CVE-2025-10012: SQL Injection in Portabilis i-Educar
A security vulnerability has been detected in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file educar_historico_escolar_lst.php. Such manipulation of the argument ref_cod_aluno leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-10012 is a medium severity SQL Injection vulnerability affecting Portabilis i-Educar versions 2.0 through 2.10. The vulnerability resides in an unspecified function within the file educar_historico_escolar_lst.php, specifically involving the manipulation of the argument ref_cod_aluno. An attacker can exploit this flaw by crafting malicious input for this parameter, which is not properly sanitized, allowing arbitrary SQL commands to be injected and executed on the backend database. This vulnerability can be exploited remotely without requiring user interaction or authentication, increasing its risk profile. The CVSS 4.0 base score is 5.3, reflecting a network attack vector with low complexity and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is rated low, indicating that while the attacker can execute SQL commands, the scope of damage or data exposure is limited or partially mitigated. No public exploits are currently known in the wild, but the vulnerability details have been publicly disclosed, which could lead to future exploitation attempts. The lack of available patches or mitigation links suggests that organizations must proactively apply custom mitigations or await vendor updates. Given that i-Educar is an educational management system, the vulnerability could expose sensitive student records or allow unauthorized data manipulation within educational institutions using this software.
Potential Impact
For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to student data, including academic records and personal information. Successful exploitation could lead to data breaches, undermining privacy compliance obligations under GDPR and damaging institutional reputation. Although the CVSS score indicates a medium severity with limited impact, the ability to execute arbitrary SQL commands remotely without authentication means attackers could potentially escalate the attack to extract or alter sensitive data. This could disrupt educational operations, lead to data integrity issues, and require costly incident response efforts. The exposure of personal data could also trigger regulatory penalties. Since i-Educar is primarily used in educational environments, the impact is concentrated but significant for affected entities. The lack of known exploits in the wild currently reduces immediate risk, but public disclosure increases the likelihood of future attacks, making timely mitigation critical.
Mitigation Recommendations
Organizations should immediately audit their use of Portabilis i-Educar versions 2.0 through 2.10 and identify instances of the vulnerable component educar_historico_escolar_lst.php. Until official patches are released, implement input validation and sanitization on the ref_cod_aluno parameter to block malicious SQL payloads. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting this parameter. Restrict database user permissions to the minimum necessary to limit the impact of any injection. Monitor application logs for unusual query patterns or errors indicative of injection attempts. Conduct penetration testing focused on SQL injection vectors to verify mitigation effectiveness. Engage with the vendor for patch timelines and apply updates promptly once available. Additionally, ensure regular backups of the database to enable recovery in case of data corruption or loss. Educate IT staff and developers on secure coding practices to prevent similar vulnerabilities in custom modules or integrations.
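The two controls above that live in application code, strict validation of ref_cod_aluno and least-privilege, parameterised database access, look like this in PHP. This is an added example written for this page, not code from i-Educar or Portabilis; the table and column names, the PostgreSQL DSN and the credentials are placeholders, and it assumes PHP 8 with the PDO extension. The last function covers the "monitor application logs" recommendation: because ref_cod_aluno is a numeric id, any request where it is not a plain integer is worth reviewing, which avoids maintaining a catalogue of SQL patterns.

```php
<?php
// Added example, not code from i-Educar: hardened handling of a numeric
// request parameter such as ref_cod_aluno, plus a log check for malformed values.
declare(strict_types=1);

/**
 * Validate that a raw request value is a positive integer id.
 * Returns the int, or null when the value is missing, an array, or malformed.
 */
function parseStudentId(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only an integer literal, so quotes,
    // spaces, comment markers or SQL keywords can never reach the query.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch transcript rows for one student with a prepared statement.
 * The table and column names are assumptions made for this example.
 */
function fetchHistoricoEscolar(PDO $db, int $refCodAluno): array
{
    $stmt = $db->prepare(
        'SELECT ref_cod_aluno, ano, situacao
           FROM historico_escolar
          WHERE ref_cod_aluno = :aluno'
    );
    // Bound as an integer: the value is data and is never spliced into the SQL text.
    $stmt->bindValue(':aluno', $refCodAluno, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Detection helper: return access-log lines whose ref_cod_aluno value is not
 * a plain integer. Anything else on a numeric id parameter is an anomaly
 * that the application or WAF logs should surface for review.
 */
function findMalformedRefCodAluno(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (preg_match('/[?&]ref_cod_aluno=([^&\s"]*)/', $line, $m)
            && !preg_match('/^\d+$/', rawurldecode($m[1]))) {
            $hits[] = $line;
        }
    }
    return $hits;
}

/** Request handler for the list page: refuses bad input before any SQL is built. */
function handleRequest(PDO $db): void
{
    $refCodAluno = parseStudentId($_GET['ref_cod_aluno'] ?? null);
    if ($refCodAluno === null) {
        http_response_code(400);
        error_log(sprintf('rejected ref_cod_aluno=%s from %s',
            var_export($_GET['ref_cod_aluno'] ?? null, true),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('invalid ref_cod_aluno');
    }
    header('Content-Type: application/json');
    echo json_encode(fetchHistoricoEscolar($db, $refCodAluno));
}

if (PHP_SAPI === 'cli') {
    // Constructed sample log lines (not real traffic) to exercise the detection helper.
    $sample = [
        '10.0.0.5 - - [05/Sep/2025:14:40:59 +0000] "GET /educar_historico_escolar_lst.php?ref_cod_aluno=1234 HTTP/1.1" 200 512',
        '10.0.0.9 - - [05/Sep/2025:14:41:10 +0000] "GET /educar_historico_escolar_lst.php?ref_cod_aluno=1234%27 HTTP/1.1" 200 498',
        '10.0.0.9 - - [05/Sep/2025:14:41:12 +0000] "GET /educar_historico_escolar_lst.php?ref_cod_aluno=abc HTTP/1.1" 500 0',
    ];
    // Lists every sample line whose ref_cod_aluno value is not a plain integer.
    print_r(findMalformedRefCodAluno($sample));
} else {
    // DSN and credentials are placeholders. A read-only database role for list
    // pages limits what any injection elsewhere in the application could do.
    $db = new PDO('pgsql:host=DB_HOST;dbname=DB_NAME', 'DB_RO_USER', 'DB_RO_PASSWORD',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    handleRequest($db);
}
```

Run from the command line it only exercises the log check against the constructed sample; under a web server it serves the request. Disabling emulated prepares makes PDO send the statement and the bound value to the server separately, so the validation step and the prepared statement are two independent layers: even if the integer check were ever bypassed, the parameter could still not alter the query structure.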
Affected Countries
Portugal, Spain, Italy, France, Germany
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-05T08:47:50.371Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68baf67b04f80bd19b650cf9
Added to database: 9/5/2025, 2:40:59 PM
Last enriched: 9/5/2025, 2:41:34 PM
Last updated: 9/5/2025, 5:14:48 PM