Chamilo LMS, an open-source learning management system widely used in educational environments, is affected by a critical deserialization vulnerability identified as CVE-2025-50198 (CWE-502). The vulnerability exists in versions prior to 1.11.30 within the /plugin/vchamilo/views/import.php script, specifically in the handling of POST parameters: configuration_file, course_path, and home_path. These parameters accept serialized data that is not properly validated or sanitized before deserialization, enabling attackers to craft malicious serialized payloads that, when processed, can lead to remote code execution (RCE). The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network (AV:N, AC:L, PR:N, UI:N). The CVSS 4.0 base score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no public exploits have been observed in the wild, the vulnerability poses a significant risk due to the potential for full system compromise. The issue was addressed and patched in Chamilo LMS version 1.11.30, which includes proper validation and safe deserialization mechanisms to prevent exploitation. Organizations running affected versions should prioritize upgrading to mitigate this threat.

Exploitation of CVE-2025-50198 can lead to complete compromise of the affected Chamilo LMS server, allowing attackers to execute arbitrary code remotely. This can result in unauthorized access to sensitive educational data, manipulation or deletion of course content, disruption of LMS availability, and potential lateral movement within the victim network. The breach of confidentiality could expose student records and institutional data, while integrity violations could undermine trust in the LMS platform. Availability impacts could disrupt educational activities and services dependent on Chamilo. Given the lack of authentication and user interaction requirements, the vulnerability can be exploited by any remote attacker scanning for vulnerable instances. The widespread use of Chamilo LMS in academic institutions globally amplifies the potential impact, especially where patching is delayed or where network defenses are insufficient. Organizations failing to remediate may face data breaches, reputational damage, and operational downtime.

1. Immediately upgrade all Chamilo LMS instances to version 1.11.30 or later, where the vulnerability is patched. 2. Restrict network access to the /plugin/vchamilo/views/import.php endpoint, limiting it to trusted administrators or internal networks only. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious POST requests containing serialized data targeting the vulnerable parameters. 4. Conduct thorough logging and monitoring of LMS web traffic for anomalous activity indicative of exploitation attempts. 5. Review and harden server configurations to minimize the impact of potential code execution, including running Chamilo under least privilege accounts and isolating it in containerized or sandboxed environments. 6. Educate LMS administrators about the risks of deserialization vulnerabilities and the importance of timely patching. 7. If immediate patching is not feasible, consider disabling or restricting the import functionality temporarily to reduce attack surface.