CVE-2025-50198
Deserialization Vulnerability in Chamilo LMS Allows Remote Exploitation
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | to 1.11.30 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability impact me? :
This answer describes the impact as low on confidentiality and integrity but high on availability. Note, however, that the arbitrary code execution it goes on to describe gives an attacker read and write access to everything the web server process can reach, so in practice confidentiality and integrity are fully exposed as well.
An attacker can execute arbitrary code on the server, delete or move files, and obtain a reverse shell, effectively taking control of the host.
That control can also disrupt the availability of the Chamilo LMS service, causing downtime or data loss.
Can you explain this vulnerability to me?
CVE-2025-50198 is a high-severity vulnerability in Chamilo LMS versions prior to 1.11.30, caused by deserialization of untrusted data in the /plugin/vchamilo/views/import.php script via the POST parameters configuration_file, course_path and home_path.

The script hands these parameters to PHP filesystem functions such as is_dir, file_exists and is_readable. When such a function is called on a phar:// path, PHP versions before 8.0 unserialize the archive's metadata as a side effect, so an attacker who can place a crafted phar archive on the server and point one of these parameters at it obtains arbitrary object instantiation during deserialization, altering the application's logic. (PHP 8.0 stopped unserializing phar metadata automatically on file operations, which removes this particular trigger, but the unvalidated path handling in unpatched versions remains unsafe.) With a suitable gadget chain this leads to file deletion, file movement or arbitrary code execution.

Because import.php is an administrator function, the attack needs administrator privileges to trigger it, but not to stage the payload. The scenario described for this CVE is: a malicious phar archive (e.g. test.phar) is uploaded using an account with the Learner role, and an administrator (or an attacker holding an administrator session) then submits the vulnerable import.php form with a path pointing at that archive, resulting in execution of the attacker's payload and a reverse shell connection.

Mitigations include not deserializing untrusted data at all, replacing serialized PHP objects with plain data formats such as JSON or XML, adding integrity checks on serialized data, and validating input before deserialization; for this specific code path, rejecting any stream-wrapper prefix (such as phar://) in the path parameters removes the trigger. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts from the vulnerable endpoint: POST requests to /plugin/vchamilo/views/import.php carrying the parameters configuration_file, course_path and home_path. Two caveats shape what the logs can show. First, Apache and nginx access logs record the request line but not the POST body, so parameter values (and any phar:// prefix in them) are visible in the access log only when they are sent in the query string; body parameters need a WAF such as ModSecurity with request-body logging, or application-level logging. Second, the phar:// wrapper does not care about the file extension, so a payload is as likely to arrive as a renamed .jpg as a .phar; what every phar archive does carry is the PHP stub terminator `__HALT_COMPILER();`, which makes a content search more reliable than a name search.

Since exploitation involves uploading a phar archive (e.g. test.phar) and then triggering deserialization through import.php, useful commands include (paths are examples, adjust to your installation):

- Files under the upload tree whose content carries the phar stub, whatever they are named: `grep -rlaF '__HALT_COMPILER' /path/to/chamilo/uploads`
- Files named *.phar (catches only undisguised uploads): `find /path/to/chamilo/uploads -name '*.phar'`
- POST requests to the vulnerable script: `grep 'POST /plugin/vchamilo/views/import.php' /var/log/apache2/access.log`
- phar:// wrappers or the vulnerable parameter names in request lines, which only matches query-string use: `grep -i 'phar://' /var/log/apache2/access.log` or `grep -i 'configuration_file' /var/log/apache2/access.log`
- On Linux, `ss -tnp` lists TCP connections with their owning process; an established outbound connection owned by a php-fpm or apache2 worker to an unexpected host is a strong sign of the reverse shell described above.

Additionally, monitoring for unusual outbound network connections from the server, and for files appearing or disappearing outside the upload directories, helps detect successful exploitation. [1]
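The checks above, combined into one script as an added example (this is not Chamilo's code and not the page's own commands). It goes beyond the extension-based `find` on the page by searching file contents for the phar stub, so a payload renamed to .jpg is still found, and it runs the access-log sweep with the POST-body caveat made explicit. The UPLOADS and ACCESS_LOG paths, the upload files and the log lines are all constructed here so the script runs offline; real installations have different paths.

```shell
#!/bin/sh
# Added example, not Chamilo's own code: content-based phar detection plus an
# access-log sweep, run against a constructed sample tree so it works offline.
# UPLOADS and ACCESS_LOG are assumptions; real paths differ per installation.

set -u

WORK="${TMPDIR:-/tmp}/chamilo-phar-check.$$"
UPLOADS="$WORK/upload"
ACCESS_LOG="$WORK/access.log"

# Constructed sample data: one honest upload, one undisguised .phar, one phar
# stub hidden behind a GIF header and a .jpg name, and three constructed
# Apache combined-format log lines (documentation-range IP addresses).
make_samples() {
    mkdir -p "$UPLOADS/users/7" "$UPLOADS/courses/ABC"
    printf '<?php __HALT_COMPILER(); ?>\r\n' > "$UPLOADS/users/7/test.phar"
    printf 'GIF89a<?php __HALT_COMPILER(); ?>\r\n' > "$UPLOADS/users/7/avatar.jpg"
    printf 'GIF89a plain image bytes\n' > "$UPLOADS/courses/ABC/logo.gif"
    cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [02/Mar/2026:10:15:01 +0000] "POST /plugin/vchamilo/views/import.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2026:10:15:03 +0000] "GET /main/admin/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Mar/2026:10:16:40 +0000] "GET /plugin/vchamilo/views/import.php?course_path=phar:///srv/chamilo/upload/users/7/avatar.jpg HTTP/1.1" 500 0 "-" "curl/8.4.0"
EOF
}

# Every phar archive ends its PHP stub with __HALT_COMPILER(); the phar://
# wrapper ignores the file name, so search file contents, not extensions.
# -r recurse, -l print names only, -a treat binaries as text, -F fixed string.
find_phar_stubs() {
    grep -rlaF '__HALT_COMPILER' "$UPLOADS" 2>/dev/null
}

# Request lines that hit the vulnerable endpoint or carry a phar:// wrapper.
# Access logs do not contain POST bodies, so parameters sent in the body
# (the normal exploitation path) never show up here; only query-string use does.
find_suspicious_requests() {
    grep -E 'plugin/vchamilo/views/import\.php|phar://' "$ACCESS_LOG"
}

# Line count on stdin without the leading spaces that BSD wc prints.
count_lines() {
    wc -l | tr -d ' '
}

cleanup() {
    rm -rf "$WORK"
}

# Stand-alone run: build the samples, report both findings, clean up.
make_samples
echo "== files carrying a phar stub (regardless of extension) =="
find_phar_stubs
echo "== access-log hits on import.php or phar:// =="
find_suspicious_requests
cleanup
```

On a real system, point UPLOADS at the Chamilo upload root and ACCESS_LOG at the web server log, and drop the make_samples and cleanup calls. Expect the stub search to flag avatar.jpg as well as test.phar, and the log sweep to flag only the two import.php lines; the body-carried parameters of a genuine POST exploitation attempt stay invisible to this sweep.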
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is fixed.
If upgrading is not immediately possible, the following measures reduce exposure until you can:
- Restrict who can reach /plugin/vchamilo/views/import.php at the web server (for example by source address), or disable the vchamilo plugin if it is not in use. The web server itself cannot inspect or block deserialization; it can only limit access to the endpoint. A WAF in front of it (such as ModSecurity) can additionally reject requests whose configuration_file, course_path or home_path values begin with a stream-wrapper prefix like phar://.
- In application code, replace serialized PHP objects with plain data formats such as JSON or XML where possible.
- Add integrity checks, such as an HMAC over serialized data verified before unserialize, so that only data the application itself produced is accepted.
- Validate the path parameters explicitly rather than passing user-controlled values straight to filesystem functions: reject any value containing a scheme prefix (phar://, or more generally anything matching `^[a-z]+://`) and resolve the path against an allowed base directory.
- Restrict uploads to expected file types and check content, not just extension. Blocking the .phar extension alone is not sufficient, because the phar:// wrapper opens an archive under any file name; a phar archive can be recognised by its PHP stub ending in `__HALT_COMPILER();`. Note that the php.ini setting phar.readonly only prevents creating or modifying archives and does not stop phar:// reads.
These steps reduce the risk of exploitation by keeping attacker-controlled paths and archives away from the vulnerable deserialization trigger; they are stopgaps, not a substitute for the upgrade.