
Three RCEs in Ilias Learning Management System

17 points by hack223, today at 3:48 PM, 4 comments

Comments

hannob, today at 4:59 PM

Okay, story time: back in 2018, the German government's foreign ministry was hacked.

At the time, a colleague of mine (we were both working for the German IT news magazine Golem) found a web page by a government-associated university that was offline with a message that it's been taken down due to a security issue.

Putting a few hints together, we figured out that Ilias was hosted there, and that this was how the attack on the government initially started.

We weren't able to figure out which vulnerability was used, but had some ideas what it might've been. (Older versions had a default password for the admin account.)

One wonders: there's an Open Source software that's widely used by universities, even by government-associated universities. It's been the cause of a high-profile attack on a government before. One wonders why that doesn't trigger sufficient funding for regular, high-quality security audits of that software.

Article from 2018: https://www.golem.de/news/government-hack-hack-on-german-gov...

quibono, today at 5:36 PM

Re: the unauthenticated RCE (CVE-2025-11344), am I to understand that Apache will read and honour any .htaccess file it finds, even outside of the config root path? The lack of file clean-up when handling the exception is one thing... but this .htaccess logic strikes me as a bizarre default (if true).
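On the .htaccess question: Apache processes a .htaccess file only in directories covered by a <Directory> block whose AllowOverride is not None; the Apache 2.4 built-in default is None, but distribution and install-guide configurations frequently set AllowOverride All for the whole document root, which makes every writable directory under it a place where a dropped .htaccess takes effect. The fragment below is an added illustration, not from the thread or the Ilias project; the paths are assumptions.

```apache
# Weak (common install-guide setting, assumed docroot path):
# every .htaccess under the docroot is honoured, including one written
# into a directory the application itself can write to.
<Directory "/var/www/ilias">
    AllowOverride All
    Require all granted
</Directory>

# Hardened: replace the block above with the following. No .htaccess is
# read anywhere; directives the application needs go in this file.
<Directory "/var/www/ilias">
    AllowOverride None
    Require all granted
</Directory>

# Assumed writable data/upload directory: additionally refuse to execute
# or serve anything script-like that ends up there.
<Directory "/var/www/ilias/data">
    AllowOverride None
    Options -ExecCGI -Includes
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Validate with `apachectl -t` before reloading; AllowOverride is only meaningful inside <Directory> blocks, so check that no later-loaded vhost or conf.d file re-enables it for the same path.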
