NEWS Welcome to the admin panel. Two SQL injections in Chamilo: How an unauthorized user could hack 40 million accounts

ExcalibuR

PT SWARM discovered 13 vulnerabilities in Chamilo LMS.

PT SWARM experts identified and helped fix 13 vulnerabilities in Chamilo LMS – a popular open-source platform used by universities, schools, and companies for distance and corporate learning. The platform has about 40 million registered accounts.

Researchers Alexey Solovyev, Nikolai Archakov, and Vladimir Vlasov discovered server-side vulnerabilities. Some of them allowed an attacker not only to access data but also to gain complete control over the system. According to the specialists' assessment, these security flaws created risks for private users and organizations, including the threat of data leaks and lateral movement within the internal network.

Among the discovered flaws were critical vulnerabilities of the classes Deserialization of untrusted data, SQL injection, OS command injection, and Blind SSRF. They opened the possibility to inject malicious data, execute arbitrary commands on the server, and send requests to internal systems on behalf of the application.

Two vulnerabilities of the SQL injection class were particularly dangerous, allowing unauthorized users to query the database and obtain confidential information. Subsequently, an attacker could gain access to the admin panel and execute arbitrary code through deserialization errors or command injections.

Below is the complete list of all identified security issues in Chamilo LMS:

PT-2025-35787 / BDU:2025-06901 — CVSS 8.5
PT-2025-35788 / BDU:2025-06902 — CVSS 8.5
PT-2025-35789 / BDU:2025-06903 — CVSS 9.4
PT-2025-35790 / BDU:2025-06904 — CVSS 9.4
PT-2025-35791 / BDU:2025-06905 — CVSS 9.4
PT-2025-37308 / BDU:2025-06906 — CVSS 8.7
PT-2025-37309 / BDU:2025-06907 — CVSS 8.7
PT-2025-37310 / BDU:2025-06908 — CVSS 8.7
PT-2025-37375 / BDU:2025-06909 — CVSS 8.7
PT-2025-37376 / BDU:2025-06910 — CVSS 8.7
PT-2025-37377 / BDU:2025-06911 — CVSS 9.0
PT-2025-37378 / BDU:2025-06912 — CVSS 7.8
PT-2025-39654 / BDU:2025-11697 — CVSS 8.0

All security issues were promptly fixed in the Chamilo LMS 1.11.32 update. Users are strongly advised to install the new version as soon as possible.

For older builds (from 1.11.x to 1.11.28), official remediation guidance is available, published by the developers on GitHub. It includes temporary fixes for SQL injections and data deserialization.

PT SWARM continues to collaborate with the authors of open-source projects, helping to improve the security of popular solutions used in education and business.