Chamilo LMS, an open-source learning management system widely used in educational institutions, suffers from a critical deserialization of untrusted data vulnerability identified as CVE-2025-50198 (CWE-502). The vulnerability exists in versions prior to 1.11.30 within the /plugin/vchamilo/views/import.php script, specifically in the processing of POST parameters named configuration_file, course_path, and home_path. Deserialization vulnerabilities occur when untrusted input is deserialized without proper validation, allowing attackers to manipulate serialized objects to execute arbitrary code, escalate privileges, or disrupt service. This vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction needed, with high impact on availability and low to medium impact on confidentiality and integrity. Although no exploits are currently known in the wild, the vulnerability's nature and ease of exploitation pose a significant threat. The issue was patched in Chamilo LMS version 1.11.30, which properly validates and sanitizes input before deserialization, mitigating the risk.

The exploitation of this vulnerability can have severe consequences for organizations using vulnerable Chamilo LMS versions. Attackers can remotely execute arbitrary code, potentially leading to full system compromise, data theft, or destruction. The integrity of educational content and user data can be compromised, undermining trust and operational continuity. Availability may be disrupted through denial-of-service conditions caused by malicious payloads during deserialization. Since no authentication is required, attackers can target publicly accessible Chamilo LMS instances, increasing the attack surface. Educational institutions, training providers, and organizations relying on Chamilo for critical learning infrastructure face risks of data breaches, service outages, and reputational damage. The vulnerability also poses compliance risks related to data protection regulations if sensitive student or staff data is exposed or altered.

Organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. Until patching is possible, restrict access to the /plugin/vchamilo/views/import.php endpoint using network-level controls such as firewalls or web application firewalls (WAFs) to block unauthorized POST requests. Implement strict input validation and sanitization on any custom integrations interacting with Chamilo LMS. Monitor web server and application logs for unusual POST requests targeting the vulnerable parameters (configuration_file, course_path, home_path). Employ runtime application self-protection (RASP) or intrusion detection systems (IDS) to detect and block deserialization attack patterns. Educate administrators about the risks of deserialization vulnerabilities and ensure secure coding practices are followed in any custom plugin development. Regularly audit and update all LMS components to minimize exposure to known vulnerabilities.