Cyber Posture

CVE-2025-50187

Critical · Public PoC

Published: 02 March 2026
Modified: 03 March 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0060 (69.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Chamilo is a learning management system. Prior to version 1.11.28, a parameter from a SOAP request is evaluated without filtering, which leads to remote code execution. This issue has been patched in version 1.11.28.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent / recover

Directly requires timely flaw remediation by applying the patch released in Chamilo version 1.11.28 to eliminate the RCE vulnerability.

prevent

Mandates validation and filtering of untrusted SOAP request parameters to prevent arbitrary code injection via dynamic evaluation.

detect

Vulnerability scanning identifies deployed instances of vulnerable Chamilo versions prior to exploitation.

Security Summary [AI-generated]

CVE-2025-50187 is a critical remote code execution (RCE) vulnerability in Chamilo, an open-source learning management system. In versions prior to 1.11.28, a parameter from a SOAP request is evaluated without proper filtering, allowing arbitrary code injection. This flaw is categorized under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and comprehensive impact on confidentiality, integrity, and availability.
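As an added illustration, not code from Chamilo or from this page, the following PHP contrasts the CWE-95 pattern the summary describes (request content reaching a dynamic evaluation primitive) with a dispatcher that treats the SOAP parameter purely as data, and adds the version comparison a scanner would apply to satisfy the "detect" control. Every function, constant and parameter name here is an assumption for illustration; the sample inputs are constructed.

```php
<?php
// Constructed illustration of CWE-95 and its fix. NOT Chamilo's code:
// all names below are assumptions chosen for this example.

// Weak pattern: a string taken from the SOAP request reaches eval(), so
// whatever the caller sends is executed as PHP. Shown only for contrast;
// it is never called below.
function weakEvaluate(string $paramFromSoap): mixed
{
    // Do not use: the caller fully controls what eval() runs.
    return eval('return ' . $paramFromSoap . ';');
}

// Hardened pattern: the parameter may only select an operation from a
// fixed allow-list. The string is never interpreted as code, and any value
// outside the list is rejected before anything else happens.
const ALLOWED_OPERATIONS = ['count_users', 'count_courses'];

function hardenedDispatch(string $paramFromSoap, array $data): int
{
    if (!in_array($paramFromSoap, ALLOWED_OPERATIONS, true)) {
        throw new InvalidArgumentException('unsupported operation: ' . $paramFromSoap);
    }
    return match ($paramFromSoap) {
        'count_users'   => count($data['users'] ?? []),
        'count_courses' => count($data['courses'] ?? []),
    };
}

// Detection helper for an inventory script: the advisory states the fix
// shipped in 1.11.28, so any earlier reported version is unpatched.
function isUnpatchedChamilo(string $reportedVersion): bool
{
    return version_compare($reportedVersion, '1.11.28', '<');
}

// Constructed sample data and a constructed non-allow-listed input.
$sample = ['users' => ['a', 'b', 'c'], 'courses' => ['x']];
var_dump(hardenedDispatch('count_users', $sample));
var_dump(isUnpatchedChamilo('1.11.27'));
var_dump(isUnpatchedChamilo('1.11.28'));

try {
    hardenedDispatch('1+1', $sample);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is that input validation alone is not the fix: the hardened form removes the dynamic evaluation entirely, so the request parameter can only ever choose among code the developer wrote, never supply code of its own.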

The vulnerability can be exploited by any unauthenticated attacker with network access to the Chamilo instance. Exploitation requires low complexity and no user interaction, enabling the attacker to execute arbitrary code on the server, potentially leading to full system compromise, data theft, or further lateral movement within the environment.

Chamilo has patched this issue in version 1.11.28. Administrators are advised to upgrade immediately to mitigate the risk. Additional details are available in the GitHub security advisory (GHSA-356v-7xg2-3678) at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-356v-7xg2-3678 and the release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.28.

Details

CWE(s)

CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)

Affected Products

chamilo / chamilo lms ≤ 1.11.28

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-50187 enables unauthenticated remote code execution via exploitation of a public-facing SOAP endpoint in the Chamilo web application, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References