PT SWARM expert Vladimir Vlasov discovered a critical vulnerability in Chamilo, an open-source e-learning and content management system. According to the platform's developer, approximately 40 million accounts were registered on the platform by early 2025. Chamilo is used by students and educators, as well as by companies to organize corporate training programs. Exploiting the vulnerability could allow attackers to infiltrate a company's internal network and infect employees' devices with malware. The vendor was notified of the threat in line with the responsible disclosure policy and has already released software patches.
The vulnerability CVE-2024-50337 (BDU:2024-10118) received a CVSS 3.0 score of 9.8. It allowed an attacker to send a SOAP request¹ without parameter filtering, potentially enabling the remote execution of malicious code.
Chamilo versions from 1.11.0 to 1.11.26, including the most widely used version 1.11.10, were affected by the vulnerability. According to vendor statistics, version 1.11.10 accounts for 40% of all installations since the platform's inception. To address the vulnerability, users should promptly update to Chamilo version 1.11.28 or later. If installing security updates is not possible, Vladimir Vlasov recommends ensuring that the php.ini configuration file does not include call_user_func_array among the disabled functions.
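The two checks a defender would run against the facts above, as an added example (not Chamilo's or Positive Technologies' code): whether an installed version falls in the affected range 1.11.0 to 1.11.26 or is already at the recommended 1.11.28 or later, and whether the php.ini in effect lists call_user_func_array under disable_functions, which is the condition the workaround says must not hold. The parser follows PHP's ini rules (last assignment wins, `;` starts a comment, quoted values allowed); the php.ini texts embedded below are constructed sample input.

```python
"""Defender-side checks for the Chamilo CVE-2024-50337 advisory (constructed example).

1. Is the installed Chamilo version in the range the advisory lists as affected?
2. Does the effective php.ini disable call_user_func_array? The advisory's
   workaround requires that it is NOT disabled, so such a php.ini is flagged.
"""
import re
from typing import List, Tuple

AFFECTED_MIN = (1, 11, 0)       # first affected version named in the advisory
AFFECTED_MAX = (1, 11, 26)      # last affected version named in the advisory
FIXED_VERSION = (1, 11, 28)     # "update to 1.11.28 or later"
WATCHED_FUNCTION = "call_user_func_array"


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.11.10' -> (1, 11, 10); tolerates a leading 'v' and a suffix like '-beta'."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def is_affected_version(version: str) -> bool:
    """True when the version lies in the advisory's affected range 1.11.0 .. 1.11.26."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def is_fixed_version(version: str) -> bool:
    """True when the version is the recommended 1.11.28 or later."""
    return parse_version(version) >= FIXED_VERSION


def disabled_functions(ini_text: str) -> List[str]:
    """Return the function names set by the effective disable_functions directive.

    PHP reads ini text top to bottom and the last assignment wins; ';' begins a
    comment; the value may be quoted and is a comma-separated list with optional
    whitespace. Only the text passed in is considered, so concatenate php.ini with
    any conf.d/*.ini files to mirror what PHP actually loads.
    """
    effective: List[str] = []
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop trailing comment
        if not line or line.startswith("["):       # blank line or [section] header
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "disable_functions":
            continue
        value = value.strip().strip('"').strip("'")
        effective = [f.strip() for f in value.split(",") if f.strip()]
    return effective


def workaround_in_place(ini_text: str) -> bool:
    """True when call_user_func_array is available, i.e. the advisory's condition holds."""
    return WATCHED_FUNCTION not in (f.lower() for f in disabled_functions(ini_text))


# Constructed sample php.ini: a generic hardening list that also disables the
# function the advisory says must stay enabled. The second assignment wins.
SAMPLE_INI_DISABLED = """
[PHP]
; hardening list copied from a template
disable_functions = exec,passthru
disable_functions = "exec, passthru, shell_exec, call_user_func_array"  ; last one wins
expose_php = Off
"""

# Constructed sample php.ini that satisfies the workaround condition.
SAMPLE_INI_OK = """
[PHP]
disable_functions = exec,passthru,shell_exec,system
"""


def report(version: str, ini_text: str) -> str:
    """Human-readable summary of both checks for one installation."""
    lines = []
    if is_affected_version(version):
        lines.append(f"Chamilo {version}: in affected range 1.11.0-1.11.26")
    else:
        lines.append(f"Chamilo {version}: not in the affected range")
    if not is_fixed_version(version):
        lines.append("  update to 1.11.28 or later is recommended")
    lines.append("disable_functions = " + (", ".join(disabled_functions(ini_text)) or "(empty)"))
    if workaround_in_place(ini_text):
        lines.append(f"  {WATCHED_FUNCTION} is available: workaround condition met")
    else:
        lines.append(f"  {WATCHED_FUNCTION} is disabled: remove it from disable_functions")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("1.11.10", SAMPLE_INI_DISABLED))
    print()
    print(report("1.11.28", SAMPLE_INI_OK))
```

On a live host the directive PHP actually applies (after all loaded ini files) can be read with `php -r 'echo ini_get("disable_functions");'` and fed to `disabled_functions` as a single line, which avoids guessing which conf.d files are in effect.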
Chamilo is a free platform for course management, hosting webinars, and creating educational materials. It is particularly popular among Spanish, English, and French-speaking users. As of January 2025, open-source data indicated that there were 486 remotely accessible and vulnerable Chamilo systems worldwide. Most of these systems are located in the U.S. (32%), followed by France (12%), Germany (9%), Brazil (5%), and Belgium, Mexico, and Canada (4% each).
Vulnerable Chamilo systems accessible from the internet (%)
Vladimir Vlasov, Senior Banking Security Specialist at Positive Technologies, explained: "Chamilo is used by educational institutions and companies that provide training for their employees. Before the vulnerability was addressed, both regular users and corporate clients with Chamilo installed in their infrastructure were at risk if the vulnerability was exploited. The flaw could have allowed a potential intruder to gain full control over the website's content, elevate privileges, and infiltrate the organization's internal network. Once attackers gained a foothold on the server, they could have attempted to infect employees' devices with malware."
To block attempts to execute malicious code, we recommend using web application firewalls like PT Application Firewall or its cloud version PT Cloud Application Firewall. The product helps protect applications without any modifications, preventing hackers from penetrating the server. NTA solutions, such as PT Network Attack Discovery, and network traffic analysis tools, like PT NGFW, will help you promptly detect attempts to exploit vulnerabilities within your company's network perimeter. Next-generation firewalls go beyond merely detecting exploitation attempts—they prevent them by using an IPS module.
¹ Simple Object Access Protocol (SOAP) is a messaging protocol for exchanging information between web services.