Important Security Announcement for Moodle Users

20 August 2025 by Catalyst

Since August 14, Catalyst IT, working with Moodle HQ, has been aware of a targeted malicious campaign in which a network of bots is attempting to log in to public-facing Moodle instances using a known collection of leaked user credentials (email or username and password).

In some cases the bot network has successfully logged in to Moodle instances, because the leaked credentials were still valid. Once authenticated, the bots attempted to install a malicious plugin.
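As an added illustration (not Catalyst's or Moodle's own code), the following Python sketch runs the detection check an administrator would want over constructed login-event rows in the shape of Moodle's standard log. The event names `\core\event\user_login_failed` and `\core\event\user_loggedin` are Moodle core's; the IPs, usernames and times are invented. A source that attempts many distinct accounts within a short window is treated as replaying a leaked credential list, and any successful login from such a source is listed so the session can be terminated, the password reset, and the site's plugins audited.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

LOGIN_FAILED = r"\core\event\user_login_failed"  # Moodle core event names
LOGIN_OK = r"\core\event\user_loggedin"

# Constructed sample rows (eventname, timecreated, ip, username). The values
# are invented for this example, not taken from any real incident log.
SAMPLE_EVENTS = [
    (LOGIN_FAILED, "2025-08-14T02:00:01", "203.0.113.7", "alice"),
    (LOGIN_FAILED, "2025-08-14T02:00:03", "203.0.113.7", "bob"),
    (LOGIN_FAILED, "2025-08-14T02:00:06", "203.0.113.7", "carol"),
    (LOGIN_OK,     "2025-08-14T02:00:09", "203.0.113.7", "dave"),   # reused password
    (LOGIN_FAILED, "2025-08-14T02:00:12", "203.0.113.7", "erin"),
    # A legitimate user mistyping their own password twice, then succeeding.
    (LOGIN_FAILED, "2025-08-14T08:15:00", "198.51.100.20", "grace"),
    (LOGIN_FAILED, "2025-08-14T08:15:20", "198.51.100.20", "grace"),
    (LOGIN_OK,     "2025-08-14T08:15:41", "198.51.100.20", "grace"),
]

Event = namedtuple("Event", "name time ip user")

def parse_events(rows):
    """Turn raw rows into Event tuples ordered by time."""
    return sorted((Event(n, datetime.fromisoformat(t), ip, u) for n, t, ip, u in rows),
                  key=lambda e: e.time)

def flag_stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """IPs that tried at least `min_users` distinct usernames (failed or not)
    inside any `window`: the signature of a leaked list being replayed, as
    opposed to one person retrying their own password."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():          # attempts are already time-ordered
        for i, first in enumerate(attempts):
            users = {a.user for a in attempts[i:] if a.time - first.time <= window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged

def successful_logins_from(events, flagged):
    """(ip, account) pairs the flagged sources actually got into."""
    return sorted({(e.ip, e.user) for e in events if e.name == LOGIN_OK and e.ip in flagged})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    hits = flag_stuffing_sources(evs)
    print("credential-stuffing sources:", {ip: sorted(u) for ip, u in hits.items()})
    print("accounts to reset and review:", successful_logins_from(evs, hits))
```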

For Catalyst clients there was no risk of the plugin being installed: our Moodle cloud architecture prevents, at the infrastructure level, any change to application code from the web interface.

Still, it is never good when malicious parties gain access to a web application at any level. Importantly, in this case legitimate login and password credentials were being used.

Is this a vulnerability in Moodle itself?

No. This is not a vulnerability in Moodle, in Moodle code, or in partner systems.

This is a large-scale attempt to access Moodle sites globally using credentials from external data breaches, which the malicious party hopes have been reused across systems, including Moodle. The problem is common to every internet-facing system that requires authentication: any reuse of a login and password puts every system that shares those credentials at risk.

Almost all corporate and government security compliance training specifies that login and password credentials should never be shared across systems, but there is no completely effective way of enforcing this in practice. This recent activity highlights the importance of the utmost vigilance in password policy compliance.

Mitigating Risks

Having any web application on the modern-day internet means dealing with malicious authentication attempts. This is nothing new.

As always, security should be a multi-layered approach across your IT systems.

Catalyst recommends to all our clients that enterprise web-facing applications, including Moodle, rely on more than single-factor authentication (login and password only) to authenticate users. This is in line with current industry best practice for application security.

If you are not using a single sign-on (SSO) identity provider, we highly recommend that you work towards enabling Moodle’s native multi-factor authentication (MFA) support for all Moodle users. MFA is available in Moodle core in recent versions and can be enabled without any code releases or patches.

Catalyst IT is currently working with our clients to support them in rolling out this change.

Trusting Catalyst with your Moodle

Data security is a top priority at Catalyst IT. With 25 years of experience working with higher education, enterprise-level, and government organisations globally, we go beyond the regular compliance requirements where possible. Our 24/7 Follow the Sun Support model allows us to deal with emergencies quickly and efficiently.

Being a Certified and Premium Moodle Partner with our vendors and having a dedicated security team in-house also provides our team and our clients with assurance and peace of mind.

Catalyst IT is ISO 27001 certified.