CVE-2025-11345

CVE-2025-11345 is a deserialization vulnerability in the unserialize function of the Test Import component within ILIAS learning management system versions up to 8.23, 9.13, and 10.1. The flaw stems from improper input validation (CWE-20) and deserialization of untrusted data (CWE-502), allowing malicious serialized objects to be processed. It was published on 2025-10-06 and carries a CVSS v3.1 base score of 5.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low complexity.

Exploitation requires low privileges (PR:L), such as an authenticated user with access to the Test Import feature, and user interaction (UI:R) to process a crafted input remotely. Successful attacks can result in low-impact confidentiality, integrity, and availability effects, such as limited data exposure, modification, or denial of service on the targeted system.

Advisories recommend upgrading to ILIAS versions 8.24, 9.14, or 10.2 to resolve the issue, with upgrading the affected component advised as the primary mitigation. Relevant references include the official ILIAS documentation at https://docu.ilias.de/go/blog/15821/882, VulDB entries at https://vuldb.com/?ctiid.327230, https://vuldb.com/?id.327230, and https://vuldb.com/?submit.664891, and an SRLabs blog post at https://srlabs.de/blog/breaking-ilias-part-2-three-to-rce detailing related ILIAS exploitation chains.