CVE-2025-50195 identifies an OS Command Injection vulnerability in Chamilo LMS, a widely used open-source learning management system. The vulnerability is located in the /plugin/vchamilo/views/manage.controller.php script in versions prior to 1.11.30. OS Command Injection (CWE-78) occurs when untrusted input is improperly sanitized and passed to system-level commands, enabling attackers to execute arbitrary commands on the host operating system. In this case, the vulnerability requires the attacker to have high privileges (PR:H) but does not require user interaction (UI:N) or authentication bypass (AT:N). The CVSS 4.0 score of 7.1 reflects a high severity due to the network attack vector (AV:N), low attack complexity (AC:L), and significant impacts on confidentiality, integrity, and availability (each rated high or low as per vector). Exploiting this vulnerability could allow an attacker to execute arbitrary OS commands, potentially leading to full system compromise, data theft, or service disruption. Although no known exploits are reported in the wild, the vulnerability's presence in a critical component of Chamilo LMS makes it a serious risk for educational institutions and organizations relying on this platform. The vendor has patched the issue in version 1.11.30, and users are urged to upgrade promptly.

The impact of CVE-2025-50195 is substantial for organizations using vulnerable versions of Chamilo LMS. Successful exploitation can lead to arbitrary OS command execution, which may result in unauthorized data access, data modification, or deletion, and disruption of LMS services. This can compromise the confidentiality of sensitive educational data, the integrity of course content and user records, and the availability of the LMS platform. Given Chamilo's role in managing learning environments, such disruptions can affect educational continuity and institutional reputation. Attackers with high privileges can leverage this vulnerability to pivot within the network, escalate privileges further, or deploy malware. The lack of required user interaction simplifies exploitation once access is gained, increasing risk. Although no active exploits are known, the vulnerability remains a critical threat until patched, especially in environments where Chamilo LMS is exposed to untrusted networks or users with elevated privileges.

To mitigate CVE-2025-50195, organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability has been patched. Until upgrading is possible, restrict access to the vulnerable /plugin/vchamilo/views/manage.controller.php endpoint by implementing network-level controls such as firewalls or web application firewalls (WAFs) to block unauthorized requests. Enforce the principle of least privilege by limiting user accounts with high privileges and regularly auditing these accounts for suspicious activity. Employ input validation and sanitization on any user-supplied data interacting with system commands, if custom modifications exist. Monitor system and application logs for unusual command execution patterns or access attempts to the vulnerable endpoint. Additionally, isolate the LMS environment from critical internal networks to reduce lateral movement risk. Regularly review and apply security updates from Chamilo and maintain an incident response plan tailored to LMS compromises.