Cyber Posture

CVE-2025-52998

Critical · RCE

Published: 02 March 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: available (fixed in 1.11.30)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-52998 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Chamilo LMS (vendor Chamilo). Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated mapping)

prevent · SI-2 Flaw Remediation: Requires timely remediation of the unsafe deserialization flaw in Chamilo versions prior to 1.11.30 by applying the available patch.

prevent · SI-10 Information Input Validation: Mandates validation and authentication of serialized inputs that a client can spoof, to prevent arbitrary class instantiation and property control that would modify application logic.

detect: Supports identification of the CWE-502 deserialization flaw through vulnerability scanning, so affected instances can be prioritized for patching.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unsafe deserialization in the public-facing Chamilo web application enables unauthenticated remote exploitation, which maps directly to T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Chamilo is a learning management system. Prior to version 1.11.30, in the application, deserialization of data is performed, the data can be spoofed. An attacker can create objects of arbitrary classes, as well as fully control their properties, and thus modify the logic of the web application's operation. This issue has been patched in version 1.11.30.

Deeper analysis (AI-generated)

CVE-2025-52998 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Chamilo, an open-source learning management system, in versions prior to 1.11.30. The issue arises from unsafe deserialization of spoofable data (CWE-502), enabling attackers to instantiate arbitrary classes and fully control their properties. This flaw allows modification of the web application's operational logic.

The vulnerability can be exploited remotely by unauthenticated attackers over the network, with low attack complexity and no user interaction. By supplying malicious serialized data, an attacker can create objects of arbitrary classes and set their properties, with high impact on confidentiality, integrity, and availability as the CVSS vector (C:H/I:H/A:H) records. The NVD text describes arbitrary object instantiation and property control; in a PHP application such as Chamilo that becomes code execution when a class with a side-effecting magic method (__wakeup, __destruct, __toString) is reachable in the autoload scope, and the description here does not name which classes or request parameters are involved.

Mitigation is available in Chamilo 1.11.30, which patches the deserialization flaw. Organizations running an earlier version should upgrade to 1.11.30 or later without delay. Key resources: the patching commit at https://github.com/chamilo/chamilo-lms/commit/ba7e15d8cfefcd451de939e98d461b17e72eb627, the release announcement at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30, and the GitHub security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-6mwg-2mw5-rx5v.
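The CWE-502 pattern the analysis describes, and the input-validation control (SI-10) the mapping recommends, as an added PHP illustration. This is not Chamilo's code, not the patched code path, and does not reflect which Chamilo endpoint or classes are involved; the TemplateCache class, the loader functions, the file path and STATE_KEY are assumptions for the demo. The vulnerable loader shows how a client-supplied serialized string alone chooses the class and its properties; the hardened loader shows the two checks that stop it (authenticate the blob before unserialize(), and refuse object instantiation).

```php
<?php
// Added illustration; not Chamilo code and not the patched code path.
// It models the CWE-502 pattern the advisory describes: unserialize() on
// attacker-controlled bytes lets the sender pick the class and every
// property of the resulting object, and any magic method on an in-scope
// class (__wakeup, __destruct, __toString ...) then runs on that state.
declare(strict_types=1);

// Hypothetical application class; stands in for whatever side-effecting
// classes are autoloadable in the target. __destruct writes a file whose
// path and contents come from properties the attacker now controls.
final class TemplateCache
{
    public string $path = '';
    public string $body = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->body);
        }
    }
}

// VULNERABLE ("before"): $blob comes straight from the client (cookie, POST
// field, query string). Nothing authenticates it, nothing restricts types.
function loadStateVulnerable(string $blob): mixed
{
    return unserialize($blob);
}

// The attacker never needs the app to create a TemplateCache itself: the
// serialized form alone names the class and assigns its properties.
function buildMaliciousBlob(string $path, string $body): string
{
    return 'O:13:"TemplateCache":2:{'
        . 's:4:"path";s:' . strlen($path) . ':"' . $path . '";'
        . 's:4:"body";s:' . strlen($body) . ':"' . $body . '";}';
}

// HARDENED: (1) accept only blobs this server sealed, checked with an HMAC
// under a server-side key, so spoofed data is rejected before unserialize()
// runs; (2) forbid object instantiation with allowed_classes => false, so a
// leftover "O:" payload can only yield __PHP_Incomplete_Class, never a live
// gadget; (3) validate the decoded shape before trusting it.
const STATE_KEY = 'demo-only-key-use-random-bytes-in-production'; // assumption

function sealState(array $state): string
{
    $payload = serialize($state);
    $mac = hash_hmac('sha256', $payload, STATE_KEY);
    return base64_encode($mac . '|' . $payload);
}

function loadStateHardened(string $token): ?array
{
    $decoded = base64_decode($token, true);
    if ($decoded === false || !str_contains($decoded, '|')) {
        return null;
    }
    [$mac, $payload] = explode('|', $decoded, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, STATE_KEY), $mac)) {
        return null;                                  // spoofed or tampered
    }
    $state = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($state)) {
        return null;                                  // objects are not state
    }
    foreach ($state as $k => $v) {
        if (!is_string($k) || !is_scalar($v)) {       // expected shape only
            return null;
        }
    }
    return $state;
}

// Demo run on constructed inputs. The vulnerable loader hands back a live
// TemplateCache built entirely from the attacker's bytes; releasing it fires
// __destruct and writes the attacker's file. The hardened loader rejects the
// same bytes at the MAC check and accepts only tokens it sealed itself.
$target = sys_get_temp_dir() . '/cve-2025-52998-demo.txt';   // demo path
$evil   = buildMaliciousBlob($target, "attacker-chosen content\n");

$obj = loadStateVulnerable($evil);
echo 'vulnerable loader produced: ' . get_class($obj) . PHP_EOL;
unset($obj);
echo 'file written by gadget: ' . var_export(is_file($target), true) . PHP_EOL;

$forged = base64_encode(str_repeat('0', 64) . '|' . $evil);
echo 'hardened loader on forged token: ' . var_export(loadStateHardened($forged), true) . PHP_EOL;

$token = sealState(['course_id' => 42, 'lang' => 'en']);
echo 'hardened loader on sealed token: ' . var_export(loadStateHardened($token), true) . PHP_EOL;
```

Run it with the `php` CLI. The design point is that allowed_classes => false alone is not a substitute for authenticating the input: it stops gadget instantiation but still lets the client rewrite scalar state, so the HMAC comes first; and where the application only needs arrays of scalars, replacing serialize()/unserialize() with JSON removes the object-instantiation surface entirely.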

Details

CWE(s): CWE-502 Deserialization of Untrusted Data

Affected Products: Chamilo Chamilo LMS, versions prior to 1.11.30 (fixed in 1.11.30)

CVEs Like This One (same product: Chamilo LMS)

CVE-2024-47886
CVE-2026-33618
CVE-2025-50188
CVE-2025-52469
CVE-2025-50192
CVE-2026-33710
CVE-2025-50190
CVE-2025-50187
CVE-2026-28430
CVE-2026-33698

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-6mwg-2mw5-rx5v
https://github.com/chamilo/chamilo-lms/commit/ba7e15d8cfefcd451de939e98d461b17e72eb627
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30