Cyber Resilience

CVE-2025-50187

Critical · Public PoC · RCE

Published: 02 March 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: available (version 1.11.28)
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0088 (54.4th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-50187 is a critical-severity Eval Injection (CWE-95) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-50187 is a critical remote code execution (RCE) vulnerability in Chamilo, an open-source learning management system. In versions prior to 1.11.28, a parameter from a SOAP request is evaluated without proper filtering, allowing arbitrary code injection. This flaw is categorized under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and comprehensive impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by any unauthenticated attacker with network access to the Chamilo instance. Exploitation requires low complexity and no user interaction, enabling the attacker to execute arbitrary code on the server, potentially leading to full system compromise, data theft, or further lateral movement within the environment.

Chamilo has patched this issue in version 1.11.28. Administrators are advised to upgrade immediately to mitigate the risk. Additional details are available in the GitHub security advisory (GHSA-356v-7xg2-3678) at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-356v-7xg2-3678 and the release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.28.

Vulnerability details

Chamilo is a learning management system. Prior to version 1.11.28, a parameter from a SOAP request is evaluated without filtering, which leads to remote code execution. This issue has been patched in version 1.11.28.

CWE(s)

CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, i.e. Eval Injection)

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-50187 enables unauthenticated remote code execution via exploitation of a public-facing SOAP endpoint in the Chamilo web application, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33618 (same product: Chamilo Chamilo Lms)
CVE-2025-52998 (same product: Chamilo Chamilo Lms)
CVE-2025-50192 (same product: Chamilo Chamilo Lms)
CVE-2025-52469 (same product: Chamilo Chamilo Lms)
CVE-2024-47886 (same product: Chamilo Chamilo Lms)
CVE-2025-50188 (same product: Chamilo Chamilo Lms)
CVE-2026-33710 (same product: Chamilo Chamilo Lms)
CVE-2025-50190 (same product: Chamilo Chamilo Lms)
CVE-2026-30875 (same product: Chamilo Chamilo Lms)
CVE-2025-50197 (same product: Chamilo Chamilo Lms)

Affected Assets

Vendor: chamilo
Product: chamilo lms
Versions: ≤ 1.11.28

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent, recover): Directly requires timely flaw remediation by applying the patch released in Chamilo version 1.11.28 to eliminate the RCE vulnerability.

SI-10 Information Input Validation (prevent): Mandates validation and filtering of untrusted SOAP request parameters to prevent arbitrary code injection via dynamic evaluation.

Vulnerability scanning (detect): Identifies deployed instances of vulnerable Chamilo versions prior to exploitation.

References

GitHub security advisory GHSA-356v-7xg2-3678: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-356v-7xg2-3678
Chamilo 1.11.28 release notes: https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.28