CVE-2025-50197 is an OS Command Injection vulnerability classified under CWE-78, found in the Chamilo Learning Management System (LMS) prior to version 1.11.30. The vulnerability resides in the /main/admin/sub_language_ajax.inc.php script, specifically in the handling of the POST parameter 'new_language'. Due to improper neutralization of special elements in this parameter, an attacker with high privileges can inject and execute arbitrary operating system commands on the server hosting the LMS. The vulnerability does not require user interaction but does require the attacker to have authenticated access with elevated privileges, such as an administrator or privileged user. The CVSS v4.0 base score is 7.1, reflecting a high severity with network attack vector, low attack complexity, no user interaction, and significant impacts on confidentiality, integrity, and availability. The scope is limited to the affected Chamilo LMS installations running versions older than 1.11.30. No public exploits have been reported yet, but the vulnerability poses a critical risk due to the potential for full system compromise. The flaw was reserved in June 2025 and published in March 2026, with the vendor releasing a patch in version 1.11.30 to address the issue by properly sanitizing the 'new_language' parameter to prevent command injection.

The impact of this vulnerability is substantial for organizations using vulnerable versions of Chamilo LMS. Successful exploitation allows attackers with high privileges to execute arbitrary OS commands, potentially leading to full system compromise. This can result in unauthorized data access or modification, disruption of LMS services, and lateral movement within the network. Confidentiality is at risk as sensitive educational data and user information may be exposed. Integrity can be compromised through unauthorized changes to system files or data. Availability may be affected if attackers disrupt LMS operations or deploy ransomware or destructive payloads. Given Chamilo's role in education and training, such disruptions can affect academic continuity and organizational reputation. The requirement for high privileges limits exploitation to insiders or compromised accounts, but the ease of exploitation and network accessibility increase the threat level. Organizations relying on Chamilo LMS for critical training or educational services worldwide should consider this vulnerability a high priority for remediation.

The primary mitigation is to upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability has been patched. Organizations should verify their LMS version and apply the update promptly. Additionally, implement strict access controls to limit administrative privileges to trusted personnel only, reducing the risk of insider threats or compromised accounts being leveraged. Employ network segmentation to isolate LMS servers from broader enterprise networks, minimizing lateral movement opportunities. Enable comprehensive logging and monitoring of administrative actions and unusual command executions on LMS servers to detect potential exploitation attempts early. Conduct regular security audits and vulnerability scans focused on web application inputs to identify similar injection flaws. If immediate patching is not feasible, consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious command injection patterns in POST requests targeting the 'new_language' parameter. Finally, educate administrators on secure coding and parameter validation best practices to prevent recurrence.