ctipilot.ch

ILIAS LMS


ILIAS LMS — nine fixes shipped 2026-05-27; critical access-control gaps (CVSS 9.8 + 9.3); NCSC.ch flags SOAP interface as primary unauthenticated attack surface

  • Coverage timeline: first 2026-05-25 → last 2026-05-28 (2 entries)
  • Entries: 2 (2 distinct days)
  • Sources cited: 4 (4 hosts)
  • Sections touched: 2 (active-threats, weekly-sector-patterns)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-28 · active-threats: ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface
  2. 2026-05-25 · weekly-sector-patterns: Public administration & identity (CH / DACH lead) — the LMS, SSO and e-government estate under multi-product pressure

Where this entity is cited

  • weekly-sector-patterns: 1
  • active-threats: 1

Source distribution

  • apereo.github.io: 1 (25%)
  • docu.ilias.de: 1 (25%)
  • security-hub.ncsc.admin.ch: 1 (25%)
  • wid.cert-bund.de: 1 (25%)

Related entities

Entries about ILIAS LMS (2)

2026-05-28

ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface

high threat · discovered 2026-05-28 05:00 UTC

The ILIAS Security Group released a coordinated nine-issue security update on 2026-05-27 covering the open-source Learning Management System that dominates the CH/DE/AT public-sector e-learning estate: Swiss federal training portals, NATO DEEP ADL, and the majority of Swiss and German university LMS deployments (ILIAS Security Blog, 2026-05-27; NCSC-CH, 2026-05-27; BSI CERT-Bund WID-SEC-2026-1689, 2026-05-27). CVE identifiers were not assigned in the BSI CSAF document; the vendor uses internal MantisBT IDs.

Two issues are rated critical by the vendor:

  • MantisBT 0047787 (CVSS 4.0: 9.8): missing access-control check in TileImageUploadHandler; an attacker with network access to the upload endpoint can write arbitrary files, bypassing authentication entirely — the textbook prerequisite for arbitrary file write to RCE on a PHP application.
  • MantisBT 0047691 (CVSS 4.0: 9.3): post-auth SQL injection in the MyStaff module.

Companion high-severity findings:

  • MantisBT 0047581 (CVSS 8.7): broken access control in the SOAP interface permitting unauthenticated SOAP calls.
  • MantisBT 0047472 (CVSS 7.1): SQL injection reachable via the SOAP API.
  • MantisBT 0047770 (CVSS 8.5) and 0047778 (CVSS 8.1): sort-field and SCORM2004-module SQLi paths.
  • MantisBT 0047258: unauthorized SOAP function calls.

Why it matters to us: ILIAS is mission-critical for Swiss federal civil-servant training and Swiss/DACH academic certification — a compromise of the LMS exposes course content, learner PII, certification records, and any HR/IDP integration on the SOAP interface.

  • Interim mitigation (NCSC.ch): disable the SOAP interface on any deployment that does not require it for enterprise HR / SIS integration.
  • Patched branches: 9.20, 10.8, 11.1.
  • Detection concepts: monitor web-server access logs for POSTs to TileImageUploadHandler without a valid session cookie; flag any request to /ilias.php?baseClass=ilSOAPExplorer or the SOAP WSDL endpoint from non-internal source IPs.
  • Hardening: an AppArmor/SELinux profile constraining php-fpm writable paths to content directories; a reverse-proxy ACL blocking external access to /webservice/soap/ until patched.
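The two detection concepts above, turned into a small log scanner as an added example (not code from the advisory, NCSC.ch or the ILIAS project). It assumes an Apache/nginx "combined" access-log format extended with the request's Cookie header as a final quoted field, an ILIAS session cookie named PHPSESSID, RFC 1918 plus loopback as the "internal" address plan, and a case-insensitive substring match of TileImageUploadHandler on the request target; all four are assumptions to adjust to the deployment. The sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log layout: combined format plus "%{Cookie}i" as a last quoted field.
# The Cookie field and its position are an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Assumed internal ranges; replace with the real address plan of the deployment.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
SESSION_COOKIE = "PHPSESSID"  # assumed ILIAS session cookie name


def is_internal(ip: str) -> bool:
    """True if the source address falls inside one of the assumed internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def has_session(cookie_field: str) -> bool:
    """True if the Cookie header carries a non-empty session cookie value."""
    for part in cookie_field.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value.strip():
            return True
    return False


def is_soap_target(target: str) -> bool:
    """Matches the two SOAP surfaces named in the advisory: the SOAP explorer
    entry point (ilias.php?baseClass=ilSOAPExplorer) and anything under /webservice/soap/."""
    parts = urlsplit(target)
    if parts.path.startswith("/webservice/soap/"):
        return True
    if parts.path.endswith("/ilias.php"):
        return "ilSOAPExplorer" in parse_qs(parts.query).get("baseClass", [])
    return False


def classify(line: str):
    """Return the rule name a log line trips, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    # Rule 1: POST to the tile-image upload handler with no session cookie.
    if (f["method"] == "POST"
            and "tileimageuploadhandler" in f["target"].lower()
            and not has_session(f["cookie"])):
        return "unauth-tile-upload"
    # Rule 2: any SOAP-interface request from a non-internal source address.
    if is_soap_target(f["target"]) and not is_internal(f["ip"]):
        return "external-soap-access"
    return None


def scan(lines):
    """Return (rule, source ip, request target) for every line that trips a rule."""
    findings = []
    for line in lines:
        rule = classify(line)
        if rule:
            m = LOG_RE.match(line)
            findings.append((rule, m.group("ip"), m.group("target")))
    return findings


# Constructed sample log lines (documentation addresses, fictitious sessions).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2026:06:12:01 +0000] "POST /ilias.php?cmdClass=TileImageUploadHandler&cmd=upload HTTP/1.1" 200 512 "-" "curl/8.5" "-"',
    '10.20.30.5 - - [28/May/2026:06:13:10 +0000] "POST /ilias.php?cmdClass=TileImageUploadHandler&cmd=upload HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=a1b2c3; ilClientId=prod"',
    '198.51.100.9 - - [28/May/2026:06:14:22 +0000] "GET /webservice/soap/server.php?wsdl HTTP/1.1" 200 2048 "-" "python-requests/2.31" "-"',
    '192.168.4.20 - - [28/May/2026:06:15:03 +0000] "GET /ilias.php?baseClass=ilSOAPExplorer HTTP/1.1" 200 3100 "-" "Mozilla/5.0" "PHPSESSID=d4e5f6"',
    '203.0.113.7 - - [28/May/2026:06:16:40 +0000] "GET /ilias.php?baseClass=ilSOAPExplorer&cmd=showFunctions HTTP/1.1" 200 3100 "-" "curl/8.5" "-"',
    '203.0.113.8 - - [28/May/2026:06:17:55 +0000] "GET /ilias.php?baseClass=ilDashboardGUI HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "PHPSESSID=x9y8z7"',
]

if __name__ == "__main__":
    for rule, ip, target in scan(SAMPLE_LOG):
        print(f"{rule:<22} {ip:<15} {target}")
```

Feed it the real access log one line at a time (`scan(open(path))`) and forward the findings to the SIEM; the rules deliberately stay separate so the SOAP rule can be switched off once the reverse-proxy ACL is in place while the upload rule keeps running until the patched branch is deployed.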

Tags: vulnerabilities, pre-auth, rce, auth-bypass, sqli, switzerland, dach, europe

2026-05-25

Public administration & identity (CH / DACH lead) — the LMS, SSO and e-government estate under multi-product pressure

notable synthesis · discovered 2026-05-25 05:00 UTC

The week put the public-sector identity and web estate under pressure from several directions at once, with a direct Swiss nexus. ILIAS LMS — the open-source learning platform deployed across German and Swiss public-sector and university estates — shipped nine fixes on 2026-05-27 including two critical access-control gaps (CVSS 9.8 and 9.3), with NCSC.ch flagging the SOAP interface as the primary unauthenticated attack surface (2026-05-28). In parallel, Apereo CAS patched an OIDC-provider flaw that was reported by Coop Switzerland, with CERT-FR issuing CERTFR-2026-AVI-0654 (2026-05-29) — relevant to any CH/EU entity running CAS as an OpenID Connect IdP. Further afield in the same estate class, Lithuania's Centre of Registers lost ~600,000 state-register records to abused institutional credentials with a foreign state suspected (2026-05-27), and Poland's Szafir SDK signature-verification bypass (CVE-2026-9058) struck e-government signing (2026-05-26). The cross-cutting takeaway: the contested surface for public administration this week was the identity and document/learning-platform middleware (SOAP endpoints, OIDC providers, signature SDKs), not the citizen-facing front ends.

Tags: vulnerabilities, identity, auth-bypass, pre-auth, switzerland, dach, europe