CVE-2025-62399: 
PHP vulnerability analysis and mitigation

Moodle's mobile and web service authentication endpoints contained a security vulnerability (CVE-2025-62399) that did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks. The vulnerability affects Moodle versions 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20, and earlier unsupported versions. This issue was disclosed on October 23, 2025 (NVD).

The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). The authentication endpoints for both the mobile client and authwebservice components allowed unlimited or insufficiently throttled password attempts, enabling systematic password guessing attacks against known usernames. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ([Fedora Project](https://bugzilla.redhat.com/showbug.cgi?id=2404432)).

The vulnerability could allow attackers to systematically attempt to guess passwords for known usernames through brute-force attacks, potentially leading to unauthorized access to user accounts. This poses a significant risk to the security of Moodle installations, particularly those with exposed mobile and web service authentication endpoints (NVD).

The vulnerability has been fixed in Moodle versions 5.0.3, 4.5.7, 4.4.11, and 4.1.21. Users are advised to upgrade to these patched versions to protect against brute-force attacks (Fedora Project).