Three RCEs in Ilias Learning Management System
3 months ago
- #Security
- #RCE
- #ILIAS
- Three previously unknown vulnerabilities enabling remote code execution (RCE) in ILIAS versions 8, 9, and 10 were discovered.
- The unauthenticated RCE (CVE-2025-11344) abuses the course certification import functionality, allowing an attacker to upload files and have them executed by manipulating .htaccess.
- Two authenticated RCE vulnerabilities (CVE-2025-11345 and CVE-2025-11346) stem from insecure deserialization and enable code execution for users holding certain permissions.
- The vulnerabilities were responsibly disclosed, and patches have been released in versions 8.25, 9.15, and 10.3.
- Impact includes complete server compromise, with unauthenticated RCE possible if 'Test' or 'Course' objects are exposed in public areas.
- The blog post highlights the complexity of ILIAS and the importance of timely security updates.