Critical vulnerability reported in Chamilo E-Learning platform
Take action: If you are running Chamilo E-Learning platform, time to update it ASAP. You can buy yourself more time by isolating the platform from the Internet, but in most cases that won't be possible. So don't delay because hackers will automate this exploit very soon.
Security researcher Vladimir Vlasov from Positive Technologies (PT SWARM) has discovered a critical vulnerability in Chamilo, a widely used open-source e-learning and content management system.
The vulnerability is tracked as CVE-2024-50337 (CVSS score 9.8). It allows attackers to send unfiltered SOAP requests that could enable remote code execution. The security flaw potentially enables attackers to gain full control over website content, elevate privileges within the system, infiltrate an organization's internal network and distribute malware.
Affected versions: Chamilo 1.11.0 through 1.11.26, with version 1.11.10 (representing 40% of all installations) being particularly vulnerable.
As of January 2025, approximately 486 remotely accessible and vulnerable Chamilo systems were identified worldwide, with 32% being in the United States, 12% in France and 9% in Germany. Per the install base stats of Chamilo, the vulnerability puts approximately 40 million registered accounts at risk, exposing educational institutions and companies using the platform for corporate training.
The Chamilo development team has patched the vulnerability in version 1.11.28. Users are strongly advised to update to Chamilo version 1.11.28 or later. If updates aren't immediately possible, ensure that call_user_func_array is not listed among disabled functions in the php.ini configuration file.
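As an added example (not part of the advisory and not Chamilo's own tooling), the POSIX shell functions below let an administrator audit a host against the two facts above: whether an installed Chamilo version string falls in the affected 1.11.0 to 1.11.26 range, and whether call_user_func_array currently appears in the disable_functions directive of a php.ini. The version string and the php.ini contents are supplied by the caller (the functions assume nothing about where Chamilo or PHP is installed); the php.ini fragment embedded at the bottom is a constructed sample used only to demonstrate the parser.

```shell
#!/bin/sh
# Added example: read-only audit helpers for a Chamilo 1.11.x host.
# Assumptions: the caller supplies the Chamilo version string; php.ini text
# arrives on stdin. Nothing here modifies the system.

# chamilo_version_vulnerable VERSION
# Returns 0 (true) when VERSION is in the affected range 1.11.0 .. 1.11.26,
# 1 otherwise (including malformed or two-component strings like "1.11").
chamilo_version_vulnerable() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    # Require a third component; "1.11" alone is not comparable.
    case $rest in
        *.*) ;;
        *) return 1 ;;
    esac
    minor=${rest%%.*}
    patch=${rest#*.}
    # Drop any suffix such as "-rc1" so the numeric comparison is safe.
    patch=${patch%%[!0-9]*}
    [ "$major" = "1" ] && [ "$minor" = "11" ] || return 1
    [ -n "$patch" ] || return 1
    [ "$patch" -ge 0 ] && [ "$patch" -le 26 ]
}

# php_disable_functions_lists FUNCTION < php.ini
# Returns 0 when FUNCTION is named in the active disable_functions directive
# read from stdin, 1 otherwise. Commented-out lines (leading ';') are ignored;
# if the directive appears more than once, the last occurrence wins, as PHP does.
php_disable_functions_lists() {
    fn=$1
    list=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' \
           | tail -n 1 | cut -d= -f2- | tr -d ' "')
    printf '%s\n' "$list" | tr ',' '\n' | grep -qx "$fn"
}

# Constructed sample php.ini fragment (not taken from any real host).
SAMPLE_INI_WITH='; constructed sample
expose_php = Off
;disable_functions = exec,system
disable_functions = "exec, shell_exec, call_user_func_array"'

SAMPLE_INI_WITHOUT='; constructed sample
disable_functions ='

# Stand-alone usage: report on a hypothetical install.
if [ "${0##*/}" != "sh" ] && [ -z "$CHAMILO_AUDIT_NO_MAIN" ]; then
    ver=${1:-1.11.10}
    if chamilo_version_vulnerable "$ver"; then
        echo "Chamilo $ver: in affected range 1.11.0-1.11.26, update to 1.11.28 or later"
    else
        echo "Chamilo $ver: outside the affected range"
    fi
    if printf '%s\n' "$SAMPLE_INI_WITH" | php_disable_functions_lists call_user_func_array; then
        echo "sample php.ini: call_user_func_array IS listed in disable_functions"
    else
        echo "sample php.ini: call_user_func_array is NOT listed in disable_functions"
    fi
fi
```

Run it as `sh audit.sh 1.11.26` to check a version string; to audit a real configuration, pipe the file in, for example `php_disable_functions_lists call_user_func_array < /path/to/php.ini`, and compare the result against the guidance above. The version parser deliberately refuses to guess when a string lacks a patch component rather than silently treating it as safe.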