
Three RCEs in the ILIAS Learning Management System


Breaking ILIAS #2: Three paths towards RCE

We describe three previously unknown vulnerabilities enabling remote code execution (RCE) in versions 8, 9, and 10 of the widely used learning management system ILIAS.

We reported the vulnerabilities through our responsible disclosure process.

With patches now in place, we can share the details here.

Background

In the first post of our ILIAS series, we described how, during a recent red team engagement, we uncovered and exploited a stored cross-site scripting (XSS) vulnerability to obtain administrative privileges and, from there, RCE.

Today’s walkthrough

We explore similar vulnerabilities, all of which lead to RCE. First, we discuss an unauthenticated RCE that exploits the course certificate import functionality, which is often reachable from the publicly accessible areas of ILIAS instances. Next, we describe two authenticated remote-code-execution vulnerabilities caused by insecure deserialization. Both can be exploited by authenticated users and often do not require full administrative rights.
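As an added, generic illustration of the vulnerability class named above (insecure deserialization in PHP, the language ILIAS is written in), and not code from ILIAS or from the original post: the `LogWriter` gadget class, the `loadSettings*` functions and the serialized payload are all hypothetical and constructed for this example.

```php
<?php
// Added example, not ILIAS code: a minimal PHP insecure-deserialization gadget
// beside the hardened alternatives. All names here are hypothetical.

// A class whose magic method performs a side effect is the gadget. If the
// attacker controls the serialized string, they pick the class and every
// property value, and __destruct runs on their data once the object is freed.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $line = '';

    public function __destruct()
    {
        // Hypothetical gadget: attacker-chosen content to an attacker-chosen path.
        file_put_contents($this->path, $this->line, FILE_APPEND);
    }
}

// Vulnerable: unserialize() on untrusted input instantiates whatever class the
// input names, so every loaded class with a useful magic method is reachable.
function loadSettingsVulnerable(string $blob): mixed
{
    return unserialize($blob);
}

// Mitigation: refuse to instantiate any class. Objects in the input become
// __PHP_Incomplete_Class placeholders, which carry no methods to trigger.
function loadSettingsHardened(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Preferred fix: do not accept the PHP serialization format for untrusted data
// at all; JSON can only yield scalars, arrays and stdClass, never a gadget.
function loadSettingsJson(string $blob): mixed
{
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload: a LogWriter whose path and line the attacker
// chose (the byte lengths must match the PHP serialization format).
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"line";s:5:"owned";}';

$obj = loadSettingsVulnerable($payload);       // live LogWriter; __destruct fires when $obj is released
$placeholder = loadSettingsHardened($payload); // __PHP_Incomplete_Class; no destructor can run
var_dump($obj instanceof LogWriter, $placeholder instanceof __PHP_Incomplete_Class);
```

The destructor in the gadget is the classic trigger because it runs automatically when the deserialized object goes out of scope, without the application ever calling a method on it; `__wakeup` and `__unserialize` run even earlier, during `unserialize()` itself. Note that `allowed_classes => false` only closes the object-instantiation path; switching the format to JSON removes the whole class of problem.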

1. Unauthenticated RCE (CVE-2025-11344)

Prerequisites. Exploitation requires public access to objects that support ILIAS' certificate functionality. An ILIAS "certificate" can be issued for achievements such as course completion. To avoid confusion with X.509 certificates, we also use the term "course certificate" in this post.
