CVE-2025-50187
Chamilo · Chamilo LMS
Chamilo LMS is vulnerable to Remote Code Execution via an unvetted SOAP request parameter, allowing unauthenticated attackers to execute arbitrary commands on the host server.
Executive summary
Chamilo LMS versions prior to 1.11.28 are vulnerable to unauthenticated Remote Code Execution (RCE) via a SOAP request, posing a critical threat to server integrity.
Vulnerability
The vulnerability exists due to the improper evaluation of parameters within SOAP requests. An unauthenticated remote attacker can submit a specially crafted SOAP payload that the application evaluates without sufficient filtering, leading to arbitrary code execution.
Business impact
The ability to execute remote code allows an attacker to compromise the underlying server, access the database, and potentially pivot into the internal network. With a CVSS score of 9.8, the impact is catastrophic, involving the potential loss of all student and institutional data and total system downtime.
Remediation
Immediate Action: Upgrade Chamilo LMS to version 1.11.28 or higher to address the insecure parameter evaluation in the SOAP interface.
Proactive Monitoring: Monitor server logs for unusual SOAP requests or unexpected outbound network connections from the LMS web server, which may indicate a successful compromise.
Compensating Controls: Restrict access to the SOAP API endpoints at the network level or via a WAF to only allow traffic from trusted, known IP addresses.
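A defender-side check that combines the monitoring and access-restriction items above, added here as an example (it is not Chamilo's code and not part of the advisory): it parses web-server access-log lines in Apache/nginx combined format and flags requests to the SOAP endpoints that originate from IPs outside a trusted allowlist. The /main/webservices/ path prefix, the allowlisted networks and the sample log lines are assumptions constructed for the example.

```python
"""Flag SOAP requests to assumed Chamilo webservice paths from non-allowlisted IPs."""
import ipaddress
import re

# Assumption: the LMS serves its SOAP webservices under this path prefix.
SOAP_PATH_PREFIX = "/main/webservices/"

# Constructed allowlist: networks permitted to reach the SOAP API (compensating control).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.10/32")]

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    """True if ip falls inside any allowlisted network; unparsable IPs are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious_soap_requests(lines):
    """Return (ip, path, method, status) for SOAP-endpoint hits from outside the allowlist.
    Both POSTs (actual SOAP calls) and GETs (e.g. ?wsdl discovery) are reported."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # skip malformed or non-combined lines
        path = rec["path"].split("?", 1)[0]  # compare the path without the query string
        if path.startswith(SOAP_PATH_PREFIX) and not is_trusted(rec["ip"]):
            findings.append((rec["ip"], rec["path"], rec["method"], int(rec["status"])))
    return findings

# Constructed sample log lines (documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "POST /main/webservices/soap.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.1.2.3 - - [10/Jan/2025:12:00:02 +0000] "POST /main/webservices/soap.php HTTP/1.1" 200 480 "-" "lms-sync/1.0"',
    '203.0.113.5 - - [10/Jan/2025:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2025:12:00:04 +0000] "GET /main/webservices/soap.php?wsdl HTTP/1.1" 200 3200 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious_soap_requests(SAMPLE_LOG):
        print("untrusted SOAP request:", hit)
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines; a hit from an unknown source, especially a POST, is the "unusual SOAP request" the remediation list asks you to look for.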
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of an unauthenticated RCE cannot be overstated. IT administrators should prioritize the deployment of version 1.11.28 and verify that all SOAP-related endpoints are properly secured or restricted to minimize the attack surface.