ShinyHunters Exploits Zero‑Day to Deface Canvas Login Portals at 300+ Colleges
On March 12, 2025, the ShinyHunters ransomware group successfully compromised Instructure, the maker of the Canvas learning management system, by exploiting a previously unknown vulnerability in the platform’s authentication infrastructure. The flaw, tracked as CVE‑2025‑2147, allowed the attackers to inject malicious code into the Canvas login portal without providing valid credentials. By targeting more than 300 colleges and universities across the United States, Canada, and the United Kingdom, the group succeeded in replacing the standard login page with a ransom note demanding $5 million in Bitcoin.
The vulnerability resided in the LTI 1.3 Advantage assertion validation routine that Canvas uses to authenticate third‑party tool launches. A misconfigured JWT signature verification step permitted an unauthenticated request to include arbitrary HTML within the portal’s “customize” parameter, which was then rendered without proper sanitization. The injected JavaScript created a full‑screen overlay displaying the extortion message and silently harvested session cookies by sending them to an attacker‑controlled endpoint. Forensic analysis revealed that the threat actors leveraged a compromised administrative API key to propagate the malicious payload across all affected instances.
Instructure’s security team discovered the defacement during a routine monitoring sweep on March 15 and immediately isolated the compromised servers to prevent further spread. The company released an emergency patch (Canvas 2025.02.1) that corrected the JWT validation logic, enforced stricter Content‑Security‑Policy headers, and revoked the abused admin credentials. Institutions were instructed to apply the update, rotate all API keys, and reset passwords for privileged accounts. Instructure also notified the FBI’s Cyber Division and cooperated with external investigators to trace the attack chain.
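The two defects named above, a signature check that does not gate acceptance of the token and a claim value rendered as raw HTML, are the sort of thing a reviewer of the patch would want to see side by side. The following Python is an illustration added to this article, not Canvas or Instructure code and not the actual CVE-2025-2147 code path. It uses an HS256 shared key so it runs offline; real LTI 1.3 launches are signed with asymmetric RS256 keys published in a JWKS, but the validation discipline is the same. The key, issuer, audience and the "customize" claim are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import html
import json
import time
from typing import Optional

# Illustrative code added to this article; it is not Canvas or Instructure code.
# HS256 is used so the example runs offline. LTI 1.3 tool launches use RS256
# keys from a JWKS endpoint, but the order of checks shown here is the same:
# verify the signature first, then iss/aud/exp, then treat claims as untrusted.


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims: dict, key: bytes) -> str:
    """Builds an HS256-signed JWT. Used only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def tamper(token: str, new_claims: dict) -> str:
    """Swaps the payload but keeps the old signature (constructed test input
    standing in for a request whose token does not verify)."""
    header, _payload, signature = token.split(".")
    payload = _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{signature}"


def weak_decode(token: str) -> dict:
    """The defect class described above: claims are read without the signature
    ever deciding whether the token is accepted."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def strict_decode(token: str, key: bytes, issuer: str, audience: str,
                  now: Optional[float] = None) -> dict:
    """Hardened form: pin the algorithm, verify the signature in constant time,
    then check issuer, audience and expiry before any claim is trusted."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg; only HS256 is accepted here")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


def render_customize(claims: dict) -> str:
    """Even a verified token's 'customize' value is data, not markup: escape it
    so a tag is displayed as text instead of being parsed by the browser."""
    return '<div class="customize">' + html.escape(str(claims.get("customize", ""))) + "</div>"


if __name__ == "__main__":
    KEY = b"example-shared-secret"  # constructed
    ISS, AUD = "https://platform.example", "tool-client-id"  # constructed
    good = make_token({"iss": ISS, "aud": AUD, "exp": 2_000_000_000, "customize": "Welcome"}, KEY)
    forged = tamper(good, {"iss": ISS, "aud": AUD, "exp": 2_000_000_000,
                           "customize": "<script>alert(1)</script>"})
    print("weak path accepted:", weak_decode(forged)["customize"])
    try:
        strict_decode(forged, KEY, ISS, AUD)
    except ValueError as err:
        print("strict path rejected:", err)
    print("escaped output:", render_customize(weak_decode(forged)))
```

The two fixes are independent and both belong in the patch: `strict_decode` closes the unauthenticated path, and `render_customize` means that even a token that passes every check cannot turn its "customize" claim into script. A Content-Security-Policy header, as the article says the patch also added, is the third layer behind both.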
ShinyHunters, known for previous high‑profile data leaks on dark‑web forums, has threatened to publish exfiltrated student and faculty records if the ransom remains unpaid. Security researchers recommend that affected schools audit their Canvas API logs for unusual POST requests to the “/api/v1/customize” endpoint, enforce multi‑factor authentication on all admin accounts, and deploy web‑application firewalls to detect similar injection attempts. The incident underscores the ongoing risk posed by unpatched zero‑day flaws in educational technology platforms and highlights the need for rapid incident‑response coordination between vendors and institutions.
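The log audit the researchers recommend can be scripted. The following Python is an example added here, not an Instructure tool: it parses web-server access logs in Apache/nginx combined format, keeps POST requests to "/api/v1/customize", and groups them by client address, flagging sources that post without a browser referer or in quick bursts. The log lines are constructed, and the combined-format layout, the 60-second window and the three-request threshold are assumptions to adjust to the real log source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added illustration, not Instructure tooling. The sample lines are constructed
# in combined log format; the regex and thresholds are assumptions to adapt.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SUSPECT_PATH = "/api/v1/customize"

# Constructed sample: one scripted client posting repeatedly with no referer,
# one admin posting once from the browser settings page, and unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:02:14:01 +0000] "POST /api/v1/customize HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:02:14:03 +0000] "POST /api/v1/customize HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - - [12/Mar/2025:08:30:11 +0000] "GET /login/canvas HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2025:08:31:40 +0000] "POST /api/v1/customize HTTP/1.1" 200 640 "https://canvas.example.edu/accounts/1/settings" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:02:14:05 +0000] "POST /api/v1/customize HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [12/Mar/2025:09:00:00 +0000] "GET /api/v1/courses HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_customize_posts(log_text: str) -> list:
    """Keep only POST requests whose path (query string stripped) is the endpoint."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records
            if r and r["method"] == "POST" and r["path"].split("?", 1)[0] == SUSPECT_PATH]


def suspicious_sources(records: list, burst_count: int = 3, burst_window_s: int = 60) -> dict:
    """Group the hits by client IP and return {ip: [reasons]} for sources worth review."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, hits in by_ip.items():
        reasons = []
        if all(h["referer"] == "-" for h in hits):
            reasons.append("every POST lacks a referer (non-browser client)")
        times = sorted(h["ts"] for h in hits)
        for i in range(len(times) - burst_count + 1):
            if (times[i + burst_count - 1] - times[i]).total_seconds() <= burst_window_s:
                reasons.append(f"{burst_count}+ POSTs within {burst_window_s}s")
                break
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    hits = find_customize_posts(SAMPLE_LOG)
    print(f"{len(hits)} POST(s) to {SUSPECT_PATH}")
    for ip, reasons in suspicious_sources(hits).items():
        print(ip, "->", "; ".join(reasons))
```

Both heuristics are coarse: legitimate API automation also sends no referer, so the output is a review queue rather than a verdict. The useful signal is the combination of a scripted client, a burst of writes to an endpoint that is normally touched once, and any hit that predates the patch window.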