Cyber Posture

CVE-2025-50187

Critical · Public PoC · RCE

Published: 02 March 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: available (version 1.11.28)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0063 (70.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-50187 is a critical-severity Eval Injection (CWE-95) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent, recover)

Directly requires timely flaw remediation by applying the patch released in Chamilo version 1.11.28 to eliminate the RCE vulnerability.

SI-10 Information Input Validation (prevent)

Mandates validation and filtering of untrusted SOAP request parameters to prevent arbitrary code injection via dynamic evaluation.

Vulnerability scanning (detect)

Vulnerability scanning identifies deployed instances of vulnerable Chamilo versions prior to exploitation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2025-50187 enables unauthenticated remote code execution via exploitation of a public-facing SOAP endpoint in the Chamilo web application, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Chamilo is a learning management system. Prior to version 1.11.28, a parameter from a SOAP request is evaluated without filtering, which leads to remote code execution. This issue has been patched in version 1.11.28.

Deeper analysis

CVE-2025-50187 is a critical remote code execution (RCE) vulnerability in Chamilo, an open-source learning management system. In versions prior to 1.11.28, a parameter from a SOAP request is evaluated without proper filtering, allowing arbitrary code injection. This flaw is categorized under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and comprehensive impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by any unauthenticated attacker with network access to the Chamilo instance. Exploitation requires low complexity and no user interaction, and it allows the attacker to execute arbitrary code on the server, potentially leading to full system compromise, data theft, or further lateral movement within the environment.

Chamilo has patched this issue in version 1.11.28. Administrators are advised to upgrade immediately to mitigate the risk. Additional details are available in the GitHub security advisory (GHSA-356v-7xg2-3678) at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-356v-7xg2-3678 and the release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.28.

Details

CWE(s)

CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)

Affected Products

Chamilo: Chamilo LMS, ≤ 1.11.28

CVEs Like This One

CVE-2026-33618 (same product: Chamilo Chamilo LMS)
CVE-2025-50188 (same product: Chamilo Chamilo LMS)
CVE-2024-47886 (same product: Chamilo Chamilo LMS)
CVE-2025-52469 (same product: Chamilo Chamilo LMS)
CVE-2025-50190 (same product: Chamilo Chamilo LMS)
CVE-2025-52998 (same product: Chamilo Chamilo LMS)
CVE-2025-50192 (same product: Chamilo Chamilo LMS)
CVE-2026-33710 (same product: Chamilo Chamilo LMS)
CVE-2026-35196 (same product: Chamilo Chamilo LMS)
CVE-2025-50194 (same product: Chamilo Chamilo LMS)
