (\core\session\manager::is_loggedinas()) { + return self::NO_REDIRECT; + } + // Check for pluginfile.php urls. $pluginfileurl = new \moodle_url('/pluginfile.php'); if ($url->compare($pluginfileurl)) { @@ -485,22 +500,6 @@ public static function should_require_mfa(string|\moodle_url $url, bool|null $pr } } - // Admin not setup. - if (!empty($CFG->adminsetuppending)) { - return self::NO_REDIRECT; - } - - // Initial installation. - // We get this for free from get_plugins_with_function. - - // Upgrade check. - // We get this for free from get_plugins_with_function. - - // Honor prevent_redirect. - if ($preventredirect) { - return self::NO_REDIRECT; - } - // User not properly setup. if (user_not_fully_set_up($USER)) { return self::NO_REDIRECT; @@ -516,11 +515,6 @@ public static function should_require_mfa(string|\moodle_url $url, bool|null $pr return self::NO_REDIRECT; } - // Login as. - if (\core\session\manager::is_loggedinas()) { - return self::NO_REDIRECT; - } - // Site policy. if (isset($USER->policyagreed) && !$USER->policyagreed) { $manager = new \core_privacy\local\sitepolicy\manager();
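Review bot: In the second hunk the three early `return self::NO_REDIRECT;` guards (`$CFG->adminsetuppending`, `$preventredirect`, `\core\session\manager::is_loggedinas()`) now run before the pluginfile.php URL check and before everything that previously sat between the old line 441 and line 500, but neither the hunk nor the commit message records why that order matters, and the only explanatory comments on the removed block ("We get this for free from get_plugins_with_function") are dropped rather than carried along. Suggest a comment above the moved block stating the invariant (these conditions are decided before any check that can return a redirect, so the outcome no longer depends on which URL checks run first) and a unit test for should_require_mfa that pins the return value for each of the three conditions so a later reordering is caught. The "Login as" guard also exempts the impersonated session from MFA without stating the assumption that the impersonating admin has already satisfied MFA; that assumption belongs in the comment. The first hunk is only a trailing comma in the array literal and is unrelated to the MFA logic.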
a2078f781ae0 MDL-86334 tool_mfa: Improve multi-factor authentication validation.
1 file changed · +1 −4
public/admin/tool/mfa/classes/manager.php+1 −4 modified@@ -532,11 +532,8 @@ public static function should_require_mfa(string|\moodle_url $url, bool|null $pr } // WS/AJAX check. + // Prevents any potential bypassing of multi-factor authentication. if (WS_SERVER || AJAX_SCRIPT) { - if (isset($SESSION->mfa_pending) && !empty($SESSION->mfa_pending)) { - // Allow AJAX and WS, but never from auth.php. - return self::NO_REDIRECT; - } return self::REDIRECT_EXCEPTION; }
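Review bot: The removed branch returned `NO_REDIRECT` for any WS/AJAX request whenever `$SESSION->mfa_pending` was set, so a session that had passed the first factor but not yet completed MFA could reach web-service and AJAX endpoints; the hunk closes that by always returning `REDIRECT_EXCEPTION` under `WS_SERVER || AJAX_SCRIPT`. The new comment "Prevents any potential bypassing of multi-factor authentication." should say that directly (a session with `mfa_pending` set must not be let through WS/AJAX), and the old comment "Allow AJAX and WS, but never from auth.php" implied a legitimate AJAX use during the MFA flow: confirm that any AJAX the MFA pages themselves need is still exempted by an earlier URL check in should_require_mfa, and add a test that sends a request with `mfa_pending` set to an `AJAX_SCRIPT` path and expects `REDIRECT_EXCEPTION`.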
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-25wf-7x6c-wmpf (advisory, ghsa)
- nvd.nist.gov/vuln/detail/CVE-2025-62398 (advisory, ghsa)
- access.redhat.com/security/cve/CVE-2025-62398 (vdb-entry, x_refsource_REDHAT, web)
- bugzilla.redhat.com/show_bug.cgi (issue-tracking, x_refsource_REDHAT, web)
- github.com/moodle/moodle/commit/67005f8b2098096f4c7ca4f78ab9ce69415d703b (web)
- github.com/moodle/moodle/commit/a2078f781ae065ca1f781bd159c7615c84afcaa5 (web)
- moodle.org/mod/forum/discuss.php (web)