Cyber Posture

CVE-2025-52998

Critical

Published: 02 March 2026
Modified: 03 March 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Chamilo is a learning management system. Prior to version 1.11.30, the application deserializes data that can be spoofed by the client. An attacker can create objects of arbitrary classes and fully control their properties, and thus modify the logic of the web application's operation. This issue has been patched in version 1.11.30.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Requires timely remediation of the unsafe deserialization flaw in Chamilo prior to version 1.11.30 by applying the available patch.
- Prevent: Mandates validation of spoofable serialized data inputs to prevent arbitrary class instantiation and property control that modifies application logic.
- Detect: Facilitates identification of the CWE-502 deserialization vulnerability through vulnerability scanning, enabling prioritization for patching.

Security Summary

CVE-2025-52998 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Chamilo, an open-source learning management system, in versions prior to 1.11.30. The issue arises from unsafe deserialization of spoofable data (CWE-502), enabling attackers to instantiate arbitrary classes and fully control their properties. This flaw allows modification of the web application's operational logic.

The vulnerability can be exploited remotely by unauthenticated attackers over the network with low attack complexity and no user interaction required. By supplying malicious serialized data, an attacker gains the ability to create objects of arbitrary classes and manipulate their properties, potentially leading to severe impacts on confidentiality, integrity, and availability as reflected in the CVSS scores.

Mitigation is available in Chamilo version 1.11.30, which patches the deserialization flaw. Organizations should upgrade to this version immediately. Key resources include the patching commit at https://github.com/chamilo/chamilo-lms/commit/ba7e15d8cfefcd451de939e98d461b17e72eb627, the release announcement at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30, and the GitHub security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-6mwg-2mw5-rx5v.
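The summary above describes the generic CWE-502 pattern: a client-controlled blob is handed to PHP's native deserialization, so the client picks the classes that get instantiated and the values their properties hold. The following is an added example written for this page; it is not Chamilo's code and not the 1.11.30 patch. It contrasts the vulnerable pattern with two hardened alternatives (an HMAC-sealed JSON state, and `allowed_classes => false` for a legacy path that must keep the native format) plus a small detection helper. Function names, the placeholder key and the sample inputs are constructed for illustration; PHP 8+ is assumed for `str_contains` and the `mixed` type.

```php
<?php
// Added example (not Chamilo's code): the CWE-502 pattern behind CVE-2025-52998
// shown as a generic PHP "before" and "after". All names below are constructed.

declare(strict_types=1);

// BEFORE (vulnerable pattern): the serialized blob comes straight from the client,
// so the client chooses which classes are instantiated and what their properties hold,
// and magic methods (__wakeup, __destruct, ...) of those classes run on the server.
function loadStateUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// AFTER, step 1: authenticate the blob so a client cannot spoof it at all.
// The real key must come from server-side configuration; this constant is a placeholder.
const STATE_HMAC_KEY = 'replace-with-a-server-side-secret';

function sealState(array $state): string
{
    $payload = json_encode($state, JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, STATE_HMAC_KEY);
    return base64_encode($mac . '.' . $payload);
}

// AFTER, step 2: verify the MAC in constant time, then decode with a format that
// cannot instantiate objects (JSON decoded into associative arrays).
function loadStateSafe(string $sealed): ?array
{
    $decoded = base64_decode($sealed, true);
    if ($decoded === false || !str_contains($decoded, '.')) {
        return null;
    }
    [$mac, $payload] = explode('.', $decoded, 2);
    $expected = hash_hmac('sha256', $payload, STATE_HMAC_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // spoofed or tampered: reject outright, never "best effort" parse
    }
    $state = json_decode($payload, true, 32, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : null;
}

// If a legacy code path must keep PHP's native format for a while, at least forbid
// object instantiation: any object becomes __PHP_Incomplete_Class, so no magic
// method of an attacker-chosen class executes.
function loadLegacyState(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Detection aid for log or WAF review: a native-format payload from an untrusted
// source that carries an object token (O:<len>:"Class":) deserves an alert.
function containsSerializedObject(string $raw): bool
{
    return preg_match('/(?:^|[;{])O:\d+:"/', $raw) === 1;
}

// Demo with constructed inputs.
$sealed = sealState(['user_id' => 42, 'lang' => 'en']);
var_dump(loadStateSafe($sealed));                          // verified state
var_dump(loadStateSafe(substr($sealed, 0, -4) . 'AAAA'));  // tampered: rejected
var_dump(containsSerializedObject('O:8:"stdClass":0:{}')); // object token present
var_dump(containsSerializedObject('a:1:{i:0;s:2:"ok";}')); // plain array, no object
```

The MAC is the control that addresses "spoofable" data directly: without it, switching to `allowed_classes => false` still lets a client tamper with scalar state, it just stops arbitrary class instantiation. The detection helper is a triage aid, not a filter to build a blocklist on; the durable fix remains not deserializing untrusted input with `unserialize()` at all, which is what upgrading to the patched version achieves for the affected code path.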

Details

CWE(s)

CWE-502 (Deserialization of Untrusted Data)

Affected Products

Vendor: chamilo
Product: chamilo lms
Versions: ≤ 1.11.30

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? Unsafe deserialization in the public-facing Chamilo web application enables unauthenticated remote exploitation, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)
