
CVE-2025-10011: SQL Injection in Portabilis i-Educar

Severity: Medium
Tags: Vulnerability, CVE-2025-10011
Published: Fri Sep 05 2025 (09/05/2025, 14:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A weakness has been identified in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /module/TabelaArredondamento/edit. Manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used.

AI-Powered Analysis

Last updated: 09/05/2025, 14:41:21 UTC

Technical Analysis

CVE-2025-10011 is a medium severity SQL injection vulnerability affecting Portabilis i-Educar versions up to 2.10. The vulnerability resides in an unspecified function within the file /module/TabelaArredondamento/edit, where manipulation of the 'ID' argument allows an attacker to inject SQL into a database query. The CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates that the flaw is exploitable over the network with low attack complexity, without user interaction, and with only low privileges rather than elevated ones. The impact on confidentiality, integrity, and availability is rated low (VC:L, VI:L, VA:L), suggesting that while the attacker can manipulate database queries, the scope of damage is somewhat constrained. Because low privileges are required, an attacker with some level of access (for example, a low-privileged user account) can exploit the flaw remotely. Although no exploitation in the wild is currently known, exploit code has been made publicly available, which increases the risk of exploitation. The affected module relates to grade rounding tables (TabelaArredondamento), which are part of the educational data processing in the i-Educar platform. Given that i-Educar is an open-source school management system widely used in educational institutions, exploitation could lead to unauthorized data access, data manipulation, or disruption of educational services.

Potential Impact

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to sensitive student and administrative data. Exploitation could lead to data breaches involving personal information, manipulation of academic records, or denial of service through database corruption. The medium severity indicates a moderate risk; however, the impact could be significant in environments where data integrity and confidentiality are paramount, such as schools and educational authorities. Disruption of educational services could affect operational continuity, compliance with data protection regulations like GDPR, and damage institutional reputation. Since the vulnerability requires low privileges but no user interaction, attackers could leverage compromised low-level accounts or exploit other weaknesses to gain initial access and then perform SQL injection attacks remotely.

Mitigation Recommendations

Organizations should immediately audit their use of Portabilis i-Educar versions up to 2.10 and plan for an upgrade or patch once available from the vendor. In the absence of an official patch, applying web application firewall (WAF) rules to detect and block SQL injection patterns targeting the /module/TabelaArredondamento/edit endpoint can reduce risk. Restricting access to the affected module to trusted users and networks, implementing strict input validation and parameterized queries in custom deployments, and monitoring logs for suspicious database query patterns are recommended. Additionally, enforcing the principle of least privilege for user accounts can limit the potential for exploitation. Regular security assessments and penetration testing focused on injection flaws should be conducted. Backup and recovery plans must be verified to ensure rapid restoration in case of data corruption.
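The following Python example is added here to illustrate two of the recommendations above, strict input validation with parameterized queries and log monitoring for the affected endpoint. It is not code from i-Educar or from the advisory; the table name, the column names, the use of sqlite3, the assumption that ID arrives as an HTTP query parameter, and the sample log lines are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample schema; the real i-Educar schema is not on the page and is
# not assumed here. Only the shape matters: an integer primary key looked up by ID.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabela_arredondamento (id INTEGER PRIMARY KEY, nome TEXT)")
    conn.executemany(
        "INSERT INTO tabela_arredondamento VALUES (?, ?)",
        [(1, "Padrao"), (2, "Meio ponto"), (3, "Inteiro")],
    )
    return conn


def lookup_unsafe(conn, raw_id):
    # Anti-pattern: the request parameter is spliced into the SQL text, so the
    # database parses attacker-controlled characters as part of the query.
    sql = f"SELECT id, nome FROM tabela_arredondamento WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


class InvalidId(ValueError):
    """Raised when the ID parameter is not a plain positive integer."""


ID_PATTERN = re.compile(r"[1-9][0-9]*")


def parse_id(raw_id):
    # Allow-list validation: only a positive decimal integer is accepted.
    if not ID_PATTERN.fullmatch(raw_id or ""):
        raise InvalidId(f"rejected ID parameter: {raw_id!r}")
    return int(raw_id)


def lookup_safe(conn, raw_id):
    # Parameterized query: the validated value is bound separately from the SQL
    # text, so it can never change the structure of the statement.
    row_id = parse_id(raw_id)
    return conn.execute(
        "SELECT id, nome FROM tabela_arredondamento WHERE id = ?", (row_id,)
    ).fetchall()


def safe_rejects(conn, raw_id):
    # Convenience wrapper so callers can check rejection without catching exceptions.
    try:
        lookup_safe(conn, raw_id)
    except InvalidId:
        return True
    return False


# Assumed access-log shape (common/combined format) and assumed GET parameter
# name "ID" on the endpoint named in the advisory.
LOG_RE = re.compile(
    r'"(?:GET|POST) /module/TabelaArredondamento/edit\?[^"]*\bID=([^&\s"]*)'
)


def flag_suspicious_requests(log_lines):
    # Monitoring helper: return the log lines whose ID value (as logged, so
    # possibly URL-encoded) is not a plain positive integer.
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and not ID_PATTERN.fullmatch(m.group(1)):
            flagged.append(line)
    return flagged


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2025:14:02:06 +0000] "GET /module/TabelaArredondamento/edit?ID=2 HTTP/1.1" 200 512',
    '10.0.0.7 - - [05/Sep/2025:14:02:09 +0000] "GET /module/TabelaArredondamento/edit?ID=2%20OR%201%3D1 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [05/Sep/2025:14:02:11 +0000] "GET /module/Outro/index HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", lookup_safe(db, "2"))
    print("unsafe lookup with tautology:", lookup_unsafe(db, "1 OR 1=1"))
    print("safe lookup rejects tautology:", safe_rejects(db, "1 OR 1=1"))
    for line in flag_suspicious_requests(SAMPLE_LOG):
        print("FLAGGED:", line)
```

The validation step is deliberately an allow-list on the whole parameter rather than an attempt to strip dangerous characters; combined with a bound parameter, the ID can only ever reach the database as an integer. The log helper implements the "monitor logs for suspicious query patterns" recommendation at the HTTP layer, which is where the WAF rule mentioned above would also sit.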


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-05T08:47:47.341Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68baf67b04f80bd19b650cff

Added to database: 9/5/2025, 2:40:59 PM

Last enriched: 9/5/2025, 2:41:21 PM

Last updated: 9/5/2025, 8:04:45 PM
