Moodle: password brute force risk when mobile/web services enabled
Description
Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle's mobile and web service authentication endpoints lacked rate limiting, enabling brute-force password attacks.
Vulnerability
Overview
CVE-2025-62399 describes a missing rate-limiting mechanism in Moodle's mobile and web service authentication endpoints. The official description states that these endpoints "did not sufficiently restrict repeated password attempts," making them susceptible to brute-force attacks [1][2]. This means an attacker could repeatedly submit login requests without being blocked or slowed down, allowing them to guess passwords through automated trials.
Attack
Vector and Prerequisites
The vulnerability is exploitable over the network via the affected authentication endpoints. No special privileges are required to initiate the attack, as the endpoints are publicly accessible for legitimate login purposes. The attacker only needs a valid username to target, and the lack of rate limiting allows for rapid, automated password guessing [1][2].
Impact
Successful exploitation could lead to unauthorized account access. If an attacker guesses a user's password, they could log in as that user and gain access to the Moodle instance, potentially viewing or modifying course content, user data, and other sensitive information depending on the compromised account's permissions [1][2].
Mitigation
The Moodle project addressed this issue in commit e4d02567c922c537086de9f59f063ca073552a3a, which introduces stricter checks in the user_login_webservice function: the user record is now looked up by authentication method as well, and must be neither deleted nor suspended [4]. Administrators should update their Moodle installations to the latest patched version to mitigate the vulnerability [1][2].
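Because the fix hardens the account lookup rather than throttling attempts, administrators will also want to spot password-guessing bursts against the mobile/web service login from their web server logs. The following is an added detection example, not code from the page or from the Moodle project. It assumes Apache combined log format and assumes the mobile login endpoint path is `/login/token.php` (that path is not named on this page); the log lines are constructed for the example. It counts attempts rather than failures, because an endpoint that reports a bad login inside a 200 response body gives no usable status-code signal.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic in Apache combined log format (not real data).
# 198.51.100.7 makes six token requests in 20 seconds; 203.0.113.9 makes two,
# five minutes apart; a course page hit is included to show it is ignored.
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2026:08:00:01 +0000] "POST /login/token.php HTTP/1.1" 200 52 "-" "MoodleMobile"
198.51.100.7 - - [10/May/2026:08:00:04 +0000] "POST /login/token.php HTTP/1.1" 200 52 "-" "MoodleMobile"
198.51.100.7 - - [10/May/2026:08:00:08 +0000] "POST /login/token.php HTTP/1.1" 200 52 "-" "MoodleMobile"
203.0.113.9 - - [10/May/2026:08:00:10 +0000] "POST /login/token.php HTTP/1.1" 200 118 "-" "MoodleMobile"
198.51.100.7 - - [10/May/2026:08:00:12 +0000] "POST /login/token.php HTTP/1.1" 200 52 "-" "MoodleMobile"
198.51.100.7 - - [10/May/2026:08:00:14 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 9311 "-" "MoodleMobile"
198.51.100.7 - - [10/May/2026:08:00:16 +0000] "POST /login/token.php HTTP/1.1" 200 52 "-" "MoodleMobile"
198.51.100.7 - - [10/May/2026:08:00:20 +0000] "POST /login/token.php HTTP/1.1" 200 52 "-" "MoodleMobile"
203.0.113.9 - - [10/May/2026:08:05:00 +0000] "POST /login/token.php HTTP/1.1" 200 118 "-" "MoodleMobile"
"""

# Apache combined log: client, identd, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed path of the mobile/web service login endpoint (not stated on the page).
LOGIN_PATHS = frozenset({"/login/token.php"})


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak_count} for clients that made at least `threshold`
    login-endpoint requests inside any sliding `window`.

    A per-client deque holds the timestamps of recent login attempts; entries
    older than the window are evicted before the count is checked, so the
    result reflects request rate rather than lifetime volume.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] not in LOGIN_PATHS:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} login-endpoint requests within 60s")
```

The threshold and window are starting points; a legitimate mobile client re-requests a token rarely, so a handful of attempts per minute from one source is already unusual. Per-client IP is the coarsest key a combined log allows; where the reverse proxy adds the forwarded client address or the application log records the username, key on those as well so a distributed or single-account campaign is not diluted across sources.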
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 5.0.0-beta, < 5.0.3 | 5.0.3 |
| moodle/moodle (Packagist) | >= 4.5.0-beta, < 4.5.7 | 4.5.7 |
| moodle/moodle (Packagist) | >= 4.2.0-beta, < 4.4.11 | 4.4.11 |
| moodle/moodle (Packagist) | < 4.1.21 | 4.1.21 |
Affected products
Patches (2)
e4d02567c922 MDL-86327 auth_webservice: Stricter check on login
1 file changed · +9 −1
public/auth/webservice/auth.php+9 −1 modified@@ -73,7 +73,15 @@ function user_login($username, $password) { function user_login_webservice($username, $password) { global $CFG, $DB; // special web service login - if ($user = $DB->get_record('user', array('username'=>$username, 'mnethostid'=>$CFG->mnet_localhost_id))) { + $user = $DB->get_record('user', [ + 'username' => $username, + 'auth' => 'webservice', + 'deleted' => '0', + 'suspended' => '0', + 'mnethostid' => $CFG->mnet_localhost_id, + ]); + + if ($user) { return validate_internal_user_password($user, $password); } return false;
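Review bot: the new lookup narrows which records can authenticate through this path (auth must be 'webservice', and the user must be neither deleted nor suspended), but nothing in this hunk counts, delays or locks out repeated attempts, so the "did not sufficiently restrict repeated password attempts" exposure in the advisory is not addressed by these lines on their own. Confirm that the failed-login lockout logic still runs on both failure paths here, the `return false;` when no record matches and a false result from `validate_internal_user_password($user, $password)`, and state in the commit message that this change hardens the record lookup rather than adding rate limiting, so readers of the advisory do not assume the throttling lives in this file.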
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m58f-9pvv-8mp2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-62399 (GHSA, advisory)
- access.redhat.com/security/cve/CVE-2025-62399 (GHSA, vdb-entry, x_refsource_REDHAT, web)
- bugzilla.redhat.com/show_bug.cgi (GHSA, issue-tracking, x_refsource_REDHAT, web)
- github.com/moodle/moodle/commit/e4d02567c922c537086de9f59f063ca073552a3a (GHSA, web)
- moodle.org/mod/forum/discuss.php (GHSA, web)