Three RCEs in Ilias Learning Management System

Breaking ILIAS #2: Three paths towards RCE

We describe three previously unknown vulnerabilities enabling remote code execution (RCE) in versions 8, 9, and 10 of the widely used learning management system ILIAS.

We reported the vulnerabilities through our responsible disclosure process. With patches now in place, we can share the details here.

Background

In the first blog post of our little ILIAS series, we describe how we uncovered and exploited a stored cross-site scripting (XSS) vulnerability to obtain administrative privileges and RCE in a recent red team engagement.

Today’s walkthrough

We explore similar vulnerabilities, all of which lead to RCE. First, we discuss an unauthenticated RCE exploiting the course certification import functionality, which is often found in public spaces of ILIAS instances. Next, we describe two authenticated remote-code-execution vulnerabilities caused by insecure deserialization. Both can be exploited by authorized users and often do not require full administrative rights.

1. Unauthenticated RCE (CVE-2025-11344)

Prerequisites. Exploitation requires public access to objects which support ILIAS' certificate functionality. An ILIAS "certificate" can be issued for achievements such as course completion. To avoid confusion with X.509 certificates, we also use the term "course certificate" in this blog post. The following object types are affected:

  • Test (cmdNode: qx)
  • Course (cmdNode: lv)

These objects, when placed in the public section of ILIAS, allow any user with read access (including unauthenticated guests) to interact with the certification editor functionality.

The "Exercise" object shared this vulnerability in the tested v10-beta3, but it has since been patched by enforcing stricter access control in this commit: $this->checkPermission("write")

However, the stable release still only enforces $this->checkPermission("read") for the other object types, and read permission is typically granted in public contexts.
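To make the read-versus-write gap concrete, here is an added illustration (not ILIAS code; the `Guard` class, ACL layout and command names are hypothetical) of a permission-gated command dispatcher: the "weak" gate lets an anonymous reader reach the editor commands, the "fixed" gate requires write permission and rejects the same request.

```php
<?php
// Added example, not ILIAS code: a minimal permission-gated dispatcher
// modelled on the checkPermission("read") vs checkPermission("write") gap.
// Guard, the ACL contents and the command names are all hypothetical.

final class Guard
{
    /** @var array<string, array<string, string[]>> role => object => permissions */
    private array $acl;

    public function __construct(array $acl) { $this->acl = $acl; }

    public function has(string $role, string $objectId, string $perm): bool
    {
        return in_array($perm, $this->acl[$role][$objectId] ?? [], true);
    }
}

// Permission each editor command is gated on. "weak" mirrors a release where
// read suffices; "fixed" mirrors the stricter check that requires write.
$gates = [
    'weak'  => ['editCertificate' => 'read',  'uploadCertificateFile' => 'read'],
    'fixed' => ['editCertificate' => 'write', 'uploadCertificateFile' => 'write'],
];

function dispatch(Guard $g, array $gate, string $role, string $obj, string $cmd): string
{
    $perm = $gate[$cmd] ?? 'write'; // unknown command: fail closed
    if (!$g->has($role, $obj, $perm)) {
        return "denied: {$role} lacks '{$perm}' on {$obj} for {$cmd}";
    }
    return "allowed: {$cmd} on {$obj}";
}

// Constructed ACL: a public course where anonymous guests have read only.
$guard = new Guard([
    'anonymous' => ['course_42' => ['visible', 'read']],
    'tutor'     => ['course_42' => ['visible', 'read', 'write']],
]);

foreach (['weak', 'fixed'] as $variant) {
    foreach (['anonymous', 'tutor'] as $role) {
        echo "[{$variant}] ", dispatch($guard, $gates[$variant], $role, 'course_42', 'uploadCertificateFile'), PHP_EOL;
    }
}
```

With the weak gate the anonymous role is allowed through to the upload command; with the fixed gate only the tutor, who holds write permission, is.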

Upload arbitrary files to the web server
