CVE-2025-10072: Improper Access Controls in Portabilis i-Educar
A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /matricula/[ID_STUDENT]/enturmar/. Performing manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-10072 is a medium-severity vulnerability affecting Portabilis i-Educar versions up to 2.10. It arises from improper access controls in the handling of the URL path /matricula/[ID_STUDENT]/enturmar/, where [ID_STUDENT] is a student identifier supplied in the request path. The endpoint appears to handle class assignment during enrollment ("enturmar" is Portuguese for placing a student into a class). Because the authorization check on this endpoint is insufficient, a remote attacker can manipulate the request to read or modify enrollment data for students they are not entitled to act on. The CVSS 4.0 vector recorded for the issue indicates a network attack vector with low attack complexity, no attack requirements (AT:N, which concerns preconditions of the attack, not authentication), low privileges required (PR:L, meaning the attacker needs an account with ordinary user rights), no user interaction, and partial (low) impact on confidentiality, integrity and availability. The vulnerability is therefore exploitable by any authenticated low-privilege user rather than by an unauthenticated one. Exploit details have been made public, which increases the likelihood of exploitation even though no exploitation in the wild is currently known. The affected range spans versions 2.0 through 2.10, indicating a long-standing issue in the product. No patch link is given in the advisory, so a fix may not yet be available or publicly disclosed. Successful exploitation could allow attackers to access or modify sensitive student enrollment data, leading to data exposure, unauthorized data manipulation, or disruption of educational administrative processes.
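The flaw class described above, in which an endpoint trusts the student identifier taken from the path, is illustrated by the following added example. It is not i-Educar code and does not reproduce the real handler: the roles ("admin", "secretary", "teacher"), the school-to-user assignment and the sample enrollments are assumptions made for the illustration. The vulnerable handler only checks that the caller is logged in; the hardened handler loads the object first and then verifies the caller is authorized for that specific student.

```python
"""Added illustration of the access-control flaw class in CVE-2025-10072.

NOT i-Educar code: a constructed, framework-free model of a
"/matricula/<student_id>/enturmar/" handler. Roles, schools and sample
enrollments below are assumptions for the example only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Route shape from the advisory: /matricula/[ID_STUDENT]/enturmar/
PATH_RE = re.compile(r"^/matricula/(\d+)/enturmar/?$")


def parse_student_id(path: str) -> int | None:
    """Return the student id embedded in the path, or None if the path
    does not match the enturmar route."""
    m = PATH_RE.match(path)
    return int(m.group(1)) if m else None


class Forbidden(Exception):
    """Raised when the caller may not act on the requested student."""


@dataclass
class User:
    username: str
    role: str                                   # assumed: admin | secretary | teacher
    school_ids: set[int] = field(default_factory=set)


@dataclass
class Enrollment:
    student_id: int
    school_id: int
    class_id: int | None = None


# Constructed sample data: two schools, three enrollments.
ENROLLMENTS = {
    101: Enrollment(student_id=101, school_id=1),
    102: Enrollment(student_id=102, school_id=1),
    201: Enrollment(student_id=201, school_id=2),
}


def enturmar_vulnerable(user: User | None, student_id: int, class_id: int) -> Enrollment:
    """Vulnerable pattern: authentication only. Any logged-in user can
    reassign any student whose id they put in the path (an insecure
    direct object reference), e.g. a school-1 secretary acting on school 2."""
    if user is None:
        raise Forbidden("login required")
    enrollment = ENROLLMENTS[student_id]
    enrollment.class_id = class_id
    return enrollment


def can_manage_student(user: User, enrollment: Enrollment) -> bool:
    """Object-level authorization: admins may act on any student; other
    staff only on students enrolled at a school assigned to them."""
    if user.role == "admin":
        return True
    if user.role in ("secretary", "teacher"):
        return enrollment.school_id in user.school_ids
    return False


def enturmar_hardened(user: User | None, student_id: int, class_id: int) -> Enrollment:
    """Hardened pattern: authenticate, load the object, then authorize the
    caller against that object before changing it."""
    if user is None:
        raise Forbidden("login required")
    enrollment = ENROLLMENTS.get(student_id)
    if enrollment is None or not can_manage_student(user, enrollment):
        # One response for "not found" and "not yours", so the endpoint
        # cannot be used to enumerate which student ids exist.
        raise Forbidden("not authorized for this student")
    enrollment.class_id = class_id
    return enrollment
```

The important design point is the ordering in the hardened handler: the record is looked up first and the decision is made on the record's attributes (its school), not on anything the client supplied beyond the identifier. Returning the same error for a missing record and an unauthorized one keeps the endpoint from doubling as a student-id oracle.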
Potential Impact
For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability puts the confidentiality and integrity of student data at risk. Unauthorized access to enrollment information could constitute a personal-data breach under GDPR, exposing institutions to regulatory penalties and reputational damage; the records concern minors, which heightens their sensitivity. Manipulation of enrollment or class-assignment records could corrupt academic records and disrupt student progression and day-to-day school administration. Because exploitation requires only an ordinary user account rather than administrative rights, the practical attacker population includes every user of the platform, and weak, shared or phished credentials widen that exposure. The medium severity rating indicates moderate risk, but the public availability of exploit details increases the urgency of mitigation. European educational bodies with digitalized student management systems should treat this as a priority for both compliance and operational continuity.
Mitigation Recommendations
Organizations should immediately inventory their Portabilis i-Educar deployments and identify instances at version 2.10 or earlier. Until an official fix is published, reduce exposure at the network layer: restrict the application, or at least its administrative paths, to institutional IP ranges or VPN access. Note that blanket WAF blocking of /matricula/[ID_STUDENT]/enturmar/ would also break legitimate class-assignment work, so WAF rules are better used to rate-limit and alert on a single session requesting many distinct [ID_STUDENT] values in a short period, which is the signature of someone enumerating records they should not reach. Ensure access logs record the authenticated user alongside the request path so that such activity can be attributed, and review them for this endpoint. Because the flaw is a missing authorization check rather than missing authentication, also tighten account hygiene: remove dormant accounts, enforce strong credentials and apply least privilege so that the pool of users able to reach the endpoint is as small as possible. Once a patch is available, prioritize its deployment and confirm that it covers the full affected range (2.0 through 2.10). In parallel, have the application's access control reviewed so that every endpoint taking a student identifier in the path verifies that the caller is authorized for that specific student, not merely logged in. Consider isolating the application in a segmented network zone, and keep regular backups of enrollment data to enable recovery from data manipulation.
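The log review and enumeration alerting recommended above can be scripted against ordinary web-server access logs. The following is an added example, not a tool shipped with i-Educar or part of the advisory: the log lines are constructed (Combined Log Format with the authenticated username in the remote-user field), and the allowlisted network, the distinct-student threshold and the time window are assumed values that a deployment would tune.

```python
"""Added example: detection over access logs for CVE-2025-10072 activity.

Not part of i-Educar or of the advisory. Flags (1) requests to the
/matricula/<id>/enturmar/ route from outside an allowlisted network and
(2) one actor (user + source IP) touching more than max_students distinct
student ids within window_s seconds, the enumeration pattern of someone
probing records they are not authorized for. Sample log lines, the
allowlist and thresholds are constructed/assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Route shape from the advisory; query strings tolerated.
PATH_RE = re.compile(r"^/matricula/(?P<student>\d+)/enturmar/?(?:\?.*)?$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: a secretary doing normal work from the school
# network, then an ordinary user on an external address walking ids.
SAMPLE_LOG = """\
10.0.5.12 - secretaria01 [15/Sep/2025:09:00:01 +0000] "POST /matricula/1001/enturmar/ HTTP/1.1" 302 0
10.0.5.12 - secretaria01 [15/Sep/2025:09:03:40 +0000] "POST /matricula/1002/enturmar/ HTTP/1.1" 302 0
203.0.113.7 - aluno77 [15/Sep/2025:09:10:00 +0000] "GET /matricula/2001/enturmar/ HTTP/1.1" 200 5120
203.0.113.7 - aluno77 [15/Sep/2025:09:10:02 +0000] "GET /matricula/2002/enturmar/ HTTP/1.1" 200 5117
203.0.113.7 - aluno77 [15/Sep/2025:09:10:03 +0000] "GET /matricula/2003/enturmar/ HTTP/1.1" 200 5119
203.0.113.7 - aluno77 [15/Sep/2025:09:10:05 +0000] "POST /matricula/2003/enturmar/ HTTP/1.1" 302 0
203.0.113.7 - aluno77 [15/Sep/2025:09:10:06 +0000] "GET /matricula/2004/enturmar/ HTTP/1.1" 200 5121
198.51.100.9 - - [15/Sep/2025:09:20:00 +0000] "GET /index.php HTTP/1.1" 200 812
"""


def parse_line(line):
    """Return a dict for a request to the enturmar route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PATH_RE.match(m["path"])
    if not p:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "student": int(p["student"]),
        "status": int(m["status"]),
    }


def detect(log_text, allowed_nets=("10.0.0.0/8",), max_students=3, window_s=300):
    """Return a list of alert tuples:
    ("outside_allowlist", user, ip, student_id) per request from a
    non-allowlisted source, and ("enumeration", user, ip, n_distinct) once
    per actor that exceeds max_students distinct ids inside window_s."""
    nets = [ip_network(n) for n in allowed_nets]
    alerts = []
    per_actor = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if not any(ip_address(ev["ip"]) in n for n in nets):
            alerts.append(("outside_allowlist", ev["user"], ev["ip"], ev["student"]))
        per_actor[(ev["user"], ev["ip"])].append(ev)

    for (user, ip), events in per_actor.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Sliding window: drop events older than window_s from the front.
            while (ev["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            distinct = {e["student"] for e in events[start:end + 1]}
            if len(distinct) > max_students:
                alerts.append(("enumeration", user, ip, len(distinct)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Keying the enumeration rule on user plus source IP rather than IP alone matters here: the vulnerability needs a valid login, so the interesting signal is an authenticated account acting on many students, which an IP-only rule would miss behind NAT or a VPN concentrator. Response codes are parsed but deliberately not used as a filter, because a vulnerable instance returns success for the unauthorized requests.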
Affected Countries
Portugal, Spain, Italy, France, Germany, United Kingdom
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-07T11:45:30.000Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68be110862f0ad016f7a9926
Added to database: 9/7/2025, 11:11:04 PM
Last enriched: 9/15/2025, 12:42:33 AM
Last updated: 10/21/2025, 10:57:19 PM