ctipilot.ch

ILIAS LMS — nine fixes shipped 2026-05-27; critical access-control gaps (CVSS 9.8 + 9.3); NCSC.ch flags SOAP interface as primary unauthenticated attack surface


  • Coverage timeline: 1 (first 2026-05-28 → last 2026-05-28)
  • Briefs: 1 (1 distinct)
  • Sources cited: 3 (3 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-28: CTI Daily Brief — 2026-05-28 (section: active_threats)
     First coverage. ILIAS Security Group shipped 9-issue update on 2026-05-27 across 9.20/10.8/11.1 branches; NCSC-CH advisory same day. CRITICAL: MantisBT 0047787 (CVSS 4.0: 9.8 — unauth TileImageUploadHandler write) + 0047691 (CVSS 4.0: 9.3 — MyStaff post-auth SQLi). NCSC-CH mitigation: disable SOAP. CH/DE/AT public-sector LMS estate dominant.

Where this entity is cited

  • active_threats: 1

Source distribution

  • docu.ilias.de: 1 (33%)
  • security-hub.ncsc.admin.ch: 1 (33%)
  • wid.cert-bund.de: 1 (33%)

Items in briefs about ILIAS LMS — nine fixes shipped 2026-05-27; critical access-control gaps (CVSS 9.8 + 9.3); NCSC.ch flags SOAP interface as primary unauthenticated attack surface (1)

ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

The ILIAS Security Group released a coordinated nine-issue security update on 2026-05-27 covering the open-source Learning Management System that dominates the CH/DE/AT public-sector e-learning estate: Swiss federal training portals, NATO DEEP ADL, and the majority of Swiss and German university LMS deployments (ILIAS Security Blog, 2026-05-27; NCSC-CH, 2026-05-27; BSI CERT-Bund WID-SEC-2026-1689, 2026-05-27). CVE identifiers were not assigned in the BSI CSAF document; the vendor uses internal MantisBT IDs.

Two issues are rated critical by the vendor. MantisBT 0047787 (CVSS 4.0: 9.8) is a missing access-control check in TileImageUploadHandler; an attacker with network access to the upload endpoint can write arbitrary files, bypassing authentication entirely — the textbook prerequisite for arbitrary file write to RCE on a PHP application. MantisBT 0047691 (CVSS 4.0: 9.3) is a post-auth SQL injection in the MyStaff module. Companion high-severity findings: MantisBT 0047581 (CVSS 8.7) — broken access-control in the SOAP interface permitting unauthenticated SOAP calls; MantisBT 0047472 (CVSS 7.1) — SQL injection reachable via the SOAP API; MantisBT 0047770 (CVSS 8.5) and 0047778 (CVSS 8.1) — sort-field and SCORM2004-module SQLi paths; MantisBT 0047258 — unauthorized SOAP function calls.

Why it matters to us: ILIAS is mission-critical for Swiss federal civil-servant training and Swiss/DACH academic certification — a compromise of the LMS exposes course content, learner PII, certification records, and any HR/IDP integration on the SOAP interface. NCSC.ch's recommended interim mitigation is to disable the SOAP interface on any deployment that does not require it for enterprise HR / SIS integration. Patched branches: 9.20, 10.8, 11.1. Detection concepts: monitor web-server access logs for POSTs to TileImageUploadHandler without a valid session cookie; flag any request to /ilias.php?baseClass=ilSOAPExplorer or the SOAP WSDL endpoint from non-internal source IPs. Hardening: AppArmor/SELinux profile constraining php-fpm writeable paths to content directories; reverse-proxy ACL blocking external access to /webservice/soap/ until patched.
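The two detection concepts above (POSTs to TileImageUploadHandler without a session cookie; SOAP-explorer or /webservice/soap/ requests from non-internal addresses) as a runnable log-scanning sketch. This is an added example, not code from ctipilot.ch, NCSC-CH or the ILIAS project. It assumes a combined-log-format line with the Cookie header appended as a final quoted field (a constructed format; match your own log_format), that the ILIAS session cookie is named PHPSESSID (ILIAS is PHP, but the cookie name is deployment-configurable), that "internal" means the RFC 1918 ranges, and that the upload handler is reachable through a path containing its class name (the brief gives no exact route, so the rule matches the handler name anywhere in the request target). The sample log lines are constructed.

```python
"""Log-based detection sketch for the ILIAS advisory (added example, not vendor code)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Assumption: RFC 1918 ranges count as internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: session cookie name (deployment-configurable in ILIAS).
SESSION_COOKIE = "PHPSESSID"
# Paths from the brief: SOAP explorer base class and the SOAP webservice directory.
SOAP_MARKERS = ("baseclass=ilsoapexplorer",)
SOAP_PREFIX = "/webservice/soap/"
UPLOAD_HANDLER = "tileimageuploadhandler"

# Constructed format: combined log + trailing quoted Cookie header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"\s*$'
)


@dataclass
class Finding:
    rule: str
    ip: str
    path: str
    ts: str


def is_internal(ip: str) -> bool:
    """True if the client address lies in an internal range; unparsable = external (conservative)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def has_session_cookie(cookie_header: str) -> bool:
    """True only if the session cookie is present with a non-empty value."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value.strip():
            return True
    return False


def inspect(line: str) -> Optional[Finding]:
    """Apply both rules from the brief to one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not in the expected format; skip rather than guess
    ip, ts, method, path, cookie = m["ip"], m["ts"], m["method"], m["path"], m["cookie"]
    target = path.lower()
    # Rule 1: POST to the tile-image upload handler without a valid session cookie.
    if method == "POST" and UPLOAD_HANDLER in target and not has_session_cookie(cookie):
        return Finding("unauth-tile-upload-post", ip, path, ts)
    # Rule 2: SOAP explorer / SOAP webservice reached from a non-internal source.
    if (any(mark in target for mark in SOAP_MARKERS) or target.startswith(SOAP_PREFIX)) and not is_internal(ip):
        return Finding("external-soap-access", ip, path, ts)
    return None


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (inspect(l) for l in lines) if f is not None]


def summarize(findings: List[Finding]) -> dict:
    return dict(Counter(f.rule for f in findings))


# Constructed sample lines (RFC 5737 documentation addresses for external clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2026:10:01:02 +0200] "POST /ilias.php?baseClass=ilDashboardGUI&cmdClass=TileImageUploadHandler HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '192.168.10.5 - - [27/May/2026:10:02:00 +0200] "POST /ilias.php?baseClass=ilDashboardGUI&cmdClass=TileImageUploadHandler HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=abc123; ilClientId=prod"',
    '198.51.100.23 - - [27/May/2026:10:03:10 +0200] "GET /ilias.php?baseClass=ilSOAPExplorer HTTP/1.1" 200 2048 "-" "python-requests/2.31" "-"',
    '10.0.0.8 - - [27/May/2026:10:04:00 +0200] "POST /webservice/soap/server.php HTTP/1.1" 200 300 "-" "Java/17" "-"',
    '203.0.113.9 - - [27/May/2026:10:05:30 +0200] "GET /webservice/soap/server.php?wsdl HTTP/1.1" 200 4096 "-" "curl/8.0" "-"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:24} {f.ip:15} {f.ts}  {f.path}")
    print(summarize(scan(SAMPLE_LOG)))
```

Rule 1 deliberately treats an empty `PHPSESSID=` as "no session", since a present-but-empty cookie is exactly what an unauthenticated client that echoes back a blank value would send. Rule 2 is the log-side twin of the reverse-proxy ACL in the brief: once the ACL is in place, any hit it records is a policy violation worth alerting on rather than merely a suspicious request.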