
CVE-2025-10072: Improper Access Controls in Portabilis i-Educar

Medium
Published: Sun Sep 07 2025 (09/07/2025, 23:02:07 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /matricula/[ID_STUDENT]/enturmar/. Performing manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

AI-Powered Analysis

Last updated: 09/07/2025, 23:11:24 UTC

Technical Analysis

CVE-2025-10072 is a medium-severity vulnerability affecting Portabilis i-Educar versions up to 2.10. It arises from improper access controls in the processing of the URL path /matricula/[ID_STUDENT]/enturmar/: the endpoint does not adequately enforce authorization checks, so a remote attacker can manipulate requests to access or modify student enrollment data they are not authorized to handle. Exploitation requires no user interaction and no authentication, which raises the risk profile. The CVSS 4.0 base score is 5.3, reflecting a network attack vector, low attack complexity and no privileges required, with low impact on confidentiality, integrity and availability. The weakness is therefore not critical in any single dimension, but it could allow unauthorized disclosure or modification of student enrollment records. No official patches or fixes have been linked yet. No exploitation in the wild has been reported, but the exploit details have been publicly disclosed, which increases the likelihood of exploitation attempts. Because i-Educar is an educational management system, the vulnerability could expose sensitive student information or allow unauthorized changes to enrollment records, affecting data privacy and operational integrity at institutions that run the software.

Potential Impact

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability could lead to unauthorized access or modification of student enrollment data. This may result in breaches of student privacy, violations of data protection regulations such as GDPR, and potential reputational damage. Although the impact on system availability is low, the integrity and confidentiality of sensitive educational records could be compromised. This could affect administrative processes, student record accuracy, and trust in the institution's data management. Furthermore, unauthorized data access could be leveraged for further social engineering or targeted attacks against the institution. The medium severity rating suggests that while the threat is not critical, it requires timely attention to prevent exploitation, especially given the public availability of exploit information.

Mitigation Recommendations

Organizations should immediately review and restrict access controls on the /matricula/[ID_STUDENT]/enturmar/ endpoint within their i-Educar deployments. Specific mitigation steps:

1) Implement strict authorization checks so that users can only access or modify enrollment data for students they are authorized to manage.
2) Monitor and log access to this endpoint for unusual or unauthorized activity.
3) Apply network-level restrictions such as IP whitelisting or VPN access to limit exposure of the vulnerable endpoint.
4) Conduct a thorough audit of current user permissions and enrollment data access policies.
5) Engage with Portabilis for any forthcoming patches or updates and apply them promptly once available.
6) Educate administrative staff on the risks and signs of potential exploitation.
7) Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block suspicious requests targeting this endpoint.

These measures focus on access control enforcement and monitoring specific to the vulnerable functionality rather than on generic hardening.
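As an added illustration of mitigation steps 1 and 2 (example code, not from i-Educar or Portabilis), the following Python sketch scopes the enturmar endpoint to the students a staff account is allowed to manage and replays access-log lines through that policy to flag requests the server should have denied. The user-to-student mapping, the log format and the path regex are assumptions constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Assumption (constructed, not i-Educar's data model): which student IDs
# each staff account is permitted to enrol into classes.
MANAGED_STUDENTS = {
    "secretaria_a": {101, 102, 103},
    "secretaria_b": {204},
}

# The vulnerable path from the advisory, with [ID_STUDENT] as a numeric capture.
ENTURMAR_RE = re.compile(r"^/matricula/(?P<student_id>\d+)/enturmar/?$")

def authorize_enturmar(user: Optional[str], path: str) -> bool:
    """Server-side check for mitigation step 1: allow only when an
    authenticated user is permitted to manage the student named in the path.
    Unauthenticated requests and unrecognised paths are denied."""
    match = ENTURMAR_RE.match(path)
    if match is None or user is None:
        return False
    student_id = int(match.group("student_id"))
    return student_id in MANAGED_STUDENTS.get(user, set())

def flag_suspicious(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Mitigation step 2: replay access-log lines through the policy and
    report enturmar requests the server answered 2xx although the policy
    would have denied them (a sign the access check was missing or bypassed)."""
    flagged = []
    for line in log_lines:
        # Constructed log format: "<user or -> <METHOD> <path> <status>"
        user, _method, path, status = line.split()
        if not ENTURMAR_RE.match(path) or not status.startswith("2"):
            continue
        if not authorize_enturmar(None if user == "-" else user, path):
            flagged.append((user, path))
    return flagged

# Constructed sample log: one legitimate request, one cross-student request,
# one unauthenticated request and one request outside the endpoint.
SAMPLE_LOG = [
    "secretaria_a POST /matricula/101/enturmar/ 200",
    "secretaria_a POST /matricula/204/enturmar/ 200",
    "- POST /matricula/102/enturmar/ 200",
    "secretaria_b GET /matricula/204/ 200",
]

if __name__ == "__main__":
    for user, path in flag_suspicious(SAMPLE_LOG):
        print(f"should have been denied: user={user} path={path}")
```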


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-07T11:45:30.000Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68be110862f0ad016f7a9926

Added to database: 9/7/2025, 11:11:04 PM

Last enriched: 9/7/2025, 11:11:24 PM

Last updated: 9/8/2025, 6:22:44 AM

