CVE-2025-50187 is a critical security vulnerability identified in the Chamilo learning management system (LMS), specifically affecting versions prior to 1.11.28. The root cause is an Eval Injection (CWE-95) vulnerability where a parameter received via a SOAP request is dynamically evaluated in the code without proper sanitization or filtering. This improper neutralization allows an attacker to inject malicious directives or code that the system executes, leading to remote code execution (RCE). The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction, making it highly dangerous. The CVSS v3.1 base score is 9.8, reflecting the ease of exploitation and the severe impact on confidentiality, integrity, and availability of the affected systems. Exploiting this flaw could allow attackers to fully compromise the server hosting Chamilo LMS, potentially leading to data theft, system manipulation, or denial of service. Although no known exploits are currently reported in the wild, the critical nature of the flaw and the widespread use of Chamilo in educational institutions worldwide make it a significant threat. The vulnerability was publicly disclosed in March 2026 and has been addressed in Chamilo LMS version 1.11.28. The patch removes the unsafe evaluation of SOAP parameters and implements proper input validation to prevent code injection. Organizations running vulnerable versions should prioritize upgrading to the patched release to eliminate this critical risk.

The impact of CVE-2025-50187 is severe and multifaceted. Successful exploitation results in remote code execution on the affected Chamilo LMS server, granting attackers full control over the system. This can lead to unauthorized access to sensitive educational data, including student records, grades, and personal information, violating confidentiality. Attackers can alter or delete data, undermining data integrity, or disrupt LMS availability by executing destructive commands or deploying ransomware. The compromise of LMS infrastructure can also serve as a pivot point for further attacks within an organization's network. Given Chamilo's role in managing critical educational workflows, such disruptions can severely affect institutional operations and trust. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially in environments where Chamilo LMS is exposed to the internet. Organizations worldwide using vulnerable versions face significant operational, reputational, and compliance risks if exploited.

To mitigate CVE-2025-50187, organizations should immediately upgrade Chamilo LMS to version 1.11.28 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement strict network-level controls to restrict access to the SOAP interface, such as IP whitelisting or VPN-only access. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious SOAP requests containing potentially malicious code or unusual payloads. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters processed by dynamic evaluation functions. Regularly audit and monitor LMS logs for unusual activity indicative of exploitation attempts. Additionally, isolate the LMS server within a segmented network zone to limit lateral movement in case of compromise. Maintain up-to-date backups of LMS data and system configurations to enable rapid recovery. Finally, educate administrators and developers about secure coding practices to prevent similar vulnerabilities in future releases.