CVE-2025-62398: 
PHP vulnerability analysis and mitigation

A serious authentication bypass vulnerability (CVE-2025-62398) was discovered in Moodle's multi-factor authentication (MFA) system. The vulnerability affects Moodle versions 5.0.0-beta to 5.0.2, 4.5.0-beta to 4.5.6, and 4.4.0-beta to 4.4.10, and was disclosed on October 23, 2025. The flaw allows attackers with valid credentials to bypass MFA requirements during the web services login flow (Miggo, NVD).

The vulnerability exists in the tool_mfa\manager::should_require_mfa function within public/admin/tool/mfa/classes/manager.php. The security flaw stems from improper handling of AJAX and Web Service requests during the MFA process. The vulnerability has a CVSS 3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The issue is classified as CWE-287 (Improper Authentication) (Miggo, NVD).

The vulnerability potentially compromises user accounts by allowing attackers to bypass the second-factor authentication requirement. This could lead to unauthorized access to user accounts where attackers have obtained valid username and password combinations (Bugzilla, NVD).

The vulnerability has been patched in Moodle versions 5.0.3, 4.5.7, and 4.4.11. The fix involves removing a conditional check that allowed AJAX and WS requests to proceed without completing MFA when a session was marked as mfapending. Organizations are advised to upgrade to the patched versions (Miggo, [Bugzilla](https://bugzilla.redhat.com/showbug.cgi?id=2404431)).